Cisco ASAv firewall installation

Introduction

The data center networking trend is clear with every network service being slowly virtualized. Network devices that are virtual provide big advantage over their physical counterparts. First, VMs can be provisioned much more quicker and be part of a larger virtual infrastructure, you can easily scale them adding more virtual CPU or memory and you can snapshot them to save their actual state to a file and move them around.

Cisco has also introduced their virtual version of their popular firewall product ASA. It simple called ASAv and runs under popular hypervisors such as VMware vSphere or KVM. You can find the product home page here. This is different product and idea than Cisco ASA 1000V Cloud Firewall.

First you need to get hold of the ova package. You need to be entitled with Cisco to download the software from here or you can do a Google search and find it elsewhere. I had some problems with the latest release 9.3.2(200) where it would stuck at booting loop, the kernel complained about Illegal Instruction. Looks like it did not like my dual Opteron 4180 host. Therefore in this demo we are going to use release 9.3.1 which worked just fine.

Sharping the axe

Before we are going to deploy the actual virtual firewall, lets make some solid ground for it. Firewalls usually divide network into multiple security zones so first we are going to create some, and we use vSwitches for that. In my vSphere deployment I already have default vSwitch called vSwitch0, with a Portgroup called Native that has a connection to outside world.

We are going to create additional two vSwitches that will have following Portgroups: ASAv-inside and ASAv-DMZ respectively, and we are going to attach two linux instances to them. So in the end we end up with simple topology like this:

asav-network

To get started, log in to vSphere and go to Hosts\Configuration\Networking\Virtual Standard Switch, click add Add networking.

Select New Standard Switch, there is no need to assign physical adapter for breakout, we will attach this vSwitch to one of ASAv interfaces. The first port group will be called ASAv-inside with no VLAN tag. Follow the same steps for DMZ vSwitch and its ASAv-DMZ PortGroup.

asav1

Chopping the tree

Back to ASAv, after downloading, log into the vCenter and go to VMs and File\Deploy OVF Template.

Note: I tried to deploy the asav932-200.ova directly into ESXi, however I received and error that The OVF package requires support for OVF properties. Details: Line 264: Unsupported element ‘Property’

Answer the usual OVF deployment question such as name of VM, which Data Center and Cluster will be used. I only have one so it is no brainier. Deployment configuration specifies the number of vCPU that the VM will have and whether it will be part of HA pair. By default ASAv will come with 1 Management Interface Management0/0 and 9 regular interfaces GigabitEthernet0/0 – 0/8. You need to map each of them to correct port group created in previous step.

I am only really using 4 interfaces at this point, so I left the rest connected in ASAv-DMZ portgroup.

asav2

1 Mgmt Interface and 9 Regular Interfaces

Some basic configuration parameters such as IP configuration of management interface can also be entering during wizard. That makes me wonder if those parameters can be passed to template while deploying automatically via script.

asav3

Initial Configuration Options

After quick OVF deployment, you can look at default resource requirements which correspond to deployment size selected in wizard.

asav6

Resource utilization

And finally the ASAv console is available directly through vCenter.

asav3

ASAv Virtual Console

Before you can take full advantage of all ASAv features in your lab you need to license the box. If you are lucky you can ask a Cisco representative for a temporary license or *hint* do a smart Google search for a little piece of software.

Initial Configuration

To actually verify that the ASAs has indeed network connectivity, we will perform initial configuration and test reach ability to Google DNS servers.

#First virtual interface mapped to Native PortGroup
#
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp
#
#Second virtual interface mapped to ASAv-inside PortGroup
#
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
#
#Management virtual interface mapped to Backend PortGroup
#
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.0.1.41 255.255.255.0
#
# DNS, SSH and routing
#
dns server-group DefaultDNS
name-server 8.8.8.8
!
route outside 0.0.0.0 0.0.0.0 10.0.2.1 1
aaa authentication ssh console LOCAL
ssh 10.0.1.0 255.255.255.0 management
username cisco password

Verification

asav5

If you are currently aiming for CCIE Security this is an excellent way how to build your own virtual lab for practice. Coupled with virtual ACS server and IPS appliances it is very easy to test and learn new features, validate syntax for scripts and many more without harming your production environment.

I draw the line in the sand here and leave your imagination what you can do with multiple of these virtual firewalls bundled with couple of virtual routers and virtual machines to re-create complete data center infrastructure sandbox.

Resources

Introduction to ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asav/quick-start/asav-quick/intro-asav.html

ASAv Product Overview

http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/datasheet-c78-733399.pdf

Deploying ASAv

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-asav.pdf

Advertisements

5 thoughts on “Cisco ASAv firewall installation

  1. Pingback: Qemu ASAv Appliance as Personal Firewall on Linux | Brezular's Blog

  2. Marconio

    Hey, I am having the same problem with versions 9.3.2 – 9.4. ASAv is in constant loop. Have you solved this problem?

    Like

    Reply
    1. Maros Kukan Post author

      Hello Marcanio,

      I haven’t dig into the vSphere logs for more clues. It may be hidden somewhere in instruction set. We have that new version running at work on Intel CPUs. I think to spend some time working out how to run in under VMware Workstation.

      Like

      Reply
  3. Dannielle Playford

    Do you mind if I quote a handful of of your articles or blog posts but I supply credit and sources back to your internet site? My weblog is in the extremely identical region of interest as yours and my visitors would undoubtedly benefit from some of the information you current right here. Please allow me know if this okay with you. Cheers!

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s