ASA 9.21 in Vmware Workstation 10 - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, June 18, 2014

ASA 9.21 in Vmware Workstation 10

There is old post "ASA 8.02 in Vmware Workstation " in this blog posted on Dec 2011. Anothe post "How to Make your own ASA 8.42 in VMware".  Here are all related posts in this blog:

This time I got ASA 9.21 tested.

There are some ASA 9.21 vmware packages from Internet by google-ing:
Downloaded one and hooked it up in the Vmware. It uses 2G memory but little CPU power. Bridge to real network is working perfectly as well. CPU must be 64bit and supporting VT.

My host system info is showing at following screenshot for your information :
If CPU having problem to support VT-x, you may get a error message just like the one shows on my laptop.

Virtual Machine Settings:

Some booting screenshots:

1. ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)

Compiled on Thu 24-Apr-14 12:14 PDT by builders
System image file is "boot:/asa921-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 11 mins 56 secs

Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2992 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

 0: Ext: Management0/0       : address is 000c.292e.2a14, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.292e.2a1e, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.292e.2a28, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.292e.2a32, irq 10

ASAv Platform License State: Unlicensed
*Install -588553824 vCPU ASAv platform license for full functionality.
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Virtual CPUs                      : 0              perpetual
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASAv VPN Premium license.

Serial Number: 9AGRB5FHKDK
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 04:28:04.639 UTC Thu Jun 19 2014

2. ciscoasa# sh run

: Saved
: Serial Number: 9AGRB5FHKDK
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2992 MHz
ASA Version 9.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
interface GigabitEthernet0/0
 nameif EXT
 security-level 0
 ip address
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
ftp mode passive
pager lines 23
logging buffered debugging
mtu EXT 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh EXT
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username test password P4ttSyrm33SV8TYp encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
 profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 27
  subscribe-to-alert-group configuration periodic monthly 27
  subscribe-to-alert-group telemetry periodic daily
: end

Verified bridging to host network works by ping from ASA  to host network:

3. License

With "cisco ASA keygen"'s help , you could get all license such as following screenshot shows:

Now you can have fun with ASA 9.21 in your own virtual rack.


  1. ALl the feature works as that on a real hardware ?

  2. Hi
    Where I can get the "cisco ASA keygen"'?

    1. you should be able to find it from Internet for your learning purpose.

  3. The cisco ASA key gen is not activating my ASAv 9.21

  4. This is stupid. This is ASAv and not the standard ASA whereas the original articles are about running the standard ASA in VMWare. The ASA supports clustering,etc whereas the ASAv doesn't !!

  5. thanks running successfully

  6. Hello,

    I am attempting to do this and my ASAv is saying:
    Failed to retrieve permanent activation key.
    not supported yet.
    The Requested activation key was not saved because it is not valid for this system.

    Any ideas how to fix? I really need this working. I am using ESXi 6

  7. take the option Greedy, that works for me

  8. the keymaker is infected by virus !!!!

    1. It is possible. I would suggest run it in an vm environment to get your key then destroy your VM.