Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2) - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Wednesday, June 3, 2015

Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)

In my previous post "Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)", I tested the importing both OVA and VMDK file into Workstation and ESXi, but both ways failed. Those files are found and downloaded from Internet for only testing purpose. I believe those are good files and somebody has tested them. The only reason for my failure is because I am not using a right way to do it. In my old testing posts I have tested other versions such as 9.2.1, 8.42 and 8.02. All were successful loaded in either Vmware Workstation or ESXi.

Here are all related posts in this blog:

To find out the why this time failed I searched online again. My searching is based on error message I got from ESXi:
"The OVF package requires support for OVF PropertiesLine 264: Unsupported element 'Property'."

Following two links explains why , also both gives a solution , which is Vmware vCenter will be able to help load ASAv 9.4.1 into ESXi or ESX. Actually Vmeare vSphere Client has to connect to vCenter first then deploy this asav941.ova into ESX/ESXi host.

Here are the procedures when I were using vCenter to help load ASAv 9.4.1 into ESXi. (I will have another post to present how to install vCenter into ESXi. I did meet lots of challenges and I spent almost whole day to figure them out. Some are quite tricky.)

1. ESXi vSphere Client connecting to vCenter5.5. 

I am assuming you have installed vCenter as I did. If not, you can wait my next post to show you how to do it. I managed to install vCenter Appliance into my ESXi server.

2. File -> Delply OVF Template...

Acutally if you have vCenter in your environment, all procedures are same as deploying other virtual machines. 

3. Choose downloaded asav941.ova file as the template.


When license agreement window popped up, accept it then next.

4. Choose vm's name

5. NICs configuration. 

By default, there are 10 NICs and all of them are in same virtual network. In my case, it automatically set to connect to VM DMZ network.

6. Some other parameters.

You can customize some or leave them as default. I did not tell too much difference for those settings.

7. Review all configuration

8. After 3-5 minutes importing process deponding on your connection speed, you should get a new VM in your ESXi. 

And you can power VM on and get booting window from console.

9. VM will reboot itself once then you will get this lovely ciscoasa prompt

During my full rebooting process, it will reboot itself once because some information is not consistent. I will try to record it next time.

10. Basic configuration for SSH

Interface management 0/0 is Network adapter 1. I changed it to VM Internet network to make management interface connect to my client pc network.

There are some basic configuration to get you SSH session enabled on your ASAv.

interface Management0/0
 ip address 192.168.2.12 255.255.255.0
 nameif management
!
ssh 192.168.2.0 255.255.255.0 management
ssh version 2

username admin password cisco
aaa authentication ssh console LOCAL

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(1)

Compiled on Sat 21-Mar-15 11:43 PDT by builders
System image file is "boot:/asa941-smp-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 7 hours 11 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon 5500 series 2294 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB


 0: Ext: Management0/0       : address is 0050.5682.88e4, irq 10
 1: Ext: GigabitEthernet0/0  : address is 0050.5682.6bf2, irq 5
 2: Ext: GigabitEthernet0/1  : address is 0050.5682.7af1, irq 9
 3: Ext: GigabitEthernet0/2  : address is 0050.5682.6bce, irq 11
 4: Ext: GigabitEthernet0/3  : address is 0050.5682.55a3, irq 10
 5: Ext: GigabitEthernet0/4  : address is 0050.5682.837f, irq 5
 6: Ext: GigabitEthernet0/5  : address is 0050.5682.969e, irq 9
 7: Ext: GigabitEthernet0/6  : address is 0050.5682.d2a0, irq 11
 8: Ext: GigabitEthernet0/7  : address is 0050.5682.435c, irq 10
 9: Ext: GigabitEthernet0/8  : address is 0050.5682.3b99, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
Active entitlement: ASAv-STD-100M, enforce mode: Eval period

Licensed features for this platform:
Maximum Physical Interfaces       : 10             perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Enabled        perpetual
Cluster                           : Disabled       perpetual

Licensing mode is Smart Licensing

Serial Number: 9ACPEXD4VEW

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 02:21:28.579 UTC Mon Jun 1 2015

11. Guidelines for the ASAv

Context Mode Guidelines
Supported in single context mode only. Does not support multiple context mode.
Failover Guidelines
For failover deployments, make sure that the standby unit has the same model license; for example, both units should be ASAv30s.
Unsupported ASA Features
The ASAv does not support the following ASA features:
  • Clustering
  • Multiple context mode
  • Active/Active failover
  • EtherChannels
  • Shared AnyConnect Premium Licenses


12. Defaults for Smart Software Licensing

Since ASAv only support Smart Software Licensing, the old way in previous post to use Cisco ASA 5540 v8.2(1) Keymaker v1.0 to generate license activation-key is not working any more. There is no activation-key command. By default, the ID certificate is automatically renewed every 6 months, and the license entitlement is renewed every 30 days. Command "license smart register idtoken" will be the new command for register your ASAv.
  • The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the URL for the Licensing Authority.
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  • When you deploy the ASAv, you set the feature tier and throughput level. Only the standard level is available at this time.
license smart
feature tier standard
throughput level {100M | 1G | 2G}
  • Also during deployment, you can optionally configure an HTTP proxy.
call-home
http-proxy ip_address port port

13. ASDM 7.4(1)

Enter following two commands to enable ASDM http access:

http server enable
http 192.168.2.0 255.255.255.0 management

Open your browser and type url https://192.168.2.12/admin

Click the button Install ASDM Launcher, type username admin and password cisco to download ASDM software on your local machine. You may be asked to install Java.


Reference:


10 comments:

  1. Hey man, I read your blog recently, I have a question about Cisco ASA. We have a Cisco 2911 Router with Security license. Two ports connect to dual ISP and one for intranet. PBR and IP SLA are configured on the router, We want to publish our FTP server to the internet so that our clients can access our Server via these two ISPs. But failed. So I want to use Cisco ASA to test, My question is: Can I use a desktop to simulate ASA 9.4.1 to replace Cisco 2911?

    ReplyDelete
  2. vASA9.4.1 has to be installed into vSphere ESX/ESXi system and managed by vCenter. If your Desktop is in the compatible list to install ESX/ESXi, you should be able to use a desktop to simulate vASA9.4.1 to replace your 2911. Of course you will need proper license for your vASA9.4.1 to unlock the limitation.

    ReplyDelete
    Replies
    1. What about the license in this package by default? It will be as "show version" that displayed in this page, right ?

      Delete
    2. You will not need a license to play for all features listed in the show version screen. But until you install a license, throughput of your vASA is limited to 100 Kbps.

      Delete
    3. Thanks a lot ,I install ASAv 9.4.1 successfully in my vCenter, I have a problem when configuring PBR on ASA, when I create an ACL, I want a host to go to the internet via another ISP. But warring messages display when I configure PBR, Here is my configuration:
      ASA941(config)# access-list TW line 1 extended permit ip host 192.168.66.5 any
      ASA941(config)# route-map TW permit 10
      ASA941(config-route-map)# mat
      ASA941(config-route-map)# match ip ad
      ASA941(config-route-map)# match ip address TW
      WARNING: If access-list TW having destination "any\any4\any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without any\any4\any6 in destination.
      ASA941(config-route-map)#


      Any advise? I am not sure if it is a bug, If I want this computer to go anywhere via the outside port, so I need to configure ANY as the destination address.

      Delete
    4. It is not a bug. It is design for the route-map feature.
      ACL is of two types standard ACL and Extended ACL. They are the list of conditions that are applied to traffic travelling across interface. Acceptance and denial can be based on specific conditions.
      1. Standard ACL
      - Checks Source Address
      - Permits or Denies Entire Protocol Suite
      2. Extended ACL
      - Checks Source and Destination Address
      - Generally Permits or Denies Specific Protocols

      You should be able to use following standard ACL to complete your needs:

      access-list TW standard permit host 192.168.66.5

      Delete
    5. Really cool. But.. I need ASA 8.6 for testing and lab. Is it possible to run ASA 8.6 on wmvare or else?

      Delete
    6. It depends on if someone worked on ASA 8.6 before. You wont be able to run original ASA 8.6 file in Vmware or other virtual system directly. So far, I did not see anyone tried to work on it. I do see lots of people using asa8.4.2 in vm.

      Delete
  3. Is there any reason deploying from vshpere does not work, but from vcenter works?
    Is it possible you can export your ovf file, I think I should be able to just use that to make it work.

    ReplyDelete