Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Saturday, March 5, 2016

Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi

I were keeping testing Cisco ASA in Vmware environment for my own studying purpose. Recently I got ASAv 9.5.1 and installed into Vmware workstation 10 and ESXi 5.5.

Here are all related posts in this blog:
More configuration posts:
1. Download Software from Cisco Software Website:

The latest is 9.5.2 200. I am using 9.5.1 200 as an example for this post.




After downloaded the package, unzipped it and you will get 7 files.

asav-esxi.ovf will be used for esxi and workstation environment.

2. Import into Vmware ESXi or Workstation

2.1 in ESXi 5.5

Choose Menu File -> Deploy OVF Template...
 Follow screen instruction to click next:
 Network Mapping will be very straightforward since all interface are listing with mapping name in the ASAv.
Management0-0 is first interface. 




2.2 in Vmware Workstation 10
Choose Open from File menu:
 Following screen , click import:
After import done, you will get a new Virtual Machine:
Network Adapter 1 is first interface which is Management0/0 in ASAv. 

Booting Screen:



3. Verify



ASAv-Pri#   show version

Cisco Adaptive Security Appliance Software Version 9.5(1)200
Device Manager Version 7.5(1)

Compiled on Fri 28-Aug-15 15:56 PDT by builders
System image file is "boot:/asa951-200-smp-k8.bin"
Config file at boot was "startup-config"

ASAv-Pri up 1 hour 5 mins
failover cluster up 15 hours 54 mins

Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz,
Model Id:   ASAv5
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB


 0: Ext: Management0/0       : address is 000c.291a.f3fd, irq 10
 1: Ext: GigabitEthernet0/0  : address is 000c.291a.f307, irq 5
 2: Ext: GigabitEthernet0/1  : address is 000c.291a.f311, irq 9
 3: Ext: GigabitEthernet0/2  : address is 000c.291a.f31b, irq 11
 4: Ext: GigabitEthernet0/3  : address is 000c.291a.f325, irq 10
 5: Ext: GigabitEthernet0/4  : address is 000c.291a.f32f, irq 5
 6: Ext: GigabitEthernet0/5  : address is 000c.291a.f339, irq 9
 7: Ext: GigabitEthernet0/6  : address is 000c.291a.f343, irq 11
 8: Ext: GigabitEthernet0/7  : address is 000c.291a.f34d, irq 10
 9: Ext: GigabitEthernet0/8  : address is 000c.291a.f357, irq 5

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum Physical Interfaces       : 10
Maximum VLANs                     : 25
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
GTP/GPRS                          : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 50
Total VPN Peers                   : 50
Shared License                    : Disabled
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Total UC Proxy Sessions           : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled


License mode: Smart Licensing

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : 10
Maximum VLANs                     : 25
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
GTP/GPRS                          : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 50
Total VPN Peers                   : 50
Shared License                    : Disabled
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Total UC Proxy Sessions           : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Licensing mode is Smart Licensing

Serial Number: 9ALU3EW6LDF

Image type          : Release
Key version         : A

Configuration last modified by enable_1 at 17:02:38.079 UTC Wed Jan 27 2016
ASAv-Pri#

ASAv-Pri# sh run
: Saved

:
: Serial Number: 9ALU3EW6LDF
: Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz
:
ASA Version 9.5(1)200
!
hostname ASAv-Pri
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif EXT
 security-level 0
 ip address 172.17.3.11 255.255.255.0 standby 172.17.3.12
!
interface GigabitEthernet0/1
 description test
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif INT
 security-level 100
 ip address 10.94.2.11 255.255.255.0 standby 10.94.2.12
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 description LAN/STATE Failover Interface
!
interface Management0/0
 management-only
 nameif mgmt
 security-level 0
 ip address 192.168.2.11 255.255.255.0 standby 192.168.2.12
!
ftp mode passive
pager lines 23
logging enable
logging asdm informational
mtu EXT 1500
mtu INT 1500
mtu mgmt 1500
failover
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/8
failover key *****
failover link LANFAIL GigabitEthernet0/8
failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2
no monitor-interface mgmt
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
 .......
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username test password P4ttSyrm33SV8TYp encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile License
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination transport-method http
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:deb136269827f21fc1c142fac079704b
: end

ASAv-Pri#



4 comments:

  1. Please help to verify the link 9.5.1. I can't download

    ReplyDelete
  2. Please help i need to download the image and run it on the VM.

    ReplyDelete
  3. to download the vm from CISCO ri you need to have a bussines account since it is not free or opensource

    ReplyDelete