Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi

I were keeping testing Cisco ASA in Vmware environment for my own studying purpose. Recently I got ASAv 9.5.1 and installed into Vmware workstation 10 and ESXi 5.5.

Here are all related posts in this blog:

• ASA 8.02 in Vmware Workstation
• ASA 8.42 in VMware Workstation
• ASA 9.21 in Vmware Workstation 10
• Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)
• Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)
• Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi 

More configuration posts:

• Cisco ASA 5500-X Series Software 9.x Configuration Notes (Tips and Tricks)
• Cisco ASA Remote Access VPN Configuration 2 - Anyconnect VPN Configuration
• Cisco ASA Remote Access VPN Configuration 1 - Clientless SSL VPN Configuration
• Cisco ASAv HA Configurations

1. Download Software from Cisco Software Website:

The latest is 9.5.2 200. I am using 9.5.1 200 as an example for this post.

After downloaded the package, unzipped it and you will get 7 files.

asav-esxi.ovf will be used for esxi and workstation environment.

2. Import into Vmware ESXi or Workstation

2.1 in ESXi 5.5

Choose Menu File -> Deploy OVF Template...

 Follow screen instruction to click next:

 Network Mapping will be very straightforward since all interface are listing with mapping name in the ASAv.

Management0-0 is first interface. 

2.2 in Vmware Workstation 10
Choose Open from File menu:

 Following screen , click import:

After import done, you will get a new Virtual Machine:

Network Adapter 1 is first interface which is Management0/0 in ASAv. 

Booting Screen:

3. Verify

ASAv-Pri#   show version Cisco Adaptive Security Appliance Software Version 9.5(1)200 Device Manager Version 7.5(1) Compiled on Fri 28-Aug-15 15:56 PDT by builders System image file is "boot:/asa951-200-smp-k8.bin" Config file at boot was "startup-config" ASAv-Pri up 1 hour 5 mins failover cluster up 15 hours 54 mins Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz, Model Id:   ASAv5 Internal ATA Compact Flash, 256MB Slot 1: ATA Compact Flash, 8192MB BIOS Flash Firmware Hub @ 0x0, 0KB  0: Ext: Management0/0       : address is 000c.291a.f3fd, irq 10  1: Ext: GigabitEthernet0/0  : address is 000c.291a.f307, irq 5  2: Ext: GigabitEthernet0/1  : address is 000c.291a.f311, irq 9  3: Ext: GigabitEthernet0/2  : address is 000c.291a.f31b, irq 11  4: Ext: GigabitEthernet0/3  : address is 000c.291a.f325, irq 10  5: Ext: GigabitEthernet0/4  : address is 000c.291a.f32f, irq 5  6: Ext: GigabitEthernet0/5  : address is 000c.291a.f339, irq 9  7: Ext: GigabitEthernet0/6  : address is 000c.291a.f343, irq 11  8: Ext: GigabitEthernet0/7  : address is 000c.291a.f34d, irq 10  9: Ext: GigabitEthernet0/8  : address is 000c.291a.f357, irq 5 License mode: Smart Licensing ASAv Platform License State: Unlicensed No active entitlement: no feature tier and no throughput level configured *Memory resource allocation is more than the permitted limit. Licensed features for this platform: Maximum Physical Interfaces       : 10 Maximum VLANs                     : 25 Inside Hosts                      : Unlimited Failover                          : Active/Standby Encryption-DES                    : Enabled Encryption-3DES-AES               : Enabled Security Contexts                 : 0 GTP/GPRS                          : Disabled AnyConnect Premium Peers          : 2 AnyConnect Essentials             : Disabled Other VPN Peers                   : 50 Total VPN Peers                   : 50 Shared License                    : Disabled AnyConnect for Mobile             : Disabled AnyConnect for Cisco VPN Phone    : Disabled Advanced Endpoint Assessment      : Disabled Total UC Proxy Sessions           : 2 Botnet Traffic Filter             : Enabled Cluster                           : Disabled License mode: Smart Licensing Failover cluster licensed features for this platform: Maximum Physical Interfaces       : 10 Maximum VLANs                     : 25 Inside Hosts                      : Unlimited Failover                          : Active/Standby Encryption-DES                    : Enabled Encryption-3DES-AES               : Enabled Security Contexts                 : 0 GTP/GPRS                          : Disabled AnyConnect Premium Peers          : 2 AnyConnect Essentials             : Disabled Other VPN Peers                   : 50 Total VPN Peers                   : 50 Shared License                    : Disabled AnyConnect for Mobile             : Disabled AnyConnect for Cisco VPN Phone    : Disabled Advanced Endpoint Assessment      : Disabled Total UC Proxy Sessions           : 2 Botnet Traffic Filter             : Enabled Cluster                           : Disabled Licensing mode is Smart Licensing Serial Number: 9ALU3EW6LDF Image type          : Release Key version         : A Configuration last modified by enable_1 at 17:02:38.079 UTC Wed Jan 27 2016 ASAv-Pri# ASAv-Pri# sh run : Saved : : Serial Number: 9ALU3EW6LDF : Hardware:   ASAv, 1024 MB RAM, CPU Xeon 5500 series 2294 MHz : ASA Version 9.5(1)200 ! hostname ASAv-Pri enable password 8Ry2YjIyt7RRXU24 encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain names ! interface GigabitEthernet0/0  nameif EXT  security-level 0  ip address 172.17.3.11 255.255.255.0 standby 172.17.3.12 ! interface GigabitEthernet0/1  description test  no nameif  no security-level  no ip address ! interface GigabitEthernet0/2  nameif INT  security-level 100  ip address 10.94.2.11 255.255.255.0 standby 10.94.2.12 ! interface GigabitEthernet0/3  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet0/4  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet0/5  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet0/6  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet0/7  shutdown  no nameif  no security-level  no ip address ! interface GigabitEthernet0/8  description LAN/STATE Failover Interface ! interface Management0/0  management-only  nameif mgmt  security-level 0  ip address 192.168.2.11 255.255.255.0 standby 192.168.2.12 ! ftp mode passive pager lines 23 logging enable logging asdm informational mtu EXT 1500 mtu INT 1500 mtu mgmt 1500 failover failover lan unit secondary failover lan interface LANFAIL GigabitEthernet0/8 failover key ***** failover link LANFAIL GigabitEthernet0/8 failover interface ip LANFAIL 10.10.1.1 255.255.255.0 standby 10.10.1.2 no monitor-interface mgmt icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL aaa authentication ssh console LOCAL http server enable http 192.168.2.0 255.255.255.0 mgmt no snmp-server location no snmp-server contact crypto ipsec security-association pmtu-aging infinite crypto ca trustpoint _SmartCallHome_ServerCA  no validation-usage  crl configure crypto ca trustpool policy crypto ca certificate chain _SmartCallHome_ServerCA  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491     308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130  .......     6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28     6c2527b9 deb78458 c61f381e a4c4cb66   quit telnet timeout 5 ssh stricthostkeycheck ssh 192.168.2.0 255.255.255.0 mgmt ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy username test password P4ttSyrm33SV8TYp encrypted ! class-map inspection_default  match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map  parameters   message-length maximum client auto   message-length maximum 512 policy-map global_policy  class inspection_default   inspect ip-options   inspect netbios   inspect rtsp   inspect sunrpc   inspect tftp   inspect xdmcp   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect esmtp   inspect sqlnet   inspect sip   inspect skinny policy-map type inspect dns migrated_dns_map_1  parameters   message-length maximum client auto   message-length maximum 512 ! service-policy global_policy global prompt hostname context call-home reporting anonymous prompt 2 call-home  profile License   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService   destination transport-method http  profile CiscoTAC-1   no active   destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService   destination address email [email protected]   destination transport-method http   subscribe-to-alert-group diagnostic   subscribe-to-alert-group environment   subscribe-to-alert-group inventory periodic monthly   subscribe-to-alert-group configuration periodic monthly   subscribe-to-alert-group telemetry periodic daily Cryptochecksum:deb136269827f21fc1c142fac079704b : end ASAv-Pri#