Configuration of Cisco ASAv with CLI

We had build a lab to understand on how to perform Configuration of Cisco ASAv with CLI

Lab enviroment with a Single ESXi 6.7 Host
– 1 x VYOS Router with 3 x Interface
– 2 x Cisco ASAv with 2 x Interface
– 2 x Workstations

ASAv-Install-05

A. Provisioning of VYOS Router

Basic Configuration of VYOS Router with 3 Interfaces

  1. Download and import the VYOS OVA to ESXi 6.7
  2. Enable SSH Login
config
set service ssh port 22
  1. Configure IP Address for Interfaces
#Set IP Address for Interface
set int ethernet eth0 address dhcp
set int ethernet eth1 address 10.10.10.1/24
set int ethernet eth2 address 20.20.20.1/24
  1. Configuration of Hostname, DNS Server and Time Zone
set system domain-name aventislab.com
set system host-name vyos
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system time-zone Asia/Kuala_Lumpur
  1. NAT rule to allow workstation behind Cisco ASAv to have access to Internet
#NAT Rule
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.10.10.0/24
set nat source rule 10 translation address masquerade

set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 20.20.20.0/24
set nat source rule 20 translation address masquerade
  1. Commit the changes and save to configuration file
commit
save

B. Provisioning of Cisco ASAv

  1. Login to ESXi 6.7 host with PowerCLI
$ESXi = "192.168.1.188"
$User = "root"
$Password = "P@ssw0rd"

Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue
  1. Define the path of OVA file and import it to ESXi host with PowerCLI
#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "192.168.1.188" -Source $OVF -DiskStorageFormat Thin

If you encounter the error message below

Import-VApp : 23/10/2018 2:15:41 AM Import-VApp     Access to resource settings on the 
host is restricted to the server that is managing it: '192.168.1.186'.

You can SSH to ESXi host to restart the hostd & vpxa services manually to force it think that it is no longer managed by vCenter as i had shutdown the vCenter in my lab to save resource.

/etc/init.d/hostd restart
/etc/init.d/vpxa restart

hostd – Main communication channel between ESXi host and VMKernel. Virtual Center will communicate with hostd for VM creation, Power On/Off and others

vpxa – vCenter Server Agent. It allow vCenter to communicate with hostd prior reaching VMKernel

Disconnect all existing VI Connection and reconnect

#Disconnect All VI Session
Disconnect-VIServer -Server * -Force

Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue

#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "192.168.1.188" -Source $OVF -DiskStorageFormat Thin

Modify the Network Adapter
* Network Adapter 1 – Management Interface
* Network Adapter 2 – WAN / Outside Interface
* Network Adapter 3 – LAN / Inside Interface

ASAv-Install-01

C. Configuration of Cisco ASAv with CLI

The bandwidth of Cisco ASAv without license is limited to 100Kbps only

  1. Configure the IP Address for inside
conf t 
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
 no shut
  1. Configure IP Address for outside with default route
 interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.254 255.255.255.0
 no shut

route outside 0.0.0.0 0.0.0.0 10.10.10.1
  1. Basic Configuration
#Change Enable Password
enable password P@ssw0rd

#Set Hostname
hostname ASAv
domain-name aventislab.com

#Add DNS Servers
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name aventislab.com

#Set Timezone 
clock timezone MYT 8
show clock 
  1. Enable SSH Login
#Create username for SSH login
username admin password P@ssw0rd
#SSH login to use local credential
aaa authentication ssh console LOCAL
#Generate a 2048 RSA Key
crypto key generate rsa modulus 2048
#Allow host to login to SSH
ssh 10.10.8.0 255.255.255.0 inside

#resolve the error message of 
#no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
ssh version 2
ssh key-exchange group dh-group14-sha1
  1. NAT to allow users to access Internet via the outside interface
object network Site-PROD
 subnet 10.10.8.0 255.255.255.0
 nat (inside,outside) dynamic interface
  1. Allow Ping from Inside to Outside
policy-map global_policy
 class inspection_default
Inspect icmp 
  1. Users from 10.10.8.0/24 can access to Internet now

Provision and configure the 2nd unit of Cisco ASAv by following Section B and C with the IP Addresses following the diagram

We will continue to configure the Site to Site VPN tunnel in my next post

Appendix

Enable ASDM (Web Base GUI Management)
1. Download and install Free tftpd64 Server

  1. Copy downloaded asdm-781-150.bin to C:\TFTP
    ASAv-Install-02

  2. Execute the commands below to upload ASDM and activate it

ciscoasa(config)# copy tftp disk0

Address or name of remote host []? 192.168.1.171

Source filename []? asdm-781-150.bin

Destination filename [disk0]? asdm-781-150.bin

Accessing tftp://192.168.1.171/asdm-781-150.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-781-150.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-781-150.bin...

26916144 bytes copied in 20.310 secs (1345807 bytes/sec)

#Set the ASDM Image 
ciscoasa(config)# asdm image disk0:/asdm-781-150.bin
#Enable http server for ASDM 
ciscoasa(config)# http server enable
#Allow only 10.10.8.0/24 to access ASDM from inside interface
ciscoasa(config)# http 10.10.8.0 255.255.255.0 inside
#Save the configuration
ciscoasa(config)# wri meme
  1. Donwload and install JAVA JRE on the workstation where you will access the ASDM

  2. Login to https://10.10.8.1 and click on Install ASDM Lancher
    ASAv-Install-03

  3. You can manage Cisco ASAv with ASDM now
    ASAv-Install-04

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top