We built a lab to learn how to configure Cisco ASAv from the CLI.
Lab environment on a single ESXi 6.7 host:
– 1 x VYOS Router with 3 x Interface
– 2 x Cisco ASAv with 2 x Interface
– 2 x Workstations
A. Provisioning of VyOS Router
Basic configuration of the VyOS router with 3 interfaces
- Download and import the VYOS OVA to ESXi 6.7
- Enable SSH Login
configure
set service ssh port 22
- Configure IP Address for Interfaces
#Set IP address for each interface (eth0 gets its address via DHCP from the upstream network)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth1 address 10.10.10.1/24
set interfaces ethernet eth2 address 20.20.20.1/24
- Configuration of Hostname, DNS Server and Time Zone
set system domain-name aventislab.com
set system host-name vyos
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system time-zone Asia/Kuala_Lumpur
- Source NAT rules so that the workstations behind each Cisco ASAv can reach the Internet via eth0
#NAT Rule
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.10.10.0/24
set nat source rule 10 translation address masquerade
set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address 20.20.20.0/24
set nat source rule 20 translation address masquerade
- Commit the changes and save them to the configuration file
commit
save
B. Provisioning of Cisco ASAv
- Log in to the ESXi 6.7 host with PowerCLI
$ESXi = "192.168.1.188"
$User = "root"
$Password = "P@ssw0rd"
Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue
- Define the path of OVA file and import it to ESXi host with PowerCLI
#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "192.168.1.188" -Source $OVF -DiskStorageFormat Thin
If you encounter the error message below:
Import-VApp : 23/10/2018 2:15:41 AM Import-VApp Access to resource settings on the
host is restricted to the server that is managing it: '192.168.1.186'.
You can SSH to the ESXi host and restart the hostd and vpxa services manually to force it to think that it is no longer managed by vCenter, as I had shut down the vCenter in my lab to save resources.
/etc/init.d/hostd restart
/etc/init.d/vpxa restart
hostd – the main communication channel between the ESXi host and the VMkernel. vCenter talks to hostd for VM creation, power on/off and other operations.
vpxa – the vCenter Server agent. It allows vCenter to communicate with hostd before reaching the VMkernel.
Disconnect all existing VI sessions and reconnect, then retry the import:
#Disconnect All VI Session
Disconnect-VIServer -Server * -Force
Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue
#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "192.168.1.188" -Source $OVF -DiskStorageFormat Thin
Modify the network adapters of the imported VM so that they map as follows:
* Network Adapter 1 – Management Interface
* Network Adapter 2 – WAN / Outside Interface
* Network Adapter 3 – LAN / Inside Interface
C. Configuration of Cisco ASAv with CLI
Without a license, the throughput of Cisco ASAv is limited to 100 Kbps.
- Configure the IP Address for inside
conf t
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.8.1 255.255.255.0
no shut
- Configure IP Address for outside with default route
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.254 255.255.255.0
no shut
route outside 0.0.0.0 0.0.0.0 10.10.10.1
- Basic Configuration
#Change Enable Password
enable password P@ssw0rd
#Set Hostname
hostname ASAv
domain-name aventislab.com
#Add DNS Servers
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name aventislab.com
#Set Timezone
clock timezone MYT 8
show clock
- Enable SSH Login
#Create username for SSH login
username admin password P@ssw0rd
#SSH login to use local credential
aaa authentication ssh console LOCAL
#Generate a 2048-bit RSA key for the SSH server
crypto key generate rsa modulus 2048
#Allow host to login to SSH
ssh 10.10.8.0 255.255.255.0 inside
#Resolve the following SSH client error by enforcing SSHv2 with a stronger key-exchange group:
#no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
ssh version 2
ssh key-exchange group dh-group14-sha1
- NAT to allow users to access Internet via the outside interface
object network Site-PROD
subnet 10.10.8.0 255.255.255.0
nat (inside,outside) dynamic interface
- Allow ping from inside to outside by inspecting ICMP, so that echo replies are permitted back in
policy-map global_policy
class inspection_default
inspect icmp
- Users from 10.10.8.0/24 can access the Internet now
Provision and configure the 2nd Cisco ASAv unit by following Sections B and C, using the IP addresses from the diagram.
We will continue with the site-to-site VPN tunnel configuration in my next post.
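To check that a running-config actually contains the section C hardening (SSHv2 only, a non-group1 key exchange, local AAA for SSH, ssh/http management limited to the inside network, a default route via outside), the following audit script can be run over the output of show running-config. This is an added example written for this post, not a Cisco tool; the config text embedded in it is constructed from the commands above, not captured from the lab, and the parsing assumes the one-space indentation the ASA uses for mode sub-commands.

```python
"""Audit an ASA running-config for the management-plane settings used in
section C.  Added example for this post, not a Cisco tool; SAMPLE_CONFIG is
constructed from the post's commands rather than captured from a device."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: section C as it would appear in 'show running-config'.
SAMPLE_CONFIG = """\
hostname ASAv
domain-name aventislab.com
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.254 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1
aaa authentication ssh console LOCAL
ssh 10.10.8.0 255.255.255.0 inside
ssh version 2
ssh key-exchange group dh-group14-sha1
http server enable
http 10.10.8.0 255.255.255.0 inside
object network Site-PROD
 subnet 10.10.8.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

Block = Tuple[str, List[str]]
# 'ssh <net> <mask> <if>' and 'http <net> <mask> <if>' management-access lines
MGMT_LINE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
DEFAULT_ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+")


def parse_asa_config(text: str) -> List[Block]:
    """Group config lines into (top-level command, [sub-commands]) blocks."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue  # '!' separators and ': Saved' style header lines
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def interface_levels(blocks: List[Block]) -> Dict[str, Optional[int]]:
    """Map each nameif to its security-level (None when none is set)."""
    levels: Dict[str, Optional[int]] = {}
    for line, children in blocks:
        if not line.startswith("interface "):
            continue
        name, level = None, None
        for child in children:
            if child.startswith("nameif "):
                name = child.split()[1]
            elif child.startswith("security-level "):
                level = int(child.split()[1])
        if name is not None:
            levels[name] = level
    return levels


def audit_asa_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    blocks = parse_asa_config(text)
    top = [line for line, _ in blocks]
    levels = interface_levels(blocks)
    findings: List[str] = []

    for name, level in levels.items():
        if level is None:
            findings.append(f"interface {name} has no security-level")

    # SSH hardening from section C: v2 only, local AAA, no group1 key exchange.
    if "ssh version 2" not in top:
        findings.append("SSH version 2 not enforced; SSHv1 may still be accepted")
    if not any(l.startswith("aaa authentication ssh console ") for l in top):
        findings.append("no AAA authentication method configured for SSH")
    for line in top:
        if line.startswith("ssh key-exchange group "):
            group = line.split()[-1]
            if group == "dh-group1-sha1":
                findings.append("weak SSH key exchange dh-group1-sha1")
            elif group.endswith("sha1"):
                findings.append(f"SSH key exchange {group} uses SHA-1; prefer a SHA-256 group where the software supports one")

    # Management access: flag 'any' sources and security-level 0 interfaces.
    for line in top:
        m = MGMT_LINE.match(line)
        if not m:
            continue
        proto, addr, mask, ifname = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net.prefixlen == 0:
            findings.append(f"{proto} management open to any source on {ifname}")
        elif levels.get(ifname) == 0:
            findings.append(f"{proto} management reachable from {net} on security-level 0 interface {ifname}")

    if "http server enable" in top and not any(l.startswith("http ") and MGMT_LINE.match(l) for l in top):
        findings.append("http server enabled but no 'http <net> <mask> <if>' line; ASDM is unreachable")
    if not any(DEFAULT_ROUTE.match(l) for l in top):
        findings.append("no default route; inside users will not reach the Internet")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Against the constructed sample the only finding is the SHA-1 based key exchange; replacing the ssh access line with 0.0.0.0 0.0.0.0 outside or dropping ssh version 2 produces the corresponding findings, which is the kind of drift worth catching before the second unit is cloned from this configuration.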
Appendix
Enable ASDM (web-based GUI management)
- Download and install the free tftpd64 server
- Copy the downloaded asdm-781-150.bin to C:\TFTP
- Execute the commands below to upload ASDM and activate it
ciscoasa(config)# copy tftp disk0
Address or name of remote host []? 192.168.1.171
Source filename []? asdm-781-150.bin
Destination filename [disk0]? asdm-781-150.bin
Accessing tftp://192.168.1.171/asdm-781-150.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-781-150.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-781-150.bin...
26916144 bytes copied in 20.310 secs (1345807 bytes/sec)
#Set the ASDM Image
ciscoasa(config)# asdm image disk0:/asdm-781-150.bin
#Enable http server for ASDM
ciscoasa(config)# http server enable
#Allow only 10.10.8.0/24 to access ASDM from inside interface
ciscoasa(config)# http 10.10.8.0 255.255.255.0 inside
#Save the configuration
ciscoasa(config)# write memory
- Download and install the Java JRE on the workstation from which you will access ASDM
- Log in to https://10.10.8.1 and click on Install ASDM Launcher
- You can manage Cisco ASAv with ASDM now