Configuration of Cisco ASAv with CLI

We built a lab to understand how to configure a Cisco ASAv with the CLI.

Lab environment with a single ESXi 6.7 host
– 1 x VYOS Router with 3 x Interface
– 2 x Cisco ASAv with 2 x Interface
– 2 x Workstations


A. Provisioning of VYOS Router

Basic configuration of the VyOS router with 3 interfaces

  1. Download and import the VyOS OVA to ESXi 6.7
  2. Enable SSH login
set service ssh port 22
  3. Configure IP addresses for the interfaces
#Set IP Address for Interface
set int ethernet eth0 address dhcp
set int ethernet eth1 address
set int ethernet eth2 address
  4. Configure the hostname, DNS servers and time zone
set system domain-name
set system host-name vyos
set system name-server
set system name-server
set system time-zone Asia/Kuala_Lumpur
  5. NAT rules to allow the workstations behind the Cisco ASAv units to reach the Internet
#NAT Rule
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address
set nat source rule 10 translation address masquerade

set nat source rule 20 outbound-interface eth0
set nat source rule 20 source address
set nat source rule 20 translation address masquerade
  6. Commit the changes and save them to the configuration file

B. Provisioning of Cisco ASAv

  1. Log in to the ESXi 6.7 host with PowerCLI
$ESXi = ""
$User = "root"
$Password = "P@ssw0rd"

Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue
  2. Define the path of the OVA file and import it to the ESXi host with PowerCLI
#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "" -Source $OVF -DiskStorageFormat Thin

If you encounter the error message below:

Import-VApp : 23/10/2018 2:15:41 AM Import-VApp     Access to resource settings on the 
host is restricted to the server that is managing it: ''.

You can SSH to the ESXi host and restart the hostd and vpxa services manually, which makes the host forget that it is managed by vCenter. This was needed because I had shut down the vCenter in my lab to save resources.

/etc/init.d/hostd restart
/etc/init.d/vpxa restart

hostd – The main communication channel between the ESXi host and the VMkernel. vCenter talks to hostd for VM creation, power on/off and other operations.

vpxa – The vCenter Server Agent. It lets vCenter communicate with hostd before the request reaches the VMkernel.

Disconnect all existing VI sessions and reconnect:

#Disconnect All VI Session
Disconnect-VIServer -Server * -Force

Connect-VIServer -Server $ESXi -User $User -Password $Password -WarningAction SilentlyContinue

#Import OVF
$OVF = "C:\Users\kwyong\Downloads\asav983-8\asav-esxi.ovf"
Import-VApp -Name ASAv -Datastore EVO -VMHost "" -Source $OVF -DiskStorageFormat Thin

Modify the network adapters so that each one is attached to the correct port group:
* Network Adapter 1 – Management Interface
* Network Adapter 2 – WAN / Outside Interface
* Network Adapter 3 – LAN / Inside Interface


C. Configuration of Cisco ASAv with CLI

The throughput of a Cisco ASAv without a license is limited to 100Kbps.

  1. Configure the IP address for the inside interface
conf t
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
 no shut
  2. Configure the IP address for the outside interface with a default route
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address
 no shut

route outside
  3. Basic configuration
#Change Enable Password
enable password P@ssw0rd

#Set Hostname
hostname ASAv

#Add DNS Servers
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS

#Set Timezone
clock timezone MYT 8
show clock
  4. Enable SSH login
#Create username for SSH login
username admin password P@ssw0rd
#SSH login to use local credential
aaa authentication ssh console LOCAL
#Generate a 2048-bit RSA key
crypto key generate rsa modulus 2048
#Allow hosts on the inside interface to log in via SSH
ssh inside

#Resolve the SSH client error:
#no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
ssh version 2
ssh key-exchange group dh-group14-sha1
  5. NAT to allow users to access the Internet via the outside interface
object network Site-PROD
 nat (inside,outside) dynamic interface
  6. Allow ping from inside to outside
policy-map global_policy
 class inspection_default
  inspect icmp
  7. Users from can access the Internet now

Provision and configure the 2nd Cisco ASAv by following Sections B and C, using the IP addresses from the diagram.

We will continue with the configuration of the site-to-site VPN tunnel in my next post.


Enable ASDM (Web-Based GUI Management)

  1. Download and install the free tftpd64 server

  2. Copy the downloaded asdm-781-150.bin to C:\TFTP

  3. Execute the commands below to upload ASDM and activate it

ciscoasa(config)# copy tftp disk0

Address or name of remote host []?

Source filename []? asdm-781-150.bin

Destination filename [disk0]? asdm-781-150.bin

Accessing tftp://!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-781-150.bin...
Writing file disk0:/asdm-781-150.bin...

26916144 bytes copied in 20.310 secs (1345807 bytes/sec)

#Set the ASDM Image
ciscoasa(config)# asdm image disk0:/asdm-781-150.bin
#Enable http server for ASDM
ciscoasa(config)# http server enable
#Allow access to ASDM from the inside interface only
ciscoasa(config)# http inside
#Save the configuration
ciscoasa(config)# wri mem
  4. Download and install the Java JRE on the workstation from which you will access ASDM

  5. Log in to and click on Install ASDM Launcher

  6. You can manage the Cisco ASAv with ASDM now
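The SSH settings in Section C step 4 and the ASDM http lines above are the management plane of the firewall, so it is worth checking them before the box goes live. The checker below is an added example, not part of the post: it parses a constructed ASA config (IP ranges are assumed, since the post leaves them blank) and flags SSH not pinned to version 2, the dh-group1-sha1 key exchange, and SSH or ASDM access permitted on the outside interface or from any source.

```python
import re

# Constructed sample configs (not from the post). HARDENED mirrors the SSH and
# ASDM lines configured above with an assumed inside subnet; WEAK shows the
# 1024-bit DH group the post replaces plus management access opened on outside.
HARDENED = """\
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
ssh key-exchange group dh-group14-sha1
http server enable
http 192.168.10.0 255.255.255.0 inside
"""
WEAK = """\
ssh 0.0.0.0 0.0.0.0 outside
ssh key-exchange group dh-group1-sha1
http server enable
http 0.0.0.0 0.0.0.0 outside
"""

# Management-access lines have the form "ssh <ip> <mask> <ifname>" or
# "http <ip> <mask> <ifname>"; the IP pattern keeps "ssh key-exchange ..." out.
MGMT_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def audit_mgmt_plane(config: str) -> list[str]:
    """Return findings about SSH/ASDM exposure in an ASA running config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "ssh version 2" not in lines:
        findings.append("ssh version not pinned to 2")
    # Last "ssh key-exchange group" line wins, as in the ASA config itself
    kex = [l.split()[-1] for l in lines if l.startswith("ssh key-exchange group ")]
    if not kex:
        findings.append("ssh key-exchange group not set explicitly (check platform default)")
    elif kex[-1] == "dh-group1-sha1":
        findings.append("ssh key-exchange uses dh-group1-sha1 (1024-bit DH group)")
    for line in lines:
        m = MGMT_RE.match(line)
        if not m:
            continue
        proto, ip, mask, ifname = m.groups()
        if ifname == "outside":
            findings.append(f"{proto} management permitted on outside from {ip} {mask}")
        if ip == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"{proto} management permitted from any source")
    return findings


if __name__ == "__main__":
    for name, cfg in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_mgmt_plane(cfg) or "no findings")
```

Feed it the output of `show running-config` from the ASAv to check the real box rather than the constructed samples.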
