Cisco Asa Virtual Appliance Download

  

Recently I was researching Cisco virtualization, including Cisco IOU/IOL, Virtual Internet Routing Lab and Cisco Modelling Labs, and then I stumbled on running the Cisco ASA in VMware. Naturally, I was quite interested in it so I decided to set it up on my laptop. You can download the ASAv OVA file from Cisco’s site although you need to be registered (and probably have some support contract with Cisco). You can do a web search on how to set up the Cisco ASA virtual appliance in VMware.


In my own setup, I have a Cisco ASAv with software version 9.2(1) running in VMware Workstation 10.


For this article, I will show you how to integrate the VMware ASAv with a network I have in GNS3.

Note: There is a way to run ASA 8.4(2) in VMware but that is not the focus of this article. I am running the Cisco ASAv which is built as a virtual appliance.

First, we need to sort out the VMware networking. For my ASAv VMware appliance, I am using four interfaces – one management interface and three data interfaces. The way the interfaces show up in the ASA’s show version output (screenshot above) is the way they are arranged in the VMware settings page:

Therefore, Management0/0 is the first Network Adapter; GigabitEthernet0/0 is Network Adapter 2 and so on. If you want to be more certain about which VMware network adapters correspond to interfaces on the ASA, you can check the MAC addresses. For example, if I select the ‘Network Adapter’ and click on the Advanced button, I will see the MAC address used by this interface:

I can then compare that MAC address to the MAC address of the ASAv interfaces:

Once you have matched the VMware network adapters to the ASA’s interfaces, you are ready to integrate it with GNS3. However, we need to make some VMware networking changes depending on what we want to achieve. In my own case, I want to use two interfaces on the ASAv – Gi0/0 and Gi0/1 – one as the inside interface and one as the outside interface. I will use the Bridged networking mode for the VMware network adapter 2 (Gi0/0) and Host-only networking mode for the VMware network adapter 3 (Gi0/1). I will leave the others as they are since I will not be bringing them up.
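The MAC comparison described above can be scripted, which helps confirm that the interface you intend as inside is not the one sitting on the bridged LAN. This is an added example, not part of the original article: the MAC addresses are constructed, and the `outside`/`inside` names on Gi0/0 and Gi0/1 are an assumption about how the interfaces are named.

```python
import re

# Constructed sample data: a .vmx excerpt and trimmed ASA `show interface` output.
SAMPLE_VMX = '''ethernet1.connectionType = "bridged"
ethernet1.generatedAddress = "00:0c:29:aa:bb:0b"
ethernet2.connectionType = "hostonly"
ethernet2.generatedAddress = "00:0C:29:AA:BB:15"
'''
SAMPLE_ASA = '''Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        MAC address 000c.29aa.bb0b, MTU 1500
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        MAC address 000c.29aa.bb15, MTU 1500
'''

def norm(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_vmx(text):
    """Return {mac: connection_type} for each ethernetN adapter in a .vmx file."""
    nics = {}
    for idx, key, val in re.findall(r'^ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"', text, re.M):
        nics.setdefault(idx, {})[key] = val
    # A static MAC ("address") takes precedence over the generated one.
    return {norm(kv.get("address") or kv.get("generatedAddress", "")):
            kv.get("connectionType", "unset") for kv in nics.values()}

def parse_asa(text):
    """Return {mac: (interface, nameif)} from ASA `show interface` output."""
    out, current = {}, None
    for line in text.splitlines():
        head = re.match(r'\s*Interface (\S+) "([^"]*)"', line)
        mac = re.search(r"MAC address ([0-9a-fA-F.]+)", line)
        if head:
            current = head.groups()
        elif mac and current:
            out[norm(mac.group(1))] = current
    return out

def audit(vmx_text, asa_text, expected):
    """Return (mapping, problems): the VMware network behind each ASA interface,
    and every nameif whose network differs from `expected` ({nameif: type})."""
    vmx, mapping, problems = parse_vmx(vmx_text), {}, []
    for mac, (ifname, nameif) in parse_asa(asa_text).items():
        conn = vmx.get(mac, "no matching adapter")
        mapping[ifname] = conn
        if nameif in expected and conn != expected[nameif]:
            problems.append(f"{ifname} ({nameif}) is on {conn}, expected {expected[nameif]}")
    return mapping, problems
```

Call `audit()` with the contents of the VM's `.vmx` file, the pasted `show interface` output, and a dictionary such as `{"outside": "bridged", "inside": "hostonly"}`; an empty problem list means the wiring matches the plan.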


In VMware, you can change the settings of the virtual networking modes by navigating to Edit → Virtual Network Editor. As you can see below, I have bridged VMnet0 to my Wireless NIC. You will also notice the subnet to which the Host-only networking type belongs, i.e. 192.168.234.0. You can change this if you wish.

Before going to GNS3, let’s configure the ASA interfaces and verify that it can connect to the host OS both on the Gi0/0 and Gi0/1 interfaces. The configuration on the ASA is as follows:


My laptop has an IP address of 192.168.1.4 on its Wireless NIC while it has an IP address of 192.168.234.1 on the VMware Host-only network adapter (VMnet1):

To test connectivity, I will ping my laptop (the host OS) from the ASA.

Great! We have connectivity. If you don’t have connectivity, check your host PC’s firewall settings or your antivirus program that is also acting as a firewall application.

Now we are ready to connect to GNS3. We will be using the simple topology below – the Cloud represents the ASAv:

We need to configure the Cloud with two interfaces: one for my wireless NIC and the other for the VMware host-only network adapter.

You may also want to change the symbol of the cloud to match that of an ASA and also change the hostname to something like “ASAv”. At the end of our topology configuration, we have what is shown below:

For completeness’ sake, let us configure the routers and see that we have communication through the ASAv.

I will also add a simple NAT configuration on the ASAv to allow dynamic translation to the IP address of the ASA’s outside interface for traffic from the INSIDE_RTR to the outside:

So let’s test: I will open a telnet connection to the OUTSIDE_RTR (192.168.1.101) from the INSIDE_RTR.

As you can see, the translation was done, meaning the traffic passed through the ASAv.

Now that we have seen how to integrate an ASA running in VMware with GNS3, I want to talk about how I feel about it. Was it worth it? Not for me (in a lab environment) considering the fact that you can run the Cisco ASA directly in GNS3 using QEMU. The guys at GNS3 may not agree with me because it seems supporting QEMU has been a nightmare for them.

A plus is that you can run ASA version 9.x in VMware, which I don’t think is currently supported natively in GNS3 – GNS3 supports ASA version 8.4(2). Actually, the primary reason I set up the ASA in VMware was so that I could test out new features in ASA version 9.x, such as clustering. However, the ASAv does not support clustering *sigh*. Actually, it doesn’t support a couple of other things, such as Active/Active failover and multiple context modes. You can view a list of the unsupported features here.

Maybe from a performance standpoint, running the ASA (not ASAv because of the unsupported features) in VMware could be a better option but I don’t have much insight into this.

Conclusion

In summary, it was fun setting this up; however, I’m not as ecstatic as I thought I would be mostly because of the unsupported features. It is good knowledge to have though because GNS3 may be moving away from QEMU towards more virtualization.


I hope you have found this article insightful.

Further reading

  • Cisco Adaptive Security Virtual Appliance (ASAv): http://www.cisco.com/c/en/us/products/security/virtual-adaptive-security-appliance-firewall/index.html
  • Create a Cisco ASA VM in VMware Fusion: http://binarynature.blogspot.com/2014/01/create-cisco-asa-vmware-fusion.html