This article discusses how to run the Cisco Adaptive Security Virtual Appliance (ASAv) on the KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv on Kernel-based Virtual Machine (KVM). Thanks to this support, ASAv can be deployed on Linux in a straightforward way and no mysterious hacks are needed anymore.
Unfortunately, until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way to bypass this limitation, as Cisco does not provide an evaluation licence for ASAv the way it does for its CSR1000v IOS-XE router. I also found out that ASAv keeps rebooting when QEMU is started without the KVM option enabled, which limits deployment of the ASAv QEMU image to operating systems where KVM is available. Windows users should download and install the ASAv edition for the VMware hypervisor instead.
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - asav932-200.qcow2 or later (you need a service contract to be able to download it)
• CPU with VT-x or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine
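Before downloading the image it is worth checking that the host really meets the list above, because, as noted earlier, ASAv boot-loops when QEMU runs without KVM. The following POSIX shell script is an added example and is not part of the article: it checks the CPU flags, the /dev/kvm device node and the available memory. The check functions take their input as arguments so they can be exercised on constructed text; the block at the bottom runs them against the live host when the file is executed under the assumed name asav_preflight.sh.

```shell
#!/bin/sh
# asav_preflight.sh: added host check for running ASAv under QEMU/KVM.
# Not part of the article; the file name and the 2048 MiB threshold
# (the article's "2GB RAM dedicated for ASAv") are assumptions.

# cpu_has_virt CPUINFO_TEXT
# Succeeds if any "flags" line in the given /proc/cpuinfo text advertises
# Intel VT-x (vmx) or AMD-V (svm).
cpu_has_virt() {
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# kvm_usable DEVICE
# Succeeds if DEVICE is a character device the current user can open
# read/write, i.e. /dev/kvm exists (kvm_intel/kvm_amd loaded) and the user
# is allowed to use it (typically through membership in the kvm group).
kvm_usable() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# mem_sufficient MEMINFO_TEXT REQUIRED_MIB
# Succeeds if MemAvailable in the given /proc/meminfo text is at least
# REQUIRED_MIB mebibytes.
mem_sufficient() {
    avail_kb=$(printf '%s\n' "$1" | awk '/^MemAvailable:/ { print $2 }')
    [ -n "$avail_kb" ] && [ "$avail_kb" -ge $(( $2 * 1024 )) ]
}

# preflight: run the three checks on this host, report, return 1 on any failure.
preflight() {
    rc=0
    if cpu_has_virt "$(cat /proc/cpuinfo 2>/dev/null)"; then
        echo "ok:   CPU advertises vmx/svm"
    else
        echo "FAIL: no vmx/svm flag; enable VT-x/AMD-V in firmware, otherwise ASAv boot-loops"
        rc=1
    fi
    if kvm_usable /dev/kvm; then
        echo "ok:   /dev/kvm is usable"
    else
        echo "FAIL: /dev/kvm missing or not writable; load kvm_intel/kvm_amd and join the kvm group"
        rc=1
    fi
    if mem_sufficient "$(cat /proc/meminfo 2>/dev/null)" 2048; then
        echo "ok:   at least 2048 MiB available for the guest"
    else
        echo "FAIL: less than 2048 MiB available; free memory before starting ASAv"
        rc=1
    fi
    return $rc
}

# Run the live check only when executed as a script, so the functions can
# also be sourced from other scripts (such as a start-up script).
if [ "${0##*/}" = "asav_preflight.sh" ]; then
    preflight
    exit $?
fi
```

Save it as asav_preflight.sh and run it before the first boot; a non-zero exit means one of the three requirements is missing, and the message says which one.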
1. ASAv Installation
VirtualBox is no option either. I tried to build an ASAv VirtualBox machine by copying the settings of an ASAv running on VMware Workstation (two SCSI disks, ASAv922.vmdk and ASAv9221.vmdk, one CPU, 2048 MB RAM and four virtio-net NICs), but ASAv freezes during boot with the message 'Platform F1-GENERIC' on the console.
Installation does not require any special skills and takes only one reboot. Start the ASAv virtual machine installation with the following command (2 GB of RAM, boot from the first disk, KVM acceleration enabled):
$ /usr/local/bin/qemu-system-x86_64 -m 2048M -boot c -hda ./asav932-200.qcow2 -enable-kvm
If you want ASAv to redirect its console to a serial port, create a file named use_ttyS0 on disk0. ASAv only checks for the name of the file at boot, its content does not matter, so the easiest way is to copy an existing file such as coredump.cfg to that name:
ciscoasa# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0
Now you can shut down the ASAv virtual machine and run it with the serial port redirected to QEMU's built-in telnet server: start the appliance with the additional options -serial telnet:127.0.0.1:3333,server,nowait -display none and connect with the telnet command below. Bind the console to 127.0.0.1 rather than 0.0.0.0: QEMU's telnet server has no authentication of its own, and on 0.0.0.0 everybody on your LAN would get the ASAv console, including the still unprotected privileged mode of a freshly installed appliance.
$ telnet localhost 3333
2. Running ASAv As Your Personal Firewall
In this part we are going to reconfigure the existing network infrastructure in order to connect the ASAv virtual machine as a personal firewall. As already mentioned, throughput is limited to 100 Kbps until you load a licence file into ASAv. Such a deployment is therefore sufficient for experimenting with an unlicensed ASAv appliance in a home lab, but useless in a production network.
Picture 1 - Network Topology
The network diagram in the picture shows the connections between the network interfaces of the ASAv virtual machine and the Linux host interfaces. Three virtual host interfaces, tap0, tap1 and tap2, have to be created on Linux before the ASAv appliance is started. You do not need to worry about the actual commands, as I will later share a script that takes care of the changes in your network configuration.
Below is a list of the ASAv network interfaces and their IP address assignment. ASAv names the first virtio NIC Management0/0 and the following ones GigabitEthernet0/0, GigabitEthernet0/1 and so on; QEMU attaches them to the tap interfaces in that order, so no user action is required.
ASAv Interfaces IP Address Assignment
• Management0/0 (management) - 192.168.1.1/24
• GigabitEthernet0/0 (inside) - 192.168.2.1/24
• GigabitEthernet0/1 (outside) - 172.17.100.5/16, assigned by the DHCP server on the SOHO router
Linux Tap Interfaces Map Connection
• Interface tap0 - 192.168.1.2/24 is attached to the ASA management interface
• Interface tap1 - 192.168.2.2/24 is attached to the ASA inside interface
• Interface tap2 - no address of its own, attached to the ASA outside interface and bridged with the host NIC p3p1
The outside ASAv interface is attached to tap2, which is bridged with the host network interface p3p1. Bridging is done with the brctl command from the bridge-utils package installed on Fedora Linux. Again, the script will take care of creating the virtual bridge interface and adding tap2 and p3p1 to it.
In my home network, the interface p3p1 is connected with a straight Ethernet cable to the LAN interface of my SOHO router, which has the IP address 172.17.100.1/16 and acts as the default gateway for all hosts in my home network. No route to the inside network 192.168.2.0/24 is needed on that router, because NAT is configured on the outside interface of the ASAv appliance: it translates addresses from the subnet 192.168.2.0/24 on the inside ASAv interface to the dynamic address that the outside ASAv interface obtains from the DHCP server running on the SOHO router, which hands out addresses from the pool 172.17.0.0/16.
The start-up script start_asa.txt must be run with root privileges. You only need to adapt it to your configuration and make it executable:
$ chmod +x start_asa.txt
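The script the text refers to is not reproduced on the page, so here is an added example, not the article's start_asa.txt, that does what part 2 describes: it creates tap0, tap1 and tap2, puts tap2 and p3p1 into a bridge, and boots ASAv with three virtio NICs in the order ASAv expects (Management0/0, GigabitEthernet0/0, GigabitEthernet0/1). The bridge name br0, the MAC addresses and the environment variables are assumptions; the tap names, host addresses, p3p1, the image name and port 3333 come from the article. Without arguments the script only prints the commands it would run.

```shell
#!/bin/sh
# start_asa.sh: added example of a start-up script for the topology above.
# It is not the article's start_asa.txt; it only reproduces what the text
# describes. Assumed: bridge name br0, the MAC addresses, the variables below.
# Without arguments the script prints what it would do (dry run);
# "./start_asa.sh --apply" as root creates the taps and bridge and boots ASAv.

IMG=${IMG:-./asav932-200.qcow2}
UPLINK=${UPLINK:-p3p1}   # host NIC cabled to the SOHO router (from the article)
BRIDGE=${BRIDGE:-br0}    # assumed bridge name
SERIAL_PORT=${SERIAL_PORT:-3333}
MEM=${MEM:-2048M}

# Host-side plumbing, one command per line: tap0 = management, tap1 = inside,
# tap2 = outside (bridged with the uplink; it carries no address of its own).
# If the host itself had an address on $UPLINK, move it to $BRIDGE afterwards.
host_setup_cmds() {
    cat <<EOF
ip tuntap add dev tap0 mode tap
ip tuntap add dev tap1 mode tap
ip tuntap add dev tap2 mode tap
ip addr add 192.168.1.2/24 dev tap0
ip addr add 192.168.2.2/24 dev tap1
ip link set tap0 up
ip link set tap1 up
ip link set tap2 up
brctl addbr $BRIDGE
brctl addif $BRIDGE $UPLINK
brctl addif $BRIDGE tap2
ip link set $BRIDGE up
EOF
}

# The QEMU command. "$@" is a prefix: "echo" prints the command line, "exec"
# runs it. NIC order matters: ASAv maps the first virtio NIC to Management0/0
# and the next two to GigabitEthernet0/0 and 0/1. The serial console is bound
# to 127.0.0.1 only, because QEMU's telnet server authenticates nobody.
qemu_cmd() {
    "$@" qemu-system-x86_64 -enable-kvm -m "$MEM" -boot c -hda "$IMG" \
        -netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
        -device virtio-net-pci,netdev=net0,mac=52:54:00:a5:01:00 \
        -netdev tap,id=net1,ifname=tap1,script=no,downscript=no \
        -device virtio-net-pci,netdev=net1,mac=52:54:00:a5:01:01 \
        -netdev tap,id=net2,ifname=tap2,script=no,downscript=no \
        -device virtio-net-pci,netdev=net2,mac=52:54:00:a5:01:02 \
        -serial "telnet:127.0.0.1:$SERIAL_PORT,server,nowait" -display none
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        host_setup_cmds | sh -e
        qemu_cmd exec
        ;;
    *)
        echo "# dry run; rerun with --apply as root to execute:"
        host_setup_cmds
        qemu_cmd echo
        ;;
esac
```

Run ./start_asa.sh first to review the commands, then ./start_asa.sh --apply as root. If the host itself used an address (or a DHCP client) on p3p1, move it to br0 after bridging, otherwise the host loses its own uplink. The `script=no,downscript=no` options stop QEMU from running its own ifup/ifdown helpers on the taps, which the script already manages.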
3. ASAv Configuration
Telnet to the ASAv appliance with the command below and configure it as follows. The password cisco used below is a lab placeholder; on an appliance reachable by anyone else, replace it with strong, distinct passwords. Note that the local user is created with privilege 0, so the enable password is what actually guards privileged mode:
$ telnet localhost 3333
ciscoasa# conf t
ciscoasa(config)# hostname ASAv
Creating Local User
ASAv(config)# username admin password cisco privilege 0
Securing Access to Console
ASAv(config)# aaa authentication serial console LOCAL
Securing Access to Privileged User Mode
ASAv(config)# enable password cisco
Securing SSH Access to VTY
ASAv(config)# aaa authentication ssh console LOCAL
ASAv(config)# ssh 192.168.1.2 255.255.255.255 management
ASAv(config)# ssh version 2
ASAv(config)# interface Management 0/0
ASAv(config-if)# nameif management
ASAv(config-if)# ip address 192.168.1.1 255.255.255.0
ASAv(config-if)# no shutdown
LAN (Inside) Interface
ASAv(config)# interface GigabitEthernet 0/0
ASAv(config-if)# nameif inside
ASAv(config-if)# security-level 100
ASAv(config-if)# ip address 192.168.2.1 255.255.255.0
ASAv(config-if)# no shutdown
WAN (Outside) Interface - address obtained from the SOHO router's DHCP server, as described in part 2
ASAv(config-if)# interface GigabitEthernet 0/1
ASAv(config-if)# nameif outside
ASAv(config-if)# security-level 0
ASAv(config-if)# ip address dhcp
ASAv(config-if)# no shutdown
Default Route and DNS Server
ASAv(config)# route outside 0.0.0.0 0.0.0.0 172.17.100.1
ASAv(config)# dns domain-lookup outside
ASAv(config)# dns name-server 220.127.116.11
NAT (PAT Overload)
ASAv(config)# object network my_inside_network
ASAv(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASAv(config-network-object)# nat (inside,outside) dynamic interface
Allowing ICMP Inspection
ASAv(config)# policy-map global_policy
ASAv(config-pmap)# class inspection_default
ASAv(config-pmap-c)# inspect icmp
Many of us want to practice on ASAv for certification, knowledge or testing. EVE-NG provides an excellent platform to play with Cisco ASAv and practice as much as you want.
We will guide you step by step through adding Cisco ASAv to EVE-NG and also explain how to get a trial license for your Cisco ASAv.
Cisco ASAv comes with limitations, however: you cannot create security contexts, and you cannot practice all the HA (high availability) features. To practice these features you have to use the Cisco ASA image instead of ASAv. If you want to download and add the ASA image, read the other blog post, How to add QEMU Cisco ASA to EVE-NG.
Follow the steps below to add Cisco ASAv to EVE-NG:
1. Download Cisco ASAv
2. Upload it to EVE-NG
3. Request and add the license
1. Download Cisco ASAv – asav952-204.qcow2
If you have access to the Cisco website you can download Cisco ASAv directly; if you do not, the second link below is provided for educational purposes only.
Download From Cisco
Download from NetworkHunt (Cisco ASAv)
2. Upload the downloaded image to EVE-NG, for example with FileZilla or WinSCP.
Then log in as root over SSH.
3. Create the image folder under the name EVE-NG expects (an asav- prefixed folder holding the disk as virtioa.qcow2), move the image there, and open it with guestfish so the console can be switched from VNC to telnet:
apt-get install libguestfs-tools
mkdir -p /opt/unetlab/addons/qemu/asav-952-204
mv asav952-204.qcow2 /opt/unetlab/addons/qemu/asav-952-204/virtioa.qcow2
cd /opt/unetlab/addons/qemu/asav-952-204
guestfish -a virtioa.qcow2
4. Wait until guestfish has loaded the image and shows its ><fs> prompt.
5. Continue with the following commands inside guestfish; they mount the ASAv disk and create the use_ttyS0 marker file that makes ASAv use the serial console instead of VNC:
run
mount /dev/sda2 /
touch /use_ttyS0
exit
6. Clean and fix permissions:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Cisco offers a 30-day free trial license for ASA. There are two methods to reach out to Cisco for the trial license-