The article discuss how to run Cisco Adaptive Security Virtual Appliance (ASAv) on KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco supports deploying ASAv using Kernel-based Virtual Machine (KVM). Thanks for the support of KVM hypervisor, ASAv can be deployed in a very easy manner on Linux and no mysterious hacks are needed anymore.
Unfortunately until a valid license file is installed, ASAv throughput is limited to 100 Kbps. So far I have not found a way how to bypass this limitation as Cisco does not provide any evaluation licence as they offer for their CSR100v IOS-XE router. I also found out that ASAv keeps rebooting when Qemu is started without enabled KVM option. It limits deployment of ASAv Qemu images on Linux/FreeBSD as KVM is available for these operation systems only. Windows users should download and install ASAv edition for VMware hypervisor.
Software Requirements
• Linux x86_64 with installed Qemu and KVM
• Cisco ASAv Virtual Appliance - asav932-200.qcow2 or later (you need a service contract to be able to download it)
HardwareRequirements
• CPU with VT-X or AMD-V hardware virtualization support
• 2GB RAM dedicated for ASAv virtual machine
1. ASAv Installation
Installation does not requires any special skills and takes only one reboot. Start the ASAv virtual machine installation with the command.
$ /usr/local/bin/qemu-system-x86_64 -m 2048M -boot c -hda ./asav932-200.qcow2 -enable-kvm
Copy a file coredump.cfg to disk0, if you want ASAv to redirect output to a serial port.
ciscoasa>enable
ciscoasa# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0
Now you can shutdown your ASAv virtual machine and run it with a serial port redirected to internal Qemu telnet server. Just start your ASAv appliance with an option -serial telnet:0.0.0.0:3333,server,nowait -display none and and issue the telnet command.
$ telnet localhost 3333
2. Running ASAv As Your Personal Firewall
In this part we are going to reconfigure our existing network infrastructure in order to connect ASAv virtual machine as a personal firewall. As we have already mentioned a throughput is limited to 100 kbps until you load a licence file to ASAv. For this reason it is sufficient to experiment with unlicensed ASAv appliance in your home lab but such as deployment is useless in your production network.
Picture 1 - Network Topology
There is a network diagram on the picture that shows connection between network interfaces of ASAv virtual machine and Linux host interfaces. In fact three virtual host interfaces have to be created on Linux - tap0, tap1 and tap2 before the ASAv appliance is started. You do not need to worry about actual commands as I will later share a script that take responsibility for changes in your network configuration.
Below is a list of ASAv network interfaces and their IP addresses assignment. The interfaces are connected with particular tap interfaces by Qemu itself thus no user action is required.
ASAV Interfaces IP Address Assignment
• GigabitEthernet0/0 (management) - 192.168.1.1/24
• GigabitEthernet0/1 (inside) - 192.168.2.1/24
• GigabitEthernet0/2 (outside) - 172.17.100.5/16
Linux Tap Interfaces Map Connection
• Interface tap0 - 192.168.1.2/24 is bridged with ASA Management interface
• Interface tap1 - 192.168.2.2/24 is bridged with ASA inside interface
• Interface tap1 - 172.17.100.5/16 is bridged with ASA outside interface
An outside ASAv interface is connected with an interface tap2 and bridged with a host network interface p3p1. Bridging is done by brctl command that comes with a bridge-utils package installed on Fedora Linux. Again, a script will take responsibility for creating a virtual bridge interface and bridging interfaces tap2 and p3p1 together.
In case of my home network, an interface p31p is connected with a straight Ethernet cable to the LAN interface of my SOHO router with an IP address 172.17.100.1/16. In fact, the router acts as a default gateway for all network hosts in my home network. No route to the network 182.168.1.0/24 is needed on that router as a NAT service is configured on the outside interface of ASAv appliance. NAT translates an IP addresses from the subnet 192.168.1.0/24 that is configured on the inside ASAv interface to a dynamic IP address assigned from DHCP server for the outside ASAv interface. The server is running on the SOHO router and it offers an IP address from a DHCP pool 172.17.0.0/16.
A start-up script start_asa.txt must be started with the root privileges. You only need to make changes according to your configuration and assign executable privileges to the script.
$ chmod +x start_asa.txt
3. ASAv Configuration
Telnet to ASAv Appliance with the command below and configure ASAv as following:
$ telnet localhost 3333
Hostname
ciscoasa> enable
ciscoasa# conf t
ciscoasa(config)# hostname ASAv
Creating Local User
ASAv(config)# username admin password cisco privilege 0
Securing Access to Console
ASAv(config)# aaa authentication serial console LOCAL
Securing Access to Privileged User Mode
ASAv(config)# enable password cisco
Securing SSH Access to VTY
ASAv(config)# aaa authentication ssh console LOCAL
ASAv(config)# ssh 192.168.1.2 255.255.255.255 management
ASAv(config)# ssh version 2
Management Interface
ASAv(config)# interface Management 0/0
ASAv(config-if)# management-only
ASAv(config-if)# nameif management
ASAv(config-if)# ip address 192.168.1.1 255.255.255.0
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
LAN (Inside) Interface
ASAv(config)# interface GigabitEthernet 0/0
ASAv(config-if)# nameif inside
ASAv(config-if)# security-level 100
ASAv(config-if)# ip address 192.168.2.1 255.255.255.0
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
WAN (Outside) Interface
ASAv(config-if)# interface gigabitEthernet 0/1
ASAv(config-if)# nameif outside
ASAv(config-if)# security-level 0
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
Default Route and DNS Server
ASAv(config)# route outside 0.0.0.0 0.0.0.0 172.17.100.1
ASAv(config)# dns domain-lookup outside
ASAv(config)# dns name-server 8.8.8.8
NAT (PAT Overload)
ASAv(config)# object network my_inside_network
ASAv(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASAv(config-network-object)# nat (inside,outside) dynamic interface
ASAv(config-network-object)# exit
Allowing ICMP Inspection
ASAv(config)# policy-map global_policy
ASAv(config-pmap)# class inspection_default
ASAv(config-pmap-c)# inspect icmp
References
https://maroskukan.wordpress.com/2015/01/20/up-and-running-with-asav/
https://community.gns3.com/thread/5359
https://www.youtube.com/watch?v=5WNxPJqQ-yk
https://www.fir3net.com/Firewalls/Cisco/how-to-configure-nat-of-asa-83.html