
Qemu ASAv Appliance as Personal Firewall on Linux

Posted on January 26, 2015 by Radovan Brezula. Updated on April 27, 2015.

This article discusses how to run the Cisco Adaptive Security Virtual Appliance (ASAv) on
the KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco
supports deploying ASAv on the Kernel-based Virtual Machine (KVM). Thanks to the
support for the KVM hypervisor, ASAv can be deployed very easily on Linux
and no mysterious hacks are needed anymore.

Unfortunately, until a valid license file is installed, ASAv throughput is limited to 100
Kbps. So far, I have not found a way to bypass this limitation, as Cisco does not
provide any evaluation licence as it does for its CSR1000v IOS-XE router. I also
found out that ASAv keeps rebooting when Qemu is started without the KVM
option enabled. This limits deployment of ASAv Qemu images to Linux/FreeBSD, as KVM is
available for these operating systems only. Windows users should download and
install the ASAv edition for the VMware hypervisor.

Software Requirements
Linux x86_64 with Qemu and KVM installed
Cisco ASAv Virtual Appliance, asav932-200.qcow2 or later (you need a service
contract to be able to download it)
Hardware Requirements
CPU with VT-x or AMD-V hardware virtualization support
2 GB RAM dedicated to the ASAv virtual machine
1. ASAv Installation
Installation does not require any special skills and takes only one reboot. Start the
ASAv virtual machine installation with the command:

$ /usr/local/bin/qemu-system-x86_64 -m 2048M -boot c -hda ./asav932-200.qcow2 -enable-kvm

Copy the file coredump.cfg to disk0 if you want ASAv to redirect its console output to a
serial port.

ciscoasa> enable
ciscoasa# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0

Now you can shut down your ASAv virtual machine and run it with the serial port
redirected to the built-in Qemu telnet server. Just start your ASAv appliance with the
option -serial telnet:0.0.0.0:3333,server,nowait -display none and issue the telnet
command.

$ telnet localhost 3333


2. Running ASAv As Your Personal Firewall
In this part we are going to reconfigure our existing network infrastructure in order to
connect the ASAv virtual machine as a personal firewall. As already mentioned,
throughput is limited to 100 kbps until you load a licence file into ASAv. For this
reason, an unlicensed ASAv appliance is sufficient for experiments in your home
lab, but such a deployment is useless in your production network.
Picture 1 - Network Topology

The network diagram in the picture shows the connections between the network
interfaces of the ASAv virtual machine and the Linux host interfaces. Three
virtual host interfaces, tap0, tap1 and tap2, have to be created on Linux before
the ASAv appliance is started. You do not need to worry about the actual commands, as I
will later share a script that takes care of the changes to your
network configuration.

Below is a list of ASAv network interfaces and their IP address assignments. The
interfaces are connected to the particular tap interfaces by Qemu itself, so no user
action is required.

ASAv Interfaces IP Address Assignment
GigabitEthernet0/0 (management) - 192.168.1.1/24
GigabitEthernet0/1 (inside) - 192.168.2.1/24
GigabitEthernet0/2 (outside) - 172.17.100.5/16

Linux Tap Interfaces Map Connection
Interface tap0 - 192.168.1.2/24 is bridged with the ASA management interface
Interface tap1 - 192.168.2.2/24 is bridged with the ASA inside interface
Interface tap2 - 172.17.100.5/16 is bridged with the ASA outside interface
The outside ASAv interface is connected to the interface tap2, which is bridged with
the host network interface p3p1. Bridging is done by the brctl command that comes with the
bridge-utils package on Fedora Linux. Again, the script will take care
of creating a virtual bridge interface and bridging the interfaces tap2 and p3p1
together.

In the case of my home network, the interface p3p1 is connected with a straight Ethernet
cable to the LAN interface of my SOHO router, which has the IP address 172.17.100.1/16. In
fact, the router acts as the default gateway for all hosts in my home network.
No route to the network 192.168.1.0/24 is needed on that router, as a NAT service
is configured on the outside interface of the ASAv appliance. NAT translates IP
addresses from the subnet 192.168.1.0/24, which is configured on the inside ASAv
interface, to a dynamic IP address assigned by a DHCP server to the outside ASAv
interface. The server runs on the SOHO router and offers IP addresses from
the DHCP pool 172.17.0.0/16.

The start-up script start_asa.txt must be run with root privileges. You only need
to adjust it to your configuration and make the script executable.

$ chmod +x start_asa.txt
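The script itself is not reproduced in the article, so the following is an added example of what such a start-up script looks like; it is not the author's start_asa.txt. It assumes the uplink p3p1, a bridge named br0, the tap0/tap1/tap2 layout from Picture 1, the e1000 NIC model, and that the host's default route is pointed at the ASAv inside address so host traffic actually passes through the firewall.

```shell
#!/bin/sh
# Added example start-up script (not the author's start_asa.txt). Assumptions:
# uplink p3p1, bridge br0, taps tap0-tap2 as in Picture 1, e1000 NIC model, and
# host default route via the ASAv inside address. Run as root: ./start_asa.sh start
QEMU=${QEMU:-/usr/local/bin/qemu-system-x86_64}
IMG=${IMG:-./asav932-200.qcow2}
UPLINK=${UPLINK:-p3p1}
BRIDGE=${BRIDGE:-br0}
# Host-side address per tap (the article's tap map); tap2 gets none, it is only a
# bridge port towards the uplink.
tap_addr() {
    case "$1" in
        tap0) echo 192.168.1.2/24 ;;   # faces ASAv Management0/0
        tap1) echo 192.168.2.2/24 ;;   # faces ASAv inside
    esac
}
# Create one tap device, bring it up and address it when tap_addr says so.
tap_setup() {
    ip tuntap add dev "$1" mode tap
    ip link set "$1" up
    addr=$(tap_addr "$1")
    if [ -n "$addr" ]; then ip addr add "$addr" dev "$1"; fi
}
# Put tap2 and the physical uplink in one bridge so the ASAv outside interface sits
# on the SOHO router's LAN and can get its address from that router's DHCP server.
bridge_setup() {
    brctl addbr "$BRIDGE"
    brctl addif "$BRIDGE" "$UPLINK"
    brctl addif "$BRIDGE" tap2
    ip link set "$BRIDGE" up
}
# Build the Qemu command line: KVM on, no graphics, serial console on the telnet
# server from section 1, and net0..net2 attached to tap0..tap2 in the order ASAv
# enumerates its NICs (Management0/0 first).
qemu_cmdline() {
    printf '%s -m 2048M -boot c -enable-kvm -hda %s -display none' "$QEMU" "$IMG"
    printf ' -serial telnet:0.0.0.0:3333,server,nowait'
    for i in 0 1 2; do
        printf ' -netdev tap,id=net%s,ifname=tap%s,script=no,downscript=no' "$i" "$i"
        printf ' -device e1000,netdev=net%s' "$i"
    done
    printf '\n'
}

if [ "${1:-}" = start ]; then                     # nothing runs without the argument
    for t in tap0 tap1 tap2; do tap_setup "$t"; done; bridge_setup
    ip route replace default via 192.168.2.1     # host traffic goes through ASAv
    eval "exec $(qemu_cmdline)"
fi
```

Running the script without an argument only defines the functions, which lets you inspect the generated command with qemu_cmdline before touching any interface.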
3. ASAv Configuration
Telnet to the ASAv appliance with the command below and configure ASAv as follows:

$ telnet localhost 3333

Hostname
ciscoasa> enable
ciscoasa# conf t
ciscoasa(config)# hostname ASAv
Creating Local User
ASAv(config)# username admin password cisco privilege 0
Securing Access to Console
ASAv(config)# aaa authentication serial console LOCAL
Securing Access to Privileged User Mode
ASAv(config)# enable password cisco
Securing SSH Access to VTY
ASAv(config)# aaa authentication ssh console LOCAL
ASAv(config)# ssh 192.168.1.2 255.255.255.255 management
ASAv(config)# ssh version 2
Management Interface
ASAv(config)# interface Management 0/0
ASAv(config-if)# management-only
ASAv(config-if)# nameif management
ASAv(config-if)# ip address 192.168.1.1 255.255.255.0
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
LAN (Inside) Interface
ASAv(config)# interface GigabitEthernet 0/0
ASAv(config-if)# nameif inside
ASAv(config-if)# security-level 100
ASAv(config-if)# ip address 192.168.2.1 255.255.255.0
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
WAN (Outside) Interface
ASAv(config)# interface GigabitEthernet 0/1
ASAv(config-if)# nameif outside
ASAv(config-if)# security-level 0
ASAv(config-if)# ip address dhcp
ASAv(config-if)# no shutdown
ASAv(config-if)# exit
Default Route and DNS Server
ASAv(config)# route outside 0.0.0.0 0.0.0.0 172.17.100.1
ASAv(config)# dns domain-lookup outside
ASAv(config)# dns name-server 8.8.8.8
NAT (PAT Overload)
ASAv(config)# object network my_inside_network
ASAv(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASAv(config-network-object)# nat (inside,outside) dynamic interface
ASAv(config-network-object)# exit
Allowing ICMP Inspection
ASAv(config)# policy-map global_policy
ASAv(config-pmap)# class inspection_default
ASAv(config-pmap-c)# inspect icmp


Source: http://brezular.com/2015/01/26/qemu-asav-appliance-as-personal-firewall-on-linux/
