on Linux
Posted on January 26, 2015 by Radovan Brezula. Updated on April 27, 2015.
This article discusses how to run the Cisco Adaptive Security Virtual Appliance (ASAv)
on the KVM hypervisor as your personal firewall. Since ASAv version 9.3.2-200, Cisco
supports deploying ASAv using Kernel-based Virtual Machine (KVM). Thanks to the
support for the KVM hypervisor, ASAv can be deployed very easily on Linux
and no mysterious hacks are needed anymore.
Unfortunately, until a valid license file is installed, ASAv throughput is limited to 100
Kbps. So far, I have not found a way to bypass this limitation, as Cisco does not
provide any evaluation licence as they do for their CSR1000v IOS-XE router. I also
found out that ASAv keeps rebooting when Qemu is started without the KVM option
enabled. This limits deployment of ASAv Qemu images to Linux/FreeBSD, as KVM is
available for these operating systems only. Windows users should download and
install the ASAv edition for the VMware hypervisor.
Software Requirements
Linux x86_64 with Qemu and KVM installed
Cisco ASAv Virtual Appliance - asav932-200.qcow2 or later (you need a service
contract to be able to download it)
Hardware Requirements
CPU with VT-X or AMD-V hardware virtualization support
2GB RAM dedicated for ASAv virtual machine
1. ASAv Installation
Installation does not require any special skills and takes only one reboot. Start the
ASAv virtual machine installation with the command.
ciscoasa>enable
ciscoasa# copy disk0:/coredumpinfo/coredump.cfg disk0:/use_ttyS0
Now you can shut down your ASAv virtual machine and run it with a serial port
redirected to the internal Qemu telnet server. Just start your ASAv appliance with the
option -serial telnet:0.0.0.0:3333,server,nowait -display none and issue the telnet
command.
The network diagram in the picture shows the connections between the network
interfaces of the ASAv virtual machine and the Linux host interfaces. In fact, three
virtual host interfaces have to be created on Linux (tap0, tap1 and tap2) before
the ASAv appliance is started. You do not need to worry about the actual commands, as I
will later share a script that takes care of the changes to your
network configuration.
Below is a list of the ASAv network interfaces and their IP address assignments. The
interfaces are connected to particular tap interfaces by Qemu itself, so no user
action is required.
The start-up script start_asa.txt must be run with root privileges. You only need
to make changes according to your configuration and assign executable privileges to
the script.
$ chmod +x start_asa.txt
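As an added illustration (not the author's start_asa.txt, which is not reproduced on this page), a launch wrapper covering the points above: it refuses to start without usable KVM, creates tap0, tap1 and tap2, and binds the serial console to loopback instead of 0.0.0.0, because Qemu's telnet character device does no authentication of its own. The e1000 NIC model, the one-NIC-per-tap mapping and the absence of any bridge or IP setup are assumptions.

```sh
#!/bin/sh
# Added example: preflight check and launch wrapper for the ASAv image.
# Not the author's start_asa.txt. Assumed: e1000 NICs, one NIC per tap,
# no bridging or IP configuration, image path without spaces.
IMAGE="${IMAGE:-asav932-200.qcow2}"
TAPS="${TAPS:-tap0 tap1 tap2}"
CONSOLE_ADDR="${CONSOLE_ADDR:-127.0.0.1}"  # loopback only; the article binds 0.0.0.0
CONSOLE_PORT="${CONSOLE_PORT:-3333}"

# ASAv reboot-loops under plain emulation, so require VT-x/AMD-V and /dev/kvm.
kvm_ready() {
    cpuinfo="${1:-/proc/cpuinfo}"; kvmdev="${2:-/dev/kvm}"
    grep -Eqw 'vmx|svm' "$cpuinfo" || { echo "no VT-x/AMD-V flag in $cpuinfo" >&2; return 1; }
    [ -r "$kvmdev" ] && [ -w "$kvmdev" ] || { echo "$kvmdev not accessible" >&2; return 1; }
}

# Print the Qemu command line: one -netdev/-device pair per tap interface,
# 2 GB RAM as listed in the hardware requirements, serial console on telnet.
build_qemu_cmd() {
    cmd="qemu-system-x86_64 -enable-kvm -m 2048 -hda $IMAGE"
    i=0
    for tap in $TAPS; do
        cmd="$cmd -netdev tap,id=net$i,ifname=$tap,script=no,downscript=no"
        cmd="$cmd -device e1000,netdev=net$i"
        i=$((i + 1))
    done
    echo "$cmd -serial telnet:$CONSOLE_ADDR:$CONSOLE_PORT,server,nowait -display none"
}

# Create any missing tap interfaces (needs root), then start the appliance.
start_asav() {
    kvm_ready || return 1
    for tap in $TAPS; do
        ip link show "$tap" >/dev/null 2>&1 || ip tuntap add dev "$tap" mode tap
        ip link set "$tap" up
    done
    exec $(build_qemu_cmd)
}

# Do nothing unless asked, so the file can be sourced or dry-run safely.
case "${1:-}" in
    start) start_asav ;;
    print) build_qemu_cmd ;;
esac
```

Run it with `print` to inspect the command line, or as root with `start`; the console is then reachable from the host with `telnet 127.0.0.1 3333`.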
3. ASAv Configuration
Telnet to the ASAv appliance with the command below and configure ASAv as follows:
WEBSITE:
http://brezular.com/2015/01/26/qemu-asav-appliance-as-personal-firewall-on-linux/