Cisco ASA 1000V Cloud Firewall
Getting Started Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: 78-20938-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco ASA 1000V Cloud Firewall Getting Started Guide
© 2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
Chapter 1 Before You Begin 1-1
Overview of the Solution Components 1-1
Deployment Architecture for the ASA 1000V 1-2
Sharing Policies Using the Cisco VNMC 1-5
Policy Objects for the ASA 1000V 1-8
How Policies Are Applied to the ASA 1000V 1-9
Configuration Model for the ASA 1000V 1-10
Predeployment Task Flow 1-11
Guidelines and Limitations 1-12
Additional References 1-13
Obtaining Documentation and Submitting a Service Request 1-13
Chapter 2 Deploying the Cisco ASA 1000V 2-1
Information About the ASA 1000V Deployment 2-1
About the ASA 1000V Management Modes 2-2
Sequence for Configuring the ASA 1000V Using Cisco VNMC 2-5
Sequence for Configuring the ASA 1000V Through ASDM 2-6
Downloading the ASA 1000V OVA File 2-7
Deploying the ASA 1000V Using the VMware vSphere Client 2-8
Powering On the ASA 1000V 2-11
Setting Up ASDM to Be Used by the ASA 1000V 2-12
Configuring SSH Access for the ASA 1000V 2-13
Other Configurations that Might Be Required 2-14
What to Do Next 2-14
Chapter 3 Setting Up the ASA 1000V Using VNMC Mode 3-1
Registering the ASA 1000V with the Cisco VNMC 3-1
Adding the ASA 1000V as an Edge Firewall in the Cisco VNMC 3-2
Configuring Security Profiles in VSM 3-4
Launching ASDM from Cisco VNMC to Monitor the ASA 1000V 3-6
Chapter 4 Configuring the ASA 1000V Using ASDM 4-1
Launching ASDM 4-1
Running the Startup Wizard in ASDM 4-3
Registering the ASA 1000V Using ASDM 4-4
Creating and Configuring Edge Security Profiles in ASDM 4-7
Creating Security Profiles in VSM in ASDM Mode 4-8
Making Internal Services Accessible from the Internet 4-8
Running the Site-to-Site Wizard to Configure VPN Tunnels 4-10
Other Wizards in ASDM 4-11
Advanced Configuration 4-11
Chapter 5 FAQs About the ASA 1000V 5-1
Questions 5-2
Chapter 6 Sample Configurations for the Cisco ASA 1000V 6-1
Sample Firewall Configuration 6-1
Sample LAN-to-LAN VPN Tunnel Configuration 6-7
Chapter 1
Before You Begin
This chapter includes the following sections:
• Overview of the Solution Components, page 1-1
• Deployment Architecture for the ASA 1000V, page 1-2
• Predeployment Task Flow, page 1-11
• Guidelines and Limitations, page 1-12
• Additional References, page 1-13
• Obtaining Documentation and Submitting a Service Request, page 1-13
Overview of the Solution Components
The Cisco ASA 1000V Cloud Firewall is a virtual appliance that was developed
using the ASA infrastructure to secure the tenant edge in multitenant
environments with Nexus 1000V deployments. It provides edge features and
functionality (including site-to-site VPN, NAT, and DHCP), acts as a default
gateway, and secures the virtual machines (VMs) within the tenant against any
network-based attacks.
The Cisco ASA 1000V is deployed with the following components:
• Compatible hardware that runs the VMware vSphere Hypervisor software.
• vCenter vSphere Hypervisor software—The required software for installing the Cisco Nexus 1000V and the Cisco VNMC appliance in a virtual data center.
• vCenter Server software—The required VM management software that is supported on the Cisco Nexus 1000V.
• Cisco Nexus 1000V—The required virtual switch for running VMs such as the ASA 1000V in a virtual data center.
• Cisco Virtual Network Management Center (VNMC) appliance—The required virtual appliance that manages virtual security appliances within the virtualized environment. The Cisco VNMC acts as a single point manager for both the Cisco ASA 1000V and Cisco VSG.
• Cisco ASA 1000V—The virtual service node that runs as a VM to secure the tenant edge in the virtualized environment.
• (Optional) Cisco Virtual Security Gateway (VSG)—A service appliance required to segment VMs from each other. The Cisco VSG is required to segment inter-VM traffic within a tenant.
Deployment Architecture for the ASA 1000V
This section includes the following topics:
• Sharing Policies Using the Cisco VNMC, page 1-5
• Policy Objects for the ASA 1000V, page 1-8
• How Policies Are Applied to the ASA 1000V, page 1-9
• Configuration Model for the ASA 1000V, page 1-10
The ASA 1000V enables a broad set of multitenant workloads that have varied security profiles to share a common infrastructure in a virtual data center. By associating one or more VMs in a network to distinct security profiles, the ASA 1000V ensures that access from and to these VMs is controlled and monitored through established security policies.
Integrated with the Cisco Nexus 1000V series switch and VNMC, the ASA 1000V allows administrative segregation across security and server teams that provides collaboration, eliminates administrative errors, and simplifies audits. The networking team defines port profiles in the Nexus 1000V VSM that are templates for switch port configuration. These port profiles automatically appear as port groups to the server team that applies networking configuration for the VMs in VMware vCenter. The security team defines policies called edge security profiles in Cisco VNMC or ASDM that are downloaded to the ASA 1000V. The security team also collaborates with the networking team by providing the edge security profile names that it has created. The networking team assigns a security profile to a port profile in VSM. The server team selects these port profiles from the VM configuration in VMware vCenter.
[Figure: the Server Admin, Network Admin, and Security Admin roles and the components they work in (VMware vCenter, Cisco Nexus 1000V, Cisco VNMC)]
After the three-way setup is complete for securing a VM, the ASA 1000V applies the security policies defined by the security profile for traffic originated by the VM or destined to the VM. If the setup is not complete, traffic from and to the VMs hits the ASA 1000V (because it is the default gateway), but the traffic is dropped. Therefore, any VM behind the ASA 1000V must have a security profile associated with it.
Note
Only VMs behind the ASA 1000V on the inside interface need to have security
profiles applied. The ASA 1000V does not support applying security profiles to
VMs on the outside network.
Figure 1-1 shows how a port profile is used by the ASA 1000V.
Figure 1-1
Port Profile Usage by ASA 1000V
As shown in Figure 1-1, VMs protected by the ASA 1000V are grouped into port profiles. Port profiles can have different security policies in the ASA 1000V. Security policies are created in Cisco VNMC using edge security profiles. These security profiles are bound to the port profiles in VSM. When the VMs are created, the port groups corresponding to the port profiles applicable to the VMs are selected in VMware vCenter.
The configuration shown in Figure 1-1 includes a VM on the outside interface of the ASA 1000V. This VM does not require a security profile applied to it in order to send and receive traffic through the ASA 1000V; it requires only the port profile and port group.
The ASA 1000V is also the default gateway for the VMs on the inside interface. The ASA 1000V assigns IP addresses to these VMs through DHCP. If IP addresses are assigned statically to the VMs instead, a VM must first send packets using its static IP address before the ASA 1000V can allow traffic from the outside VM to reach that VM on the inside interface.
Sharing Policies Using the Cisco VNMC
This section includes the following topics:
• Tenant Management and Multitenancy, page 1-5
• Resource Objects for the ASA 1000V, page 1-7
Cisco VNMC is a model-driven, multitenant, multi-device manager that allows
sharing of policies between many ASA 1000Vs. Cisco VNMC organizes objects
into five distinct folder or organization levels for tenant management.
Named policy objects can be defined at a higher level folder and referenced by
policies and objects created in lower levels. Name resolution uses a tree model in
which names are resolved starting at the level in which the name is referenced,
moving up the hierarchy towards the root.
Tenant Management and Multitenancy
Cisco VNMC provides the ability to achieve multitenancy. Multitenancy enables
the division of large physical infrastructures into logical entities called
organizations. As a result, you can achieve logical isolation between
organizations without providing a dedicated physical infrastructure for each
organization.
The administrator can assign unique resources to each tenant through the related
organization in the multitenant environment. These resources can include
different policies, pools, device profiles, firewalls, and so on. The administrator
can use locales to assign or restrict user privileges and roles by organization if
access to certain organizations needs to be restricted.
Cisco VNMC provides a strict organizational hierarchy, as shown in Figure 1-2:
1. Universe
2. Tenant
3. Virtual Data Center
4. Virtual Application
5. Tier
Figure 1-2
Organizational Hierarchy
The root can have multiple tenants. Each tenant can have multiple data centers.
Each data center can have multiple applications, and each application can have
multiple tiers.
The policies and pools created at the root level are system wide and are available
to all organizations in the system. However, any policies and pools created in an
organization are only available to organizations that are below it in the same
hierarchy.
For example, if a system has tenants named Company A and Company B,
Company A cannot use any policies created in the Company B organization.
Company B cannot access any policies created in the Company A organization.
However, both Company A and Company B can use policies and pools in the root
organization.
Resource Objects for the ASA 1000V
Cisco VNMC abstracts the devices it manages. It requires the devices to be
provisioned out-of-band. As part of provisioning, devices are configured to point
to Cisco VNMC for policy management. Cisco VNMC discovers all devices and
lists them under the Resources pane. In addition to the ASA 1000V, the Resources
pane includes other resources such as Cisco VSGs, VSMs, and VMs.
In Cisco VNMC, a logical edge firewall object must be created in the Managed
Resources pane. The Edge Firewall object type refers to the ASA 1000V and
represents a logical instance of the ASA 1000V. This object defines the inside and
outside interfaces and allows device profiles and edge device profiles to be
applied to the ASA 1000V. In addition, edge security profiles for the outside
interfaces are applied here.
The logical edge firewall object is created at a specific organization level of the
five-level hierarchy.
Policy Objects for the ASA 1000V
There are three types of top-level policy objects for the ASA 1000V. These objects can contain other policies and objects.
• Device Profiles—Includes policies that are global to the entire virtual appliance, regardless of the type of appliance. Multiple ASA 1000V instances can use the same device profile. The same device profile can be shared between Cisco VSG and the ASA 1000V. This profile type contains policies such as NTP and system log messages. Device profiles are created under the Device Configurations pane.
• Edge Device Profiles—(Global to the ASA 1000V only). Multiple ASA 1000V instances can use the same edge device profile. This profile type contains policies that are unique to the ASA 1000V only; for example, the DHCP server, routing policies that are not applicable to Cisco VSG, or other devices. This profile is created in the Service Profiles pane.
Note
The Service Profiles pane contains other profile types that are not applicable to the ASA 1000V. For example, Service Profiles only apply to Cisco VSG.
• Edge Security Profiles—Includes policies that can be applied to port profiles or VMs. Most of the firewall policies are defined in this type including ACLs, NAT, and so on. Edge security profiles can also be applied to outside interfaces of the ASA 1000V. In this case, the policies are applied to traffic from sources that do not have a security profile attached. Typically, edge security profiles are used on the outside interface of the ASA 1000V to define permit ACLs. An edge security profile is created in the Service Profiles pane.
How Policies Are Applied to the ASA 1000V
Edge firewall objects need to be associated to an ASA 1000V instance. After
association, all applicable profile types for the ASA 1000V device type are
pushed to the ASA 1000V instance. All edge profile objects that are created at the
same organization level as the edge firewall object are pushed to the device.
Note
Device profiles and edge device profiles were already identified through the edge
firewall object.
For example, if the edge firewall object is created at root/Cisco/Engineering-DC,
all edge security profiles and policies in root/Cisco/Engineering-DC are pushed
to the ASA 1000V instance. In addition, all edge security profiles and policies
created under any organization level under root/Cisco/Engineering-DC are also
pushed.
Policies can be organized at various levels for efficient management and sharing.
Associating an edge firewall at a data center level allows a single edge firewall to
protect VMs that belong to different types of applications and tiers.
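The scoping rules described in this section and in “Tenant Management and Multitenancy” (a policy is usable only by the organization that defines it and the organizations below it, a policy name is resolved from the referencing level upward toward the root, and an edge firewall receives every edge security profile at or below its own organization) can be checked against a small model. The following Python is an added example written for this guide's text; it is not Cisco VNMC code. The organization paths other than root/Cisco/Engineering-DC, and all policy and profile names, are constructed for the example.

```python
"""Toy model of Cisco VNMC's organization-tree policy scoping.

Added example, not Cisco VNMC code. Assumptions: organizations are named by
slash-separated paths under "root"; a policy defined at an organization is
usable there and everywhere below it; a policy name is resolved by walking
from the referencing organization up toward root (first match wins); an edge
firewall associated at an organization is pushed every edge security profile
defined at that level or anywhere beneath it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Org:
    path: str
    parent: Optional["Org"] = None
    children: List["Org"] = field(default_factory=list)
    policies: Dict[str, str] = field(default_factory=dict)  # policy name -> definition
    edge_security_profiles: List[str] = field(default_factory=list)


class VnmcTree:
    def __init__(self) -> None:
        self.orgs: Dict[str, Org] = {"root": Org("root")}

    def add_org(self, path: str) -> Org:
        """Create an organization, creating any missing ancestors on the way."""
        if path in self.orgs:
            return self.orgs[path]
        parent_path, _, _ = path.rpartition("/")
        if not parent_path:
            raise ValueError(f"organization paths must start with root/: {path}")
        parent = self.add_org(parent_path)
        org = Org(path, parent)
        parent.children.append(org)
        self.orgs[path] = org
        return org

    def define_policy(self, path: str, name: str, definition: str) -> None:
        self.add_org(path).policies[name] = definition

    def add_edge_security_profile(self, path: str, name: str) -> None:
        self.add_org(path).edge_security_profiles.append(name)

    def resolve_policy(self, from_path: str, name: str) -> Optional[Tuple[str, str]]:
        """Name resolution: start at the referencing org and walk up toward root.

        Returns (path of the org that defines the name, definition), or None if
        no organization between from_path and root defines it. A policy that
        lives in a sibling tenant is therefore never reachable."""
        org: Optional[Org] = self.orgs[from_path]
        while org is not None:
            if name in org.policies:
                return org.path, org.policies[name]
            org = org.parent
        return None

    def profiles_pushed_to(self, firewall_path: str) -> List[str]:
        """Edge security profiles pushed to an edge firewall associated at
        firewall_path: those at that organization and at every one below it."""
        pushed: List[str] = []
        stack = [self.orgs[firewall_path]]
        while stack:
            org = stack.pop()
            pushed.extend(f"{org.path}:{name}" for name in org.edge_security_profiles)
            stack.extend(org.children)
        return sorted(pushed)


def build_sample_tree() -> VnmcTree:
    """Constructed sample: two tenants plus the root/Cisco/Engineering-DC case from the guide."""
    tree = VnmcTree()
    tree.define_policy("root", "ntp-default", "NTP policy shared by every tenant")
    tree.define_policy("root", "web-acl", "root-level permit-web ACL")
    tree.define_policy("root/CompanyA", "web-acl", "Company A's own permit-web ACL")
    tree.define_policy("root/CompanyB", "b-only", "policy private to Company B")
    tree.add_org("root/CompanyA/DC1")
    tree.add_edge_security_profile("root/Cisco/Engineering-DC", "eng-outside")
    tree.add_edge_security_profile("root/Cisco/Engineering-DC/WebApp/Web", "web-tier")
    tree.add_edge_security_profile("root/Cisco/Finance-DC", "finance-outside")
    return tree


if __name__ == "__main__":
    t = build_sample_tree()
    print(t.resolve_policy("root/CompanyA/DC1", "ntp-default"))  # found at root
    print(t.resolve_policy("root/CompanyA/DC1", "web-acl"))      # Company A's copy shadows root's
    print(t.resolve_policy("root/CompanyA/DC1", "b-only"))       # None: Company B's policy is invisible
    print(t.profiles_pushed_to("root/Cisco/Engineering-DC"))     # Engineering-DC subtree only
```

The `resolve_policy` walk is what makes a root-level pool or policy "system wide" while keeping Company A and Company B isolated from each other; `profiles_pushed_to` is the subtree walk that sends root/Cisco/Engineering-DC's profiles, and those of every organization beneath it, to an edge firewall created at that level, but not Finance-DC's.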
Configuration Model for the ASA 1000V
The ASA 1000V includes a service interface. The ASA 1000V can receive traffic,
such as DHCP queries and SSH traffic, from the VMs on the service interface
when those VMs are configured with edge security profiles.
Note
When configuring the service interface for the ASA 1000V, you use the ASA
1000V inside interface and assign it an IP address and security level. For
information on configuring an interface, see the Cisco ASA 1000V CLI
Configuration Guide.
Each edge security profile configured for the VMs on the service interface has a
security profile interface (named “interface security-profile”). Security profile
interfaces are dynamic (they do not have an IP address) and identify the service
interface.
When configuring the ASA 1000V, attach policies such as access lists and
application inspection to the security profile interface and not to the service
interface. On the service interface, you configure only policies that terminate
traffic, such as policies for the DHCP server and SSH traffic.
When a VM sends traffic from the inside interface to the outside interface, the ASA 1000V applies the policies assigned to the security profile interface for that VM and applies the policies assigned to the outside interface. When the ASA 1000V receives outside traffic for a VM, the ASA 1000V applies the policies configured on that VM's security profile interface.
The outside, management, and failover interfaces on the ASA 1000V function the
same way that they do for other ASA releases.
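The three-way binding from “Deployment Architecture for the ASA 1000V” (security team defines the edge security profile, network team binds it to a port profile in VSM, server team places the VM in the matching port group in vCenter) and the interface evaluation order described above can be put together in a small simulation. The following Python is an added example, not Cisco code: the rule format, the VM, port profile, profile and service names, and the assumption that the outside-interface profile is checked on the outside interface in both directions are this example's own.

```python
"""Toy model of which ASA 1000V policies an edge flow is checked against.

Added example, not Cisco code. Policies are reduced to ordered
(action, service) rules with an implicit deny. VM, port-profile, profile and
service names are constructed; the ordering in forward() is this model's
reading of the guide, not a statement about the product's internals.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """A simplified edge security profile: ordered rules, implicit deny at the end."""
    name: str
    rules: List[Tuple[str, str]]  # (action, service), e.g. ("permit", "tcp/80")

    def evaluate(self, service: str) -> str:
        for action, svc in self.rules:
            if svc in (service, "any"):
                return action
        return "deny"


@dataclass
class Asa1000v:
    inside_vms: Set[str]                                                # VMs behind the inside interface
    security_profiles: Dict[str, Policy] = field(default_factory=dict)  # security team (VNMC or ASDM)
    port_profile_binding: Dict[str, str] = field(default_factory=dict)  # network team: port profile -> profile name (VSM)
    vm_port_group: Dict[str, str] = field(default_factory=dict)         # server team: VM -> port group (vCenter)
    outside_profile: Optional[Policy] = None                            # profile applied on the outside interface

    def profile_for_vm(self, vm: str) -> Optional[Policy]:
        """Follow VM -> port group -> port-profile binding -> edge security profile.
        None means one leg of the three-way setup is missing."""
        port_profile = self.vm_port_group.get(vm)
        profile_name = self.port_profile_binding.get(port_profile)
        return self.security_profiles.get(profile_name)

    def forward(self, src: str, dst: str, service: str) -> Tuple[str, str]:
        """Return ("permit" | "drop" | "n/a", reason) for one flow through the edge firewall."""
        src_inside, dst_inside = src in self.inside_vms, dst in self.inside_vms
        if src_inside == dst_inside:
            return "n/a", "not an edge flow (inter-VM traffic within a tenant is Cisco VSG's job)"
        vm = src if src_inside else dst
        profile = self.profile_for_vm(vm)
        if profile is None:
            # The flow still reaches the ASA 1000V (it is the default gateway) but is dropped.
            return "drop", f"{vm} has no edge security profile bound to its port profile"
        checks: List[Tuple[str, Policy]] = []
        if src_inside:  # inside -> outside: the VM's security-profile interface, then the outside interface
            checks.append((f"security-profile {profile.name}", profile))
            if self.outside_profile is not None:
                checks.append(("outside", self.outside_profile))
        else:           # outside -> inside: outside interface (source has no profile), then the VM's
            if self.outside_profile is not None:
                checks.append(("outside", self.outside_profile))
            checks.append((f"security-profile {profile.name}", profile))
        for iface, policy in checks:
            if policy.evaluate(service) != "permit":
                return "drop", f"{service} denied by the policy on interface {iface}"
        return "permit", f"{service} permitted by " + " and ".join(iface for iface, _ in checks)


def build_sample() -> Asa1000v:
    """Constructed sample tenant: two bound VMs, one VM whose port profile was never bound."""
    asa = Asa1000v(inside_vms={"web01", "db01", "orphan01"})
    asa.security_profiles = {
        "web-tier": Policy("web-tier", [("permit", "tcp/80"), ("permit", "tcp/443")]),
        "db-tier": Policy("db-tier", [("permit", "tcp/3306")]),
    }
    asa.outside_profile = Policy("outside-permit", [("permit", "tcp/80"), ("permit", "tcp/443")])
    asa.port_profile_binding = {"pp-web": "web-tier", "pp-db": "db-tier"}  # pp-new deliberately unbound
    asa.vm_port_group = {"web01": "pp-web", "db01": "pp-db", "orphan01": "pp-new"}
    return asa


if __name__ == "__main__":
    asa = build_sample()
    for flow in [("client", "web01", "tcp/80"), ("client", "web01", "tcp/22"),
                 ("db01", "client", "tcp/3306"), ("orphan01", "client", "tcp/80")]:
        print(flow, "->", asa.forward(*flow))
```

The `orphan01` case is the incomplete three-way setup from the architecture section: the VM is in a port group, but nobody bound an edge security profile to that port profile in VSM, so its traffic reaches the default gateway and is dropped. The `db01` outbound case shows why both interfaces matter: the VM's own profile permits the service, but the outside-interface profile does not, so the flow is still dropped.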
Predeployment Task Flow
Before deploying the ASA 1000V, you must perform the following tasks in this order:
1. Install an x86 Intel server with a 64-bit processor, listed in the VMware Hardware Compatibility List, that runs VMware vSphere Hypervisor software 4.1 or 5.0 with a minimum of two processors of at least 1.5 GHz each, 8 GB of physical RAM, and 30 GB of disk space, with an Enterprise Plus license.
2. Install VMware vCenter 4.1 or 5.0 to manage the VMware vSphere Hypervisor server, with an Enterprise Plus license.
See the VMware documentation: VMware Documentation
3. Install the VMware vSphere Client and connect it to the appropriate VMware vCenter for your Cisco Nexus 1000V deployment.
See the VMware documentation: VMware Documentation
4. Install the Cisco Nexus 1000V switch, Release 4.2(1)SV1(5.2), Virtual Supervisor Module (VSM) and Virtual Ethernet Module (VEM).
The following link provides an overview of Nexus 1000V architecture: Nexus 1000V Architecture
Use the Nexus 1000V Installation Management Center to install Nexus 1000V on your server(s). The following links describe the steps: Nexus 1000V Installation and Upgrade Guide; Nexus 1000V Installation and Upgrade Video
5. Create the necessary port profiles for your VMs, VNMC, ASA 1000V, and VSG by following the steps listed in the Cisco Nexus 1000V Port Profile Configuration Guide: Cisco Nexus 1000V Port Profile Configuration Guide
The ASA 1000V requires the following four port profiles because it has four interfaces:
– A port profile for the inside interface of the ASA 1000V that belongs to the inside VLAN
– A port profile for the outside interface of the ASA 1000V that belongs to the outside VLAN
– A port profile for the management interface
– A port profile for the failover interface, if failover is used
Each port profile must be on a different Layer 2 network.
6. Install the Cisco Virtual Network Management Center (VNMC) 2.0: Cisco VNMC Quick Start Guide
7. Register the VSM with the Cisco VNMC by downloading the Nexus 1000V Policy Agent image from the Cisco software download site and completing the steps in the “Registering a Cisco Nexus 1000V VSM” section of the following guide: Cisco VNMC Quick Start Guide
Guidelines and Limitations
Deploying the components required to support the ASA 1000V (VNMC, VSM, VSG) does not support localization (installing the components in non-English mode). Consequently, the VMware vCenter and the LDAP servers in your environment must be installed in an ASCII-compatible mode.
You must set your keyboard to United States English before installing the ASA 1000V and using the VM console.
Additional References
For more information about the individual components that comprise the ASA 1000V, see the following documentation:
• VMware: VMware Documentation
• Cisco Nexus 1000V: Cisco Nexus 1000V Documentation
• Cisco Virtual Network Management Center (VNMC): Cisco VNMC Documentation
• ASA 1000V: ASA 1000V Documentation
• ASDM: ASDM Documentation
• (Optional) Cisco Virtual Security Gateway (VSG), Version 1.4: VSG Documentation
For information about troubleshooting your ASA 1000V deployment, see the Cisco ASA 1000V Troubleshooting Guide at ASA 1000V Documentation.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
For information about the ASA 1000V features, see the following ASA 1000V documentation at:
ASA 1000V Documentation
Chapter 2
Deploying the Cisco ASA 1000V
This chapter includes the following sections:
• Information About the ASA 1000V Deployment, page 2-1
• Downloading the ASA 1000V OVA File, page 2-7
• Deploying the ASA 1000V Using the VMware vSphere Client, page 2-8
• Powering On the ASA 1000V, page 2-11
• Setting Up ASDM to Be Used by the ASA 1000V, page 2-12
• Configuring SSH Access for the ASA 1000V, page 2-13
• Other Configurations that Might Be Required, page 2-14
• What to Do Next, page 2-14
Information About the ASA 1000V Deployment
This section includes the following topics:
• About the ASA 1000V Management Modes, page 2-2
• Sequence for Configuring the ASA 1000V Using Cisco VNMC, page 2-5
• Sequence for Configuring the ASA 1000V Through ASDM, page 2-6
About the ASA 1000V Management Modes
When you deploy the ASA 1000V, you must choose the management mode: either
the Cisco VNMC or ASDM management mode.
Note
The management modes are mutually exclusive; you cannot use the Cisco VNMC and ASDM management modes on the same deployment.
After deploying the ASA 1000V, you cannot change the management mode
without redeploying the ASA 1000V with the VMware vSphere Client.
When the ASA 1000V deployment consists of a failover pair, both the primary
and secondary ASA 1000V must use the same management mode.
Determining Which Management Mode to Configure for the ASA 1000V
Configure the ASA 1000V to use VNMC management mode when you plan to do the following tasks with the ASA 1000V:
• Use a single graphical user interface to manage Cisco VSG, ASA 1000V, and other cloud products from Cisco.
• Manage many ASA 1000Vs from a single management station.
• Provide tenant access to policies through RBAC in a multitenant data center.
• Share policies between devices (rapid provisioning of policies).
• Use model-based policies and the XML API to configure the ASA 1000V.
Table 2-1 provides a detailed list of the benefits of using Cisco VNMC as your management mode for the ASA 1000V.
Table 2-1
Benefits of Using VNMC Management Mode
Feature: Multiple Device Management
Description: Cisco VNMC provides central management of Cisco ASA 1000V and Cisco VSG for Cisco Nexus 1000V Series Switches.
Benefit: Simplifies provisioning and troubleshooting in a scaled-out data center.
Feature: Edge Security Profiles
Description: An edge security profile represents the Cisco ASA 1000V security policy configuration in a profile.
Benefit: Simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and enables a highly scaled-out data center environment.
Feature: Dynamic Security Policy and Zone Provisioning
Description: Cisco VNMC interacts with the Cisco Nexus 1000V Series VSM to bind the edge security profile to the corresponding Cisco Nexus 1000V series port profile. When virtual machines are dynamically instantiated by server administrators and appropriate port profiles are applied, their association with trust zones is also established.
Benefit: Helps enable edge security profiles to stay aligned with rapid changes in the virtual data center.
Feature: Multitenant (Scale-out) Management
Description: Cisco VNMC is designed to manage security policies for Cisco ASA 1000V and Cisco VSG in a dense, multitenant environment so that administrators can quickly add and delete tenants and update tenant-specific configurations and security policies.
Benefit: Simplifies management of a highly dynamic virtual environment, reduces administrative errors, helps ensure the segregation of duties in administrative teams, and simplifies audit procedures.
Feature: Role-based Access Control (RBAC)
Description: RBAC simplifies operation tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures.
Benefit:
• Reduces administrative errors.
• Enables detailed control of user privileges.
• Simplifies auditing requirements.
Feature: XML-based API
Description: The Cisco VNMC XML API allows external system management and orchestration tools to programmatically provision the ASA 1000V and Cisco VSG.
Benefit:
• Allows use of best-in-class management software.
• Offers transparent and scalable operation management.
Feature: Context-aware Security Policies
Description: Cisco VNMC obtains virtual machine contexts from VMware vCenter.
Benefit: Allows security administrators to institute highly specific policy controls across the entire virtual infrastructure based on VM attributes for Cisco VSG.
If you selected the Cisco VNMC as the management mode (this is the default
setting during deployment), see the Cisco Virtual Network Management Center
2.0 User Guide for additional information after completing the procedures in this
guide.
Configure the ASA 1000V to use the ASDM management mode when you plan to do the following tasks with the ASA 1000V:
• Manage one device at a time using the familiar ASA configuration.
• Configure policies through the ASA 1000V CLI.
If you selected the ASDM as the management mode for the ASA 1000V, use the Cisco ASA 1000V ASDM Configuration Guide or the Cisco ASA 1000V CLI Configuration Guide for the procedures to configure security policies. Selecting the ASDM mode also allows access to the ASA 1000V CLI.
Sequence for Configuring the ASA 1000V Using Cisco VNMC
Figure 2-1 describes the configuration steps for the ASA 1000V when using the
VNMC management mode.
Figure 2-1
Configuring the ASA 1000V by Using Cisco VNMC
For information about completing task 1, see the “Deploying the ASA 1000V
Using the VMware vSphere Client” section on page 2-8 and “Registering the
ASA 1000V with the Cisco VNMC” section on page 3-1.
For information about completing tasks 2 through 3 in the Cisco VNMC, see the
Cisco Virtual Network Management Center 2.0 Quick Start Guide or the Cisco
Virtual Network Management Center 2.0 GUI Configuration Guide.
For information about completing tasks 4 through 5 in the Cisco VNMC, see the
Cisco Virtual Network Management Center 2.0 GUI Configuration Guide.
For information about tasks 6 through 9, see the “Adding the ASA 1000V as an
Edge Firewall in the Cisco VNMC” section on page 3-2.
For information about task 10, see the “Configuring Security Profiles in VSM”
section on page 3-4.
Sequence for Configuring the ASA 1000V Through ASDM
Figure 2-2 describes the configuration steps for the ASA 1000V when using the ASDM management mode.
Figure 2-2
Configuring the ASA 1000V by Using ASDM
For information about task 1, see the “Deploying the ASA 1000V Using the VMware vSphere Client” section on page 2-8 and the “Registering the ASA 1000V Using ASDM” section on page 4-4.
For information about adding a user account in VNMC in task 2, see the following guide:
Cisco VNMC GUI Configuration Guide
Note
You can use the administrator account that you created while installing VNMC.
For information about task 3, see the “Registering the ASA 1000V Using ASDM” section on page 4-4.
For information about task 4, see the “Creating and Configuring Edge Security Profiles in ASDM” section on page 4-7.
For information about task 5, see the “Configuring Security Profiles in VSM” section on page 3-4.
Downloading the ASA 1000V OVA File
You deploy the ASA 1000V by downloading and installing the open virtualization
format archive (OVA) file provided by Cisco. The OVA file provides for the
optimal VM resources (vCPU, memory and MHz) for the ASA 1000V. The OVA
file contains the ASA 1000V image for installation.
Detailed Steps
Step 1
Go to the following URL:
Download Software
The Download > Select a Product page appears.
Step 2
Click Cisco ASA 1000V Cloud Firewall. The Download Software page appears
for the ASA 1000V.
Step 3
Click Download.
Step 4
If prompted, log into your Cisco.com account with your CCO username and
password.
Step 5
Follow the prompts to download the OVA file for the ASA 1000V to your local
drive.
Deploying the ASA 1000V Using the VMware vSphere Client
To deploy the ASA 1000V, use the VMware vSphere Client and a template file in
the open virtualization format (OVF). You use the Deploy OVF Template wizard
in the vSphere Client to deploy the Cisco package for the ASA 1000V. Running
the wizard parses the ASA 1000V OVF file, creates the virtual machine on which
you will run the ASA 1000V, and installs the package.
Most of the wizard steps are standard for VMware, with the exception of the
configuration settings that are applied to the ASA 1000V before it boots up.
Note
During OVF template file deployment, 2 GB of storage is allotted to maintain
system, configuration, and image files on the ASA 1000V. These files appear in
disk0: on the ASA 1000V.
For additional information about the Deploy OVF Template, see the VMware
vSphere Client help.
Note
When you deploy the ASA 1000V using ASDM Management mode, all clients
from the locally connected subnet of the management interface are allowed by
default.
Prerequisites
Collect the following information for the deployment. The ASA 1000V
deployment requires that you enter this information at specific deployment steps.
• The username and password login for the Cisco VNMC (required when configuring the ASA 1000V in ASDM mode)
• The shared secret configured on Cisco VNMC for the ASA 1000V deployment
• The ASA 1000V management IP, management subnet mask, and management gateway IP address
• The Management Gateway IP address when Cisco VNMC is not directly connected to the management network of the ASA 1000V. When Cisco VNMC is directly connected to the network, skip this entry.
Detailed Steps
Step 1
Launch the VMware vSphere Client and choose File > Deploy OVF Template.
The Deploy OVF Template wizard appears.
Step 2
In the Deploy from a file or URL field, browse to the ASA 1000V OVF package
that you downloaded, then click Next.
Step 3
In the OVF Template Details page, review the information for the ASA 1000V
package, then click Next.
Step 4
Review and accept the End User License Agreement, then click Next.
Step 5
In the Name field, enter a name for the ASA 1000V virtual machine (VM)
instance, choose the inventory location for the VM, then click Next.
Step 6
Choose one of the following deployment configurations for the ASA 1000V, then
click Next:
• Deploy ASA as Standalone—Failover is not configured for the ASA 1000V.
• Deploy ASA as Primary—The ASA 1000V is configured as the primary unit for failover.
• Deploy ASA as Secondary—The ASA 1000V is configured as the secondary unit for failover.
Choosing the type of deployment configures the ASA 1000V as a standalone
deployment or for failover as part of a failover pair.
Step 7
Choose the host or cluster on which you want to run the ASA 1000V, then click
Next.
Step 8
Choose the datastore on the host or cluster on which you want to maintain the
ASA 1000V files, then click Next. Each hard disk on the physical device shows
up as a datastore.
Step 9
Choose the disk storage format, then click Next.
Step 10
Choose the port profiles that you want to use for the ASA 1000V interfaces by
mapping the networks used in the OVF template to networks in your inventory.
You created these port profiles when installing the Nexus 1000V.
Note
If you did not create the port profiles, pause the ASA 1000V deployment,
return to the VSM console, create the required port profiles for the four
ASA 1000V interfaces: inside, outside, management, and high
availability (failover). For detailed information, see the “Predeployment
Task Flow” section on page 1-11 in Step 5. After the port profiles have
been created, return to the ASA 1000V deployment. Then click Next.
Note
After deploying the ASA 1000V, network adapters are created in the
following order:
• Network Adapter1—Management 0/0
• Network Adapter2—GigabitEthernet 0/0 (used as the inside interface)
• Network Adapter3—GigabitEthernet 0/1 (used as the outside interface)
• Network Adapter4—GigabitEthernet 0/2 (used as the failover interface)
The port profiles are obtained through the VMware vCenter Server connection to
the Cisco Nexus 1000V Virtual Supervisor Module (VSM).
Step 11
Set the following configuration properties that are applied to the ASA 1000V
before it boots up, then click Next:
• Management Interface DHCP mode
• Management IP Address
• Management IP Subnet Mask
• Management IP Standby Address
Note
When configuring these management address properties, choose whether to
configure Interface DHCP mode, or the IP Address, IP Subnet Mask, and IP
Standby Address.
• Choose the device manager.
Note
The management mode cannot be changed later without deleting the entire
configuration and rerunning the Deploy OVF Template wizard.
Note
When deploying the ASA 1000V in failover configuration, both the primary
and secondary units must be configured using the same management mode.
• Cisco VNMC IP Address
Note
If you are configuring the ASA 1000V for a failover deployment, you must
also configure failover-specific information, such as the failover IP
address, standby IP address, and the subnet mask information. For a
standalone deployment, leave these parameters blank.
Step 12
Review the summary of the ASA 1000V configuration, then click Finish.
The ASA 1000V VM instance appears under the specified data center.
After deploying the ASA 1000V using an OVF file, you can still run the ASA
1000V setup command at the CLI to complete configuration options you might
have skipped in this procedure. See the Command Reference for more
information.
Completing this procedure does not result in a functionally deployed ASA 1000V
until you configure the device enable password, the Cisco VNMC shared secret,
and the Cisco VNMC user account (for ASDM mode only).
Powering On the ASA 1000V
Detailed Steps
Step 1
From the VMware vSphere Client, right-click the ASA 1000V instance that you
have deployed in the Hosts and Clusters view.
Step 2
Choose Power > Power On.
Step 3
Navigate to the ASA 1000V Console tab in the right pane.
The ASA 1000V bootstraps platform information from the OVF file when first
powered on. The ASA 1000V reboots automatically after this bootstrap and
initializes for use. The initial boot reads parameters provided through the OVF file
and adds them to the ASA 1000V system configuration. The OVF parameters are
not read afterwards. Subsequent reboots will behave normally.
Setting Up ASDM to Be Used by the ASA 1000V
You can set up ASDM to be used by the ASA 1000V when it is configured for
either VNMC management mode or ASDM management mode. When the ASA
1000V is configured to use VNMC management mode, you can still use ASDM
to monitor the status of the ASA 1000V, but you cannot use it to manage
configurations.
Detailed Steps
Step 1
Launch the ASA 1000V console from the VMware vSphere Client.
Step 2
Add a route on the management interface to the ASDM client subnet by issuing
the following command:
ASA1000V(config)# route interface ip subnet next hop ip
Where interface is the management interface that faces the ASDM client subnet,
ip is the IP address of the host or network that accesses ASDM, subnet is its
subnet mask, and next hop ip is the IP address of the gateway.
Note
Perform this step only if the next hop gateway IP address was not
specified when deploying the ASA 1000V.
Step 3
Allow HTTP access via the management interface for the ASDM client subnet by
entering the following command:
ASA1000V(config)# http ip subnet interface
Where ip is the IP address of the host that accesses ASDM, subnet is the subnet
mask that defines which hosts can access the HTTP server, and interface is the
ASDM client interface.
Note
Perform this step only if the ASDM client IP address was not specified
when deploying the ASA 1000V.
Configuring SSH Access for the ASA 1000V
Configure SSH access with LOCAL authentication so that you can access the
ASA 1000V.
Detailed Steps
Step 1
Launch the ASA 1000V console from the VMware vSphere Client.
Step 2
Create a user name by entering the following command:
username name password password privilege priv_level
For example, enter the following command:
username admin password 12345678 privilege 15
Step 3
Enable LOCAL SSH authentication by entering the aaa authentication console
command:
aaa authentication ssh console LOCAL
Step 4
Enable SSH by entering the following command:
ssh ip_address mask management
For example, enter the following command:
ssh 1.1.1.1 255.255.255.255 management
Note
When you deploy the ASA 1000V, the deployment process automatically
generates RSA key pairs for identity certificates; however, you can remove the
default key pairs by using the crypto key zeroize rsa command and generate new
key pairs by using the crypto key generate rsa command.
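The management-access bootstrap from the two preceding procedures (ASDM route and HTTP access, then SSH with LOCAL authentication) with concrete values, as an added example that is not from the Cisco guide. All addresses, the account name and the password are constructed placeholders, and the http server enable, ssh version, ssh timeout and crypto key generate rsa modulus commands are standard ASA commands assumed to be available on this release.

```cisco
! Added example, not from the Cisco guide. All values are constructed:
! the ASA 1000V management interface (named "management", case sensitive)
! is 198.51.100.10/24, its gateway is 198.51.100.1, the ASDM/SSH
! workstation is 192.0.2.25 on the 192.0.2.0/24 subnet, and the account
! name and password are placeholders to replace with your own.
!
! Route to the ASDM client subnet via the management interface. Skip this
! if the next-hop gateway was already supplied in the Deploy OVF Template
! wizard.
route management 192.0.2.0 255.255.255.0 198.51.100.1 1
!
! ASDM access: enable the HTTPS server and admit only the one workstation.
http server enable
http 192.0.2.25 255.255.255.255 management
!
! Weak variant, shown for contrast and not applied: a 0.0.0.0 0.0.0.0 entry
! admits every address that can reach the management interface.
!   http 0.0.0.0 0.0.0.0 management
!
! SSH with LOCAL authentication, limited to the same workstation.
username asa-admin password Replace-Me-Example1 privilege 15
aaa authentication ssh console LOCAL
ssh 192.0.2.25 255.255.255.255 management
ssh version 2
ssh timeout 10
!
! Replace the key pair generated at deployment with a 2048-bit pair. Run
! this from the vSphere console rather than over SSH, because it replaces
! the key that the SSH server presents.
crypto key zeroize rsa
crypto key generate rsa modulus 2048
!
! Confirm what was applied, then save it to the startup configuration.
show running-config route
show running-config http
show running-config ssh
show crypto key mypubkey rsa
write memory
```

The http and ssh entries are per-host here; widen the mask only to the subnet that actually hosts your administrators, and keep both bound to the management interface.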
Other Configurations that Might Be Required
Depending on your environment, you might be required to perform these
additional configuration tasks:
• Configure routes through the management interface by using the route command. Routes through the inside and outside interfaces are configured by using Cisco VNMC. You must name the management0/0 interface management (case sensitive).
• Enable failover for the ASA 1000V. See the Cisco ASA 1000V CLI Configuration Guide for information.
What to Do Next
If you deployed the ASA 1000V to use the VNMC management mode, see
Chapter 3, “Setting Up the ASA 1000V Using VNMC Mode.”
If you deployed the ASA 1000V to use the ASDM management mode, see
Chapter 4, “Configuring the ASA 1000V Using ASDM.”
For information about troubleshooting your ASA 1000V deployment, see the
Cisco ASA 1000V Troubleshooting Guide at ASA 1000V Documentation.
Chapter 3
Setting Up the ASA 1000V Using VNMC Mode
You must configure the ASA 1000V with Cisco VNMC information so that the
ASA 1000V can connect to the Cisco VNMC. You must perform this task for both
Cisco VNMC and ASDM management modes.
This section includes the following topics:
• Registering the ASA 1000V with the Cisco VNMC, page 3-1
• Adding the ASA 1000V as an Edge Firewall in the Cisco VNMC, page 3-2
• Configuring Security Profiles in VSM, page 3-4
• Launching ASDM from Cisco VNMC to Monitor the ASA 1000V, page 3-6
Registering the ASA 1000V with the Cisco VNMC
Prerequisites
The registration address provided for the Cisco VNMC must be reachable via the
management0/0 interface. Additionally, the ASA 1000V must be able to connect
to the Cisco VNMC via HTTPS.
You must synchronize the clocks on the ASA 1000V and the Cisco VNMC. You
can manually synchronize the clock on the ASA 1000V by using the clock set
command. When the ASA 1000V is powered on for the first time, it gets its clock
settings from the ESX/ESXi host. You can set the clock on the ESX/ESXi hosts
to the correct value before starting the ASA 1000V and Cisco VNMC.
Detailed Steps
Step 1
From the Hosts and Clusters view, choose the ASA 1000V instance that you
deployed, and click the Console tab.
Step 2
Enter the following Cisco VNMC configuration on the console:
ASA1000V(config)# vnmc policy-agent
ASA1000V(config-vnmc-policy-agent)# registration host ip_address
Where ip_address is the IP address or hostname of the host on which the Cisco
VNMC is running. The IP address may have already been provided through OVF
deployment.
ASA1000V(config-vnmc-policy-agent)# shared-secret key
Where key is the shared secret for authentication of the ASA 1000V connection
to the Cisco VNMC.
Note
The IP address and shared secret you specify must match what was
configured in Cisco VNMC.
Step 3
Save the configuration to startup by entering the write mem command.
Adding the ASA 1000V as an Edge Firewall in the Cisco VNMC
Perform this task only when configuring ASA 1000V for the VNMC management
mode.
From the VMware vSphere Client, obtain the IP address that you entered for the
host running the ASA 1000V VM. You set this IP address when you configured
the ASA 1000V management IP address in the Deploy OVF Template wizard. See
the “Deploying the ASA 1000V Using the VMware vSphere Client” section on
page 2-8.
Note
In the Cisco VNMC, you must have already created the tenant on which you want
to associate the ASA1000V. See the Cisco VNMC documentation for instructions.
Detailed Steps
Step 1
Log into the Cisco VNMC.
Step 2
Choose Resource Management > Managed Resources > Firewalls > root >
tenant > Edge Firewalls; where tenant is the logical entity under which you want
to associate the ASA 1000V as an edge firewall.
In the Cisco VNMC, multitenancy enables the division of large physical
infrastructures into logical entities. You can assign unique resources to each
tenant through the related organization in the multitenant environment. See the
Cisco VNMC documentation for tenant management information.
Note
To perform this step, you must have at least one tenant defined in the
Cisco VNMC.
Step 3
In the Edge Firewalls pane, click Add Edge Firewall.
The Add Edge Firewall dialog box appears.
Step 4
Name the logical edge firewall.
Step 5
Under Interfaces, click Add Data Interface to add the inside and outside data
interfaces for the logical edge firewall. For the outside interface, enable and select
an edge profile that applies to all traffic coming in and going out of the outside
interface. For the inside interface, there is no need for an edge profile. See the
Cisco VNMC documentation for data interface information.
Step 6
Click OK to close the Add Data Interfaces dialog box and save the interface.
The ASA 1000V edge firewall instance appears in the right pane under the ASA
1000V tenant.
Step 7
Enable and select a device profile if required in the Firewall Settings pane.
Step 8
Enable and select an edge device profile, if required, in the Firewall Settings pane.
Step 9
In the left pane, select the logical edge firewall you have added, and click Assign
ASA 1000V in the right pane.
The Assign ASA 1000V dialog box appears.
Step 10
Choose the Virtual-ASA Management IP address from the drop-down list, then
click OK.
The IP address appears in the drop-down list because you entered the ASA 1000V
vnmc policy-agent command in the “Registering the ASA 1000V with the Cisco
VNMC” section on page 3-1. You must set the virtual ASA management IP
address to specify under which tenant to deploy the ASA 1000V.
Step 11
(Recommended) Verify that the ASA 1000V is configured to communicate with
the Cisco VNMC by selecting the logical edge firewall instance in the left pane,
then from the General tab, check these fields for the following values:
• Config State: applied
• Association Status: associated
• Reachable: yes
Verify that the Operational State is OK by clicking the Task link in the right-hand
side under ASA 1000V Details, then click the General tab.
Configuring Security Profiles in VSM
For each port profile in the VSM, you configure a vservice that determines which
ASA 1000V the Cisco Nexus 1000V switch uses for that port profile and which
edge security profile to apply to all the VMs that belong to the port profile. The
Cisco VNMC generates a unique security profile ID (SPID) for each edge security
profile. The VEM determines which edge security profile to apply for a given
packet based on the port profile configuration.
The vservice configured for a port profile controls which SPID to use and to
which ASA 1000V to forward packets. The ASA 1000V uses the SPID in the
packet to know which policies to apply to the packet.
Detailed Steps
Step 1
Log into the VMware vSphere Client.
Step 2
Choose the VSM from the Hosts and Clusters view, then click the Console tab.
The VSM is the control software for the Cisco Nexus 1000V.
The VSM is also deployed as a VM.
Step 3
Match the IP address of the inside interface for the ASA 1000V with the IP
address configured on the VSM for the vservice of the port profiles. Match these
IP addresses by entering the following commands in configuration mode:
switch(config)# vservice node vservice_name type asa
Where vservice_name is the name of the ASA 1000V.
switch(config)# ip address inside_interface_ip_address
Where inside_interface_ip_address is the inside IP address of the ASA 1000V.
These IP addresses must match so that packets are correctly forwarded to the ASA
1000V by the Cisco Nexus 1000V.
Step 4
Set up the VLAN on which the ASA 1000V’s inside interface is connected by
entering the following command:
switch(config)# adjacency l2 vlan vlan_number
Where vlan_number is the VLAN of the ASA 1000V inside interface.
Because the ASA 1000V is the default gateway for the inside VMs, it is connected
to the same VLAN as the VMs.
Note
For VXLAN, provide VXLAN information instead of VLAN
information. See the following guide:
Cisco Nexus 1000V VXLAN Configuration Guide
Step 5
Create a port profile for the VMs and attach the vservice to the port profile by
entering the following commands:
switch(config)# port-profile type vethernet port_profile_name
switch(config-port-prof)# vservice node vservice_name profile edge_profile_name
switch(config-port-prof)# org org_path
Where edge_profile_name is the name of the edge security profile created in the
Cisco VNMC and org_path is the organization hierarchy in the Cisco VNMC in
which ASA 1000V is created; for example, root/tenant1/datacenter1.
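The vservice binding from Steps 3 through 5 carried out with concrete values on the VSM, as an added example that is not from the Cisco guide. The node name, VLAN, inside IP address, port profile name, edge security profile name and organization path are constructed, and the switchport, no shutdown, state enabled and vmware port-group commands are standard Nexus 1000V port-profile commands assumed to apply here.

```cisco
! Added example, not from the Cisco guide. Constructed values: the
! ASA 1000V inside interface is 10.10.10.1 on VLAN 110, the edge security
! profile "web-esp" was created in Cisco VNMC under root/tenant1/datacenter1,
! and "tenant1-web" is the port profile the protected VMs will use.
!
! Step 3: the vservice node address must equal the ASA 1000V inside
! interface address; otherwise the VEM cannot forward vPath traffic to it.
switch(config)# vservice node ASA1000V-T1 type asa
switch(config-vservice-node)# ip address 10.10.10.1
! Step 4: the ASA 1000V inside interface is the VMs' default gateway, so it
! sits on the same VLAN as the VMs it protects.
switch(config-vservice-node)# adjacency l2 vlan 110
switch(config-vservice-node)# exit
!
! Step 5: port profile for the VMs, bound to the vservice node and to the
! edge security profile; the org path must match the VNMC hierarchy in
! which this ASA 1000V was created.
switch(config)# port-profile type vethernet tenant1-web
switch(config-port-prof)# switchport mode access
switch(config-port-prof)# switchport access vlan 110
switch(config-port-prof)# vservice node ASA1000V-T1 profile web-esp
switch(config-port-prof)# org root/tenant1/datacenter1
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# vmware port-group
switch(config-port-prof)# exit
!
! Verify the node and the binding before attaching VMs to the port profile.
switch# show vservice brief
switch# show running-config port-profile tenant1-web
```

A VM attached to this port profile that gets no security profile ID applied is the first symptom to check when the vservice IP address or VLAN does not match the ASA 1000V inside interface.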
Note
When installing the Nexus 1000V, you created port profiles for the four
ASA 1000V interfaces: inside, outside, management, and high
availability (failover). For detailed information, see the “Predeployment
Task Flow” section on page 1-11 in Step 5.
For more information about configuring port profiles, see the Cisco Nexus 1000V
documentation:
Cisco Nexus 1000V Port Profiles Configuration Guide
For more information about the organization in the Cisco VNMC, see the Cisco
VNMC documentation:
• Cisco VNMC CLI Configuration Guide
• Cisco VNMC GUI Configuration Guide
Launching ASDM from Cisco VNMC to Monitor the ASA 1000V
VNMC 2.0 enables you to launch ASDM as a Web Start application on your
desktop.
Note
Complete this task only when you have configured the ASA 1000V to use the
VNMC management mode. When you launch ASDM from Cisco VNMC, you can
only use ASDM to monitor the ASA 1000V. You cannot use ASDM launched
from Cisco VNMC to configure policies. Only monitoring is supported in VNMC
management mode.
Prerequisites
Before completing this task, you must have configured VNMC management mode
for ASA 1000V and enabled ASDM to be launched from VNMC.
Note
If you configured the ASA 1000V to run in VNMC management mode, you can
launch ASDM from VNMC for monitoring only.
See the “Information About the ASA 1000V Deployment” section on page 2-1.
For more information, see the “Setting Up ASDM to Be Used by the ASA 1000V”
section on page 2-12.
Detailed Steps
Step 1
Log into the VNMC.
Step 2
Choose Resource Management > Resources > Firewalls > All ASA 1000Vs >
virtual-asa where virtual-asa is the edge firewall for which you want to launch
ASDM.
Step 3
Click Launch ASDM in the upper-right corner of the screen.
Step 4
In the ASDM Launch screen, click Run ASDM.
ASDM opens in a new browser window on your desktop.
Chapter 4
Configuring the ASA 1000V Using ASDM
ASDM is a graphical user interface that allows you to manage the ASA 1000V
from any location through a web browser. With ASDM, you can use wizards to
configure basic and advanced features.
This chapter includes the following sections:
• Launching ASDM, page 4-1
• Running the Startup Wizard in ASDM, page 4-3
• Registering the ASA 1000V Using ASDM, page 4-4
• Creating and Configuring Edge Security Profiles in ASDM, page 4-7
• Creating Security Profiles in VSM in ASDM Mode, page 4-8
• Making Internal Services Accessible from the Internet, page 4-8
• Running the Site-to-Site Wizard to Configure VPN Tunnels, page 4-10
• Other Wizards in ASDM, page 4-11
• Advanced Configuration, page 4-11
Launching ASDM
You can launch ASDM for the ASA 1000V after completing the tasks in the
“Setting Up ASDM to Be Used by the ASA 1000V” section on page 2-12.
See the Cisco ASA 1000V ASDM Release Notes for the requirements to run
ASDM.
Detailed Steps
Step 1
In the Address field, enter the following URL:
https://ip_address_of_management_interface/admin
The Cisco ASDM web page appears.
Step 2
Click Run Startup Wizard.
Step 3
Accept any certificates according to the dialog boxes that appear.
The Cisco ASDM-IDM Launcher appears.
Step 4
Leave the username and password fields empty, and click OK.
The main ASDM window appears and the Startup Wizard opens.
Running the Startup Wizard in ASDM
Run the Startup Wizard to modify the existing configuration so that you can
customize the security policy to suit your deployment.
Detailed Steps
Step 1
In the main ASDM window, choose Wizards > Startup Wizard.
Step 2
Follow the instructions in the Startup Wizard to configure your ASA 1000V.
Step 3
While running the wizard, you can accept the default settings or change them as
required. (For information about any wizard field, click Help.)
Registering the ASA 1000V Using ASDM
When ASDM is used to manage policies for the ASA 1000V, the Cisco VNMC
appliance must be installed because it coordinates the creation and use of security
profiles between Cisco Nexus 1000V and the ASA 1000V. For this reason, the
ASA 1000V should be configured with a user account that has privileges to create
and delete security profiles in Cisco VNMC.
See the Cisco VNMC documentation for information about creating user
accounts.
Detailed Steps
Step 1
Choose Configuration > Device Setup > Interfaces. The Interfaces panel
appears.
Step 2
If necessary, expand the VNMC parameters section by clicking the Show VNMC
Parameters section bar. The VNMC Access Parameters section appears.
Step 3
In the Host Address field, enter the IP address or hostname of the host on which
the Cisco VNMC is running. The IP address might have been provided already
through OVF deployment.
Step 4
In the Username and Password fields, enter the username and password that are
the login credentials for the Cisco VNMC. The credentials must allow creation
and deletion of all objects in Cisco VNMC.
Step 5
Under Shared Secret, enter and verify the shared secret for encryption of the ASA
1000V connection to the Cisco VNMC. The shared secret that you specify must
match what was configured during Cisco VNMC OVF deployment.
Step 6
Under Organizational Path, enter an Organization Path for this instance of the
ASA 1000V.
As shown above, the ASA 1000V is configured with root/Fanta-ASDM. The ASA
1000V is attached as an edge firewall for the tenant called Fanta-ASDM under
root in Cisco VNMC. (You can also create nested paths, such as
root/tenant1/datacenter1/application1/tier1/ASA1.)
Each ASA 1000V instance must belong to a different organization hierarchy in
Cisco VNMC so that profiles created by one ASA 1000V do not collide with those
created by another ASA 1000V. The organization hierarchy can be thought of as
an absolute path name of a file in a file system starting at root.
Each ASA 1000V (including those ASA 1000Vs managed through Cisco VNMC)
must be configured using a unique path name that does not collide with any other
ASA 1000V, including those that are managed through VNMC.
Note
Policies created in Cisco VNMC at the same level do not work on an ASA
1000V managed through ASDM.
Step 7
Under Security Profiles, click Add.
The Add Security Profile dialog box appears.
Step 8
Complete the fields in the Add Security Profile dialog box to specify the physical
interface to use for sending or receiving vPath traffic from the Cisco Nexus
1000V. The interface name you specify allows vPath traffic to enter the ASA
1000V.
Creating and Configuring Edge Security Profiles in ASDM
Edge security profiles are created in ASDM, then sent to the ASA 1000V. ASDM
does not include options to configure Cisco VNMC device profiles or edge device
profiles. Policies that belong to these profiles are natively configured through
ASDM.
For the steps to create edge security profiles in ASDM, see step 7 in Registering
the ASA 1000V Using ASDM, page 4-4.
An edge security profile is created by creating an interface security profile and
assigning a security profile name to it. A security profile defined in ASDM creates
an edge security profile with the same name in Cisco VNMC automatically, and
it can be used in port profiles.
Each ASA 1000V instance must also belong to a different organization hierarchy
in Cisco VNMC so that profiles created by one ASA 1000V do not collide with
those created by another ASA 1000V. The organization hierarchy can be thought
of as an absolute path name of a file in a file system starting at root.
Each ASA 1000V (including those ASA 1000Vs managed through Cisco VNMC)
must be configured using a unique path name that does not collide with any other
ASA 1000V, including those that are managed through VNMC.
For example, the ASA 1000V is configured with
root/tenant1/DC1/App1/ASA-51. The ASA 1000V is attached as an edge firewall
for the tenant tenant1 under root/tenant1/DC1/App1/ASA-51 in Cisco VNMC.
Policies created in Cisco VNMC at the same level do not work on an ASA 1000V
managed through ASDM.
Creating Security Profiles in VSM in ASDM Mode
Follow the steps in the “Configuring Security Profiles in VSM” section on
page 3-4 to complete this task.
Making Internal Services Accessible from the Internet
The Public Server pane automatically configures the security policy to make an
inside server accessible from the Internet. As a business owner, you might have
internal network services, such as a web or FTP server, that need to be available
to an outside user. You can place these services behind the ASA 1000V on a public
server in the inside network. The ASA 1000V can allow outside access to its
public servers. Any attacks launched against the public servers do not affect your
inside networks.
Detailed Steps
Step 1
In the main ASDM window, choose Configuration > Firewall > Public Servers.
The Public Server pane appears.
Step 2
Click Add, then enter the public server settings in the Public Server dialog box.
(For information about any field, click Help.)
Step 3
Click OK.
The server appears in the list.
Step 4
Click Apply to submit the configuration to the ASA 1000V.
Running the Site-to-Site Wizard to Configure VPN Tunnels
The VPN Wizard helps you configure basic IPsec site-to-site VPN connections.
Detailed Steps
Step 1
In the main ASDM window, choose Wizards > VPN Wizards > Site-to-Site
VPN Wizard.
Step 2
Follow the wizard instructions. (For information about any wizard field, click
Help.)
Other Wizards in ASDM
You can optionally run the following additional wizards in ASDM:
• High Availability and Scalability Wizard—Configures active/standby failover.
• Packet Capture Wizard—Configures and runs captures. The wizard runs one capture on each of the ingress and egress interfaces. After capturing packets, you can save the captures to your PC for examination and replay in the packet analyzer.
Advanced Configuration
To continue configuring your ASA 1000V, see the Cisco ASA 1000V CLI
Configuration Guide or the Cisco ASA 1000V ASDM Configuration Guide at:
ASA 1000V Documentation
Chapter 5
FAQs About the ASA 1000V
This document provides answers to the most frequently asked questions (FAQs)
related to the ASA 1000V solution and deployment.
• Can two ASA 1000Vs have the same IP addresses if they belong to the same tenant hierarchy?
• What is the expected behavior if multiple VMs in the same tenant/datacenter/vApp/tier have the same IP address?
• In the Cisco Nexus 1000V, do you configure vservice node, security profile, or org configuration for the inside interface of the ASA 1000V?
• When I configure Cisco VNMC policy agent parameters on the ASA 1000V, what CLI output can I expect to see?
• Can I connect the ASA 1000V to the Cisco VNMC with the management interface only, or can I use the inside interface or outside interface as well?
• Should Cisco VNMC be directly connected to the ASA 1000V management interface?
• Can you use the ASA 1000V CLI to change the ASA 1000V management mode from ASDM to VNMC or from VNMC to ASDM after deploying the ASA 1000V?
• Do I need to install a license file on ASA 1000V for it to work?
• I have an ASA 1000V deployed in VNMC mode and have policies created in the VNMC Security Profiles section, but I do not see the policies getting applied on the ASA 1000V.
• Can I have some VM hosts on the inside network that are assigned dynamic IP addresses via DHCP and some that are assigned static IP addresses?
• Why does packet tracer/capture show security profile information for packets coming from VM hosts on the inside network?
• When I ping from an inside VM host to the ASA 1000V inside IP address and capture packets, I see only ICMP echo request packets.
• The VM hosts on my inside network have two interfaces (virtual NICs). Can each of these interfaces belong to a different tenant?
• Because the ASA 1000V has inside and outside interfaces (except management and failover), can the inside interface serve as a trunk interface to carry multiple VLANs in the tenant?
• In Cisco VNMC, when I delete the edge security profile associated with my VM hosts, can I recreate it using the same name?
• After entering the no vnmc org org_name command in ASDM mode, can I recreate the same organization structure using the same security profile names for all security profile interfaces?
• My ASA 1000V is deployed in VNMC Mode. I mistakenly deleted the ASA 1000V edge firewall in Cisco VNMC. What do I do?
• My ASA 1000V is deployed in ASDM Mode. I mistakenly deleted the ASA 1000V edge firewall in Cisco VNMC. What do I do?
• In Cisco VNMC, do I have to configure both an edge security profile and an edge device profile to configure VPN on ASA 1000V?
For information about troubleshooting your ASA 1000V deployment, see the Cisco ASA 1000V Troubleshooting Guide at ASA 1000V Documentation.
Questions
Q. Can two ASA 1000Vs have the same IP addresses if they belong to the same
tenant hierarchy?
A. No. Any ASA 1000Vs deployed in the same hierarchy cannot have the same
IP address. The following diagram shows a hierarchy that consists of the
levels root – T1 – DC1 – A1 – T1. An ASA 1000V in tenant T1 and an ASA
1000V in vApp A1 cannot have the same IP addresses. However, an ASA
1000V deployed in Tenant T1 and an ASA 1000V deployed in Tenant T2 can
have the same IP addresses.
Q. What is the expected behavior if multiple VMs in the same
tenant/datacenter/vApp/tier have the same IP address?
A. Currently, if multiple VMs in the same tenant/datacenter/vApp/tier have the
same IP address, traffic will not pass through the ASA 1000V. Avoid
configuring the ASA 1000V in this way, because changing the IP address will
not fix the issue.
Q. In the Cisco Nexus 1000V, do you configure vservice node, security profile,
or org configuration for the inside interface of the ASA 1000V?
A. No. For the ASA 1000V port profile, you do not need to configure a vservice
node, security profile, or an org configuration for the ASA 1000V inside
interface.
Q. When I configure Cisco VNMC policy agent parameters on the ASA 1000V,
what CLI output can I expect to see?
A. With the current ASA 1000V image, you will see the following type of output
on the console when you configure VNMC policy-agent parameters:
ciscoasa# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
ciscoasa(config)# vnmc policy-agent
ciscoasa(config-vnmc-policy-agent)# registration host 172.23.195.171
ciscoasa(config-vnmc-policy-agent)# shared-secret Vnmcpass1
Trustpoint CA certificate accepted.
ciscoasa(config-vnmc-policy-agent)#
Q. Can I connect the ASA 1000V to the Cisco VNMC with the management
interface only, or can I use the inside interface or outside interface as well?
A. No. The ASA 1000V can connect to the Cisco VNMC only through the management interface.
Q. Should Cisco VNMC be directly connected to the ASA 1000V management
interface?
A. No. You are not required to directly connect the Cisco VNMC to the ASA
1000V management interface. Typically, a host-specific route should be
added on the ASA 1000V to reach the Cisco VNMC through the management
interface because the ASA 1000V default gateway is reached through the
ASA 1000V outside interface.
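The route-selection logic behind this answer, as an added example (Python, not Cisco code or output from this guide): the ASA picks the longest matching prefix, so with only a default route pointing out the outside interface, registration traffic to VNMC leaves through outside, and a host route (/32) via the management interface is what steers it back. The interface addresses and the VNMC registration host follow the sample configurations in Chapter 6 of this guide; the outside default gateway 10.1.2.254 and the function names (build_rib, select_route, vnmc_reachable_via_management) are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed interface addressing modelled on the sample configurations in this guide.
INTERFACES: Dict[str, str] = {
    "inside": "10.1.1.1/24",
    "outside": "10.1.2.1/24",
    "management": "172.23.39.42/24",
}

# VNMC registration host from the sample LAN-to-LAN configuration; it is not on the
# management subnet, so a static route decides which interface reaches it.
VNMC_HOST = "172.23.195.138"

# ASA syntax: route <interface> <network> <mask> <gateway> <metric>
# The outside default gateway 10.1.2.254 is a constructed value.
STATIC_ROUTES_WITHOUT_HOST_ROUTE: List[str] = [
    "route outside 0.0.0.0 0.0.0.0 10.1.2.254 1",
]
STATIC_ROUTES_WITH_HOST_ROUTE: List[str] = STATIC_ROUTES_WITHOUT_HOST_ROUTE + [
    "route management 172.23.195.138 255.255.255.255 172.23.39.1 1",
]

# (prefix, egress interface, next hop or None when directly connected, metric)
Route = Tuple[ipaddress.IPv4Network, str, Optional[ipaddress.IPv4Address], int]


def parse_static_route(line: str) -> Route:
    """Parse one ASA 'route' line into a Route tuple."""
    parts = line.split()
    if len(parts) != 6 or parts[0] != "route":
        raise ValueError(f"not an ASA route line: {line!r}")
    _, ifc, net, mask, gw, metric = parts
    return (ipaddress.IPv4Network(f"{net}/{mask}"), ifc,
            ipaddress.IPv4Address(gw), int(metric))


def build_rib(interfaces: Dict[str, str], static_routes: List[str]) -> List[Route]:
    """Connected routes (metric 0, no next hop) plus the parsed static routes."""
    rib: List[Route] = []
    for ifc, addr in interfaces.items():
        rib.append((ipaddress.IPv4Interface(addr).network, ifc, None, 0))
    rib.extend(parse_static_route(line) for line in static_routes)
    return rib


def select_route(rib: List[Route], destination: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    dest = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for route in rib:
        prefix, _ifc, _gw, metric = route
        if dest not in prefix:
            continue
        if best is None or (prefix.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = route
    if best is None:
        return None
    return (best[1], None if best[2] is None else str(best[2]))


def vnmc_reachable_via_management(rib: List[Route], vnmc_host: str = VNMC_HOST) -> bool:
    """True when traffic to the VNMC host egresses the management interface."""
    chosen = select_route(rib, vnmc_host)
    return chosen is not None and chosen[0] == "management"


if __name__ == "__main__":
    for label, routes in (("without host route", STATIC_ROUTES_WITHOUT_HOST_ROUTE),
                          ("with host route", STATIC_ROUTES_WITH_HOST_ROUTE)):
        rib = build_rib(INTERFACES, routes)
        print(f"{label}: VNMC {VNMC_HOST} via {select_route(rib, VNMC_HOST)}")
```

The same lookup applies to any address that is not on a connected subnet: anything the host route does not cover follows the default route, which is why the second sample configuration in Chapter 6 also carries a /32 route to its VNMC host even though its default route already points out the management interface.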
Q. Can you use the ASA 1000V CLI to change the ASA 1000V management
mode from ASDM to VNMC or from VNMC to ASDM after deploying the
ASA 1000V?
A. No. You cannot change the management mode after deploying the ASA
1000V. To change the management mode, you must redeploy the ASA
1000V. When you redeploy the ASA 1000V, you must reconfigure all
policies that you previously configured for the ASA 1000V.
Q. Do I need to install a license file on ASA 1000V for it to work?
A. No. Unlike traditional ASAs, you do not need to install a license file on the
ASA 1000V. However, you need to install a license file on the Cisco Nexus
1000V for the ASA 1000V. Cisco will provide you with the appropriate
license file to install on the Cisco Nexus 1000V.
Q. I have an ASA 1000V deployed in VNMC mode and have policies created in
the VNMC Security Profiles section, but I do not see the policies getting
applied on the ASA 1000V.
A. When the ASA 1000V is configured to use VNMC mode, each policy that is
applied on the ASA 1000V needs to be a part of a policy set and the policy
set must be assigned to an edge security profile for the policies to be applied
on the Cisco Nexus 1000V.
The following screen shows how to define policies and policy sets in Cisco
VNMC.
Q. Can I have some VM hosts on the inside network that are assigned dynamic
IP addresses via DHCP and some that are assigned static IP addresses?
A. The VM hosts that have static IP addresses are not reachable by outside hosts.
Any VM host that is assigned a dynamic IP address via DHCP will always be
reachable from outside hosts.
However, an outside host will be able to reach an inside host that has a static
IP address when the inside host has communicated with the outside host (for
example, using ping or ARP).
Q. Why does packet tracer/capture show security profile information for packets
coming from VM hosts on the inside network?
A. As shown in the following screen, all the VM hosts that are on the inside
network belong to an edge security profile and each edge security profile has
specific policies defined.
The Cisco organization has three edge security profiles for Department1,
Department2, and Department3. The VM hosts belonging to each department
have separate policies defined for them.
To ensure that the correct policies are applied to the traffic from VM hosts in
Department1, Department2 and Department3, the ASA 1000V needs to
identify the edge security profile to which the VM host belongs.
Tagging packets with security profile information allows the ASA 1000V to
identify the edge security profile that a VM host belongs to and apply the
policies associated with that edge security profile.
Q. When I ping from an inside VM host to the ASA 1000V inside IP address and
capture packets, I see only ICMP echo request packets.
A. With the current ASA 1000V version, only ICMP echo request packets are
displayed in capture outputs for traffic from inside VM hosts to the ASA
1000V inside interface IP address. This is a display issue, and the inside VM
host should receive the ICMP echo reply packets from the ASA 1000V inside
interface.
When an inside host is pinged from the ASA 1000V interface and packets are
captured, both ICMP echo request and reply packets are displayed correctly.
This issue does not affect the traffic sent from inside VM hosts to outside
hosts.
Q. The VM hosts on my inside network have two interfaces (virtual NICs). Can
each of these interfaces belong to a different tenant?
A. No. All the interfaces of a VM host should belong to the same tenant.
Q. Because the ASA 1000V has inside and outside interfaces (except
management and failover), can the inside interface serve as a trunk interface
to carry multiple VLANs in the tenant?
A. No. The ASA 1000V supports only one inside subnet. It does not support
VLAN trunk ports.
Q. In Cisco VNMC, when I delete the edge security profile associated with my
VM hosts, can I recreate it using the same name?
A. No. Deleting and recreating the edge security profile using the same name
causes your inside VM hosts to be unreachable. When you delete the edge
security profile and recreate it with the same name in the same
tenant/datacenter/vApp/tier, the ASA 1000V will drop all packets from that
edge security profile after it is recreated.
To resolve this issue, perform one of the following workarounds:
Workaround 1
1. From VMware vCenter, determine the port profile to which the VM hosts belong. (In the following example, the VM hosts belong to the port profile inside-hosts-1.)
2. On the Cisco Nexus 1000V console, enter the following commands:
Nexus1000v# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Nexus1000v(config)# port-profile type vethernet inside-hosts-1
Nexus1000v(config-port-prof)# no vservice node name profile profile_name
Nexus1000v(config-port-prof)# vservice node name profile profile_name
Workaround 2
1. Save the running-config to the startup-config using the copy running-config startup-config command.
2. Reload the Nexus 1000V switch using the reload command.
Q. After entering the no vnmc org org_name command in ASDM mode, can I
recreate the same organization structure using the same security profile
names for all security profile interfaces?
A. No. If you configured the security profiles and VNMC organization structure,
then entered the no vnmc org org_name command, you cannot recreate the
same organization structure using the same security profile names for all
security profile interfaces.
The ASA 1000V will drop packets from inside hosts belonging to all edge
security profiles in the organization structure, even if you recreate the
organization correctly.
To resolve this issue, perform one of the following workarounds:
Workaround 1
1. Save the running-config to the startup-config using the copy running-config startup-config command.
2. Reload the Nexus 1000V switch using the reload command.
Workaround 2
1. From VMware vCenter, determine the port profile for all affected VM hosts.
2. For each port profile, enter the following commands on the Cisco Nexus 1000V VSM console:
Nexus1000v# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Nexus1000v(config)# port-profile type vethernet port-profile_name
Nexus1000v(config-port-prof)# no vservice node name profile profile_name
Nexus1000v(config-port-prof)# vservice node name profile profile_name
Repeat these commands for every port profile that inside VM hosts belong to.
Q. My ASA 1000V is deployed in VNMC Mode. I mistakenly deleted the ASA
1000V edge firewall in Cisco VNMC. What do I do?
A. When you mistakenly delete the edge firewall for the ASA 1000V, perform
the following steps in Cisco VNMC:
1. From the Edge Firewalls section, create a new edge firewall with the same parameters as the one you deleted. See the Cisco VNMC Help for more information.
Note: You do not need to recreate the edge security profiles in Cisco VNMC.
2. Select the edge firewall that you recreated and choose Assign Virtual-ASA.
3. Verify that the configuration state shows applied.
Q. My ASA 1000V is deployed in ASDM Mode. I mistakenly deleted the ASA
1000V edge firewall in Cisco VNMC. What do I do?
A. If you mistakenly deleted the edge firewall for the ASA 1000V, perform the
following steps:
1. If you have enabled SSH/Telnet on the ASA 1000V, connect to the CLI using SSH or Telnet, or log into VMware vCenter Client and navigate to the console for the ASA 1000V VM.
2. Enter the vnmc org command; for example:
vnmc org root/Tenant2
Entering this command recreates the edge firewall in Cisco VNMC.
Q. In Cisco VNMC, do I have to configure both an edge security profile and an
edge device profile to configure VPN on ASA 1000V?
A. Yes. In Cisco VNMC, the VPN configuration is divided into two sections:
– Global or device configuration (IKE configuration and tunnel group peer
configuration are considered global). Global or device configuration
must be configured under Edge Device Profile.
– Interface configuration (crypto map configuration is considered an
interface configuration). Interface configuration must be configured
under Edge Security Profile.
CHAPTER 6
Sample Configurations for the Cisco ASA 1000V
This chapter includes the following sections:
• Sample Firewall Configuration, page 6-1
• Sample LAN-to-LAN VPN Tunnel Configuration, page 6-7
Sample Firewall Configuration
The following sample shows the configuration for the ASA 1000V when it is
configured for standalone mode and failover is not configured.
To view the configuration, enter the show running-config command, which
shows a running configuration for the ASA 1000V.
ASA100V-VNMC-Primary# show running-config
: Saved
:
ASA Version 8.7(0)11
!
hostname ASA100V-VNMC-Primary
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 172.23.39.47 255.255.255.0 standby 172.23.39.48
management-only
!
interface security-profile1
nameif sp1
security-level 100
security-profile default@root
!
ftp mode passive
access-list acl:root:default@inside-in extended deny ip any any
access-list acl:root:default@inside-out extended deny ip any any
access-list tcpint:default:default-rule@inside extended permit tcp any any
access-list UDP:timeout:default:default-rule@inside extended permit udp any any
access-list TCP:timeout:default:default-rule@inside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@inside extended permit icmp any any
access-list acl:root:default@outside-in extended deny ip any any
access-list acl:root:default@outside-out extended deny ip any any
access-list tcpint:default:default-rule@outside extended permit tcp any any
access-list UDP:timeout:default:default-rule@outside extended permit udp any any
access-list TCP:timeout:default:default-rule@outside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@outside extended permit icmp any any
access-list acl:root:default@sp1-in extended deny ip any any
access-list acl:root:default@sp1-out extended deny ip any any
access-list tcpint:default:default-rule@sp1 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp1 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp1 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp1 extended permit icmp any any
pager lines 23
mtu GigabitEthernet0/0 1500
mtu GigabitEthernet0/1 1500
mtu Management0/0 1500
failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/2
failover link fover GigabitEthernet0/2
failover interface ip fover 10.1.3.10 255.255.255.0 standby 10.1.3.11
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group acl:root:default@sp1-in in interface sp1
access-group acl:root:default@sp1-out out interface sp1
route management 171.69.0.0 255.255.0.0 172.23.39.1 1
route management 171.69.42.102 255.255.255.255 172.23.39.1 1
route management 172.23.39.37 255.255.255.255 172.23.39.1 1
!
!
service-interface security-profile all inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 171.69.42.102 255.255.255.255 management
http 172.23.39.37 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _internal_PA_VNMC_CA_CERT
enrollment terminal
crl configure
crypto ca certificate chain _internal_PA_VNMC_CA_CERT
certificate ca 00aef9fd58cae70d8e
30820345 3082022d a0030201 02020900 aef9fd58 cae70d8e 300d0609 2a864886
f70d0101 05050030 20311e30 1c060355 04031315 6c6f6361 6c686f73 742e6c6f
63616c64 6f6d6169 6e301e17 0d313230 35303231 34343530 365a170d 32323034
33303134 34353036 5a302031 1e301c06 03550403 13156c6f 63616c68 6f73742e
6c6f6361 6c646f6d 61696e30 82012230 0d06092a 864886f7 0d010101 05000382
010f0030 82010a02 82010100 d48e9cf0 8ce05f09 e6187e70 ad70d013 969faa37
0d08d5f7 ba57114e 21f82454 8f3282ea 911bbbcd a8a55e51 27e56b31 e506d9eb
0116819f 43e6b342 7bb8c50e 3ba3850b c7162d0e e8c5ecbd 2bf6884b b8cf44f0
806a40ad e6e49307 1db2efd0 446bf4ef e48e7f83 767e99e0 7136e9e1 100dfef4
bbb71379 bc7ef2a5 e5708218 09842d2a 2ccf23a4 e2311e12 a48e03af 2c90b40a
89bae78e 0739de49 9ccd2444 2dd965bc 2648db28 fc1a71c3 a9e67cbe bc7cd889
f6d03450 eb8f4090 b80ed863 793a3ff6 0369a635 81dceceb e8082e51 3b860679
b1cb859e c05e5ef9 7e95284d 0e7dbd13 aa5ee474 bb7ec909 64ec9175 5a09d402
0e116273 a1f553ac b516dc1f 02030100 01a38181 307f301d 0603551d 0e041604
1458f881 0b616f95 efda763f 1b1e435a 90dbec4e 96305006 03551d23 04493047
801458f8 810b616f 95efda76 3f1b1e43 5a90dbec 4e96a124 a4223020 311e301c
06035504 0313156c 6f63616c 686f7374 2e6c6f63 616c646f 6d61696e 820900ae
f9fd58ca e70d8e30 0c060355 1d130405 30030101 ff300d06 092a8648 86f70d01
01050500 03820101 002dfa77 37eb3388 d20ce18a 0fea44ab 7b71397a 785509c3
19cf68c6 acacdcc7 6b110c51 d89b5392 3d14d25d 2e356f64 ef3eb5d8 58bbd410
c3ce3fd5 ad057a56 12d9219e 0350821d 32cb41c8 2bafee6b d91ed862 2cb5d4e4
2bdb81e8 50b72f98 e42bfcfa 6c01f3db fe9ba77a 3b315cf1 94ed9350 977966ab
de61bbd2 ec57e897 c6862eb4 624fd14d 3cfd1327 e9bb3976 b5d2c6bd 0a0a4930
b2e1a561 4e3bdb42 5078a267 104ec527 fba33d71 2c1cdac9 c178b377 6367a61e
17d6df12 7bd89458 f0b3015d 872c6fdc cefbf35f c152ce0b e2e32956 8378e64d
add7f032 1cd9d865 383d9bef 316aab22 cdafd878 cbd3e945 3f739758 19cba558
69467e07 04bfad46 68
quit
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
!
vnmc policy-agent
registration host 172.23.39.37
shared-secret *****
username admin password e1z89R3cZe9Kt6Ib encrypted
!
class-map ICMP:timeout:default:default-rule@outside
match access-list ICMP:timeout:default:default-rule@outside
class-map tcpint:default:default-rule@outside
match access-list tcpint:default:default-rule@outside
class-map tcpint:default:default-rule@sp1
match access-list tcpint:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@sp1
match access-list ICMP:timeout:default:default-rule@sp1
class-map TCP:timeout:default:default-rule@outside
match access-list TCP:timeout:default:default-rule@outside
class-map UDP:timeout:default:default-rule@sp1
match access-list UDP:timeout:default:default-rule@sp1
class-map insp:default:default-rule@outside
match default-inspection-traffic
class-map insp:default:default-rule@sp1
match default-inspection-traffic
class-map UDP:timeout:default:default-rule@outside
match access-list UDP:timeout:default:default-rule@outside
class-map TCP:timeout:default:default-rule@sp1
match access-list TCP:timeout:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@inside
match access-list ICMP:timeout:default:default-rule@inside
class-map tcpint:default:default-rule@inside
match access-list tcpint:default:default-rule@inside
class-map TCP:timeout:default:default-rule@inside
match access-list TCP:timeout:default:default-rule@inside
class-map insp:default:default-rule@inside
match default-inspection-traffic
class-map UDP:timeout:default:default-rule@inside
match access-list UDP:timeout:default:default-rule@inside
!
!
policy-map mpf-inside
class tcpint:default:default-rule@inside
class insp:default:default-rule@inside
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@inside
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@inside
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@inside
set connection timeout idle 0:02:00
policy-map mpf-outside
class tcpint:default:default-rule@outside
class insp:default:default-rule@outside
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@outside
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@outside
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@outside
set connection timeout idle 0:02:00
policy-map mpf-sp1
class tcpint:default:default-rule@sp1
class insp:default:default-rule@sp1
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@sp1
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@sp1
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@sp1
set connection timeout idle 0:02:00
!
service-policy mpf-inside interface inside
service-policy mpf-outside interface outside
service-policy mpf-sp1 interface sp1
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 3
subscribe-to-alert-group configuration periodic monthly 3
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83c5fd09f1c24152f7cba73425b76190
: end
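A reviewer reading a running-config like the one above usually wants the security-relevant lines pulled out mechanically: where management sessions may come from (the sample permits telnet and ssh from 0.0.0.0 0.0.0.0 on management), whether every access-list is actually bound or matched, and which IKE/IPsec algorithms are in use. The following Python is an added example, not Cisco code and not output from this guide; the excerpt it audits is constructed from the sample above, with IKEv1/IPsec lines added so the crypto checks have something to flag. The function name audit_asa_config and the severity labels are the example's own; the checks go beyond this one sample in that they also cover IKE policy and transform-set lines of the kind the LAN-to-LAN sample uses.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt modelled on the sample firewall configuration above; the
# crypto lines at the end are constructed to exercise the algorithm checks.
SAMPLE_CONFIG = """\
hostname ASA100V-VNMC-Primary
!
access-list acl:root:default@inside-in extended deny ip any any
access-list acl:root:default@sp1-in extended deny ip any any
access-list acl:root:default@sp1-out extended deny ip any any
access-list tcpint:default:default-rule@sp1 extended permit tcp any any
access-group acl:root:default@sp1-in in interface sp1
access-group acl:root:default@sp1-out out interface sp1
http server enable
http 171.69.42.102 255.255.255.255 management
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
class-map tcpint:default:default-rule@sp1
 match access-list tcpint:default:default-rule@sp1
crypto ipsec ikev1 transform-set TS-1 esp-3des esp-sha-hmac
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

# "<telnet|ssh|http> <source> <mask> <interface>": who may open a management session
MGMT_ACCESS = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
# An ACL counts as used when an access-group binds it or a class-map matches it
ACL_USE = re.compile(r"^(?:access-group|match\s+access-list)\s+(\S+)")

# IKE policy sub-commands and IPsec transforms a reviewer would want replaced
WEAK_POLICY_LINES = {
    "encryption 3des": "3DES IKE encryption",
    "hash md5": "MD5 IKE hash",
    "hash sha": "SHA-1 IKE hash",
    "group 2": "1024-bit DH group 2",
}
WEAK_TRANSFORM_TOKENS = {
    "esp-3des": "3DES IPsec transform",
    "esp-md5-hmac": "MD5 IPsec integrity",
}


def audit_asa_config(text: str) -> List[Dict[str, str]]:
    """Return one finding per weak or suspicious line of an ASA running-config."""
    findings: List[Dict[str, str]] = []
    defined: Set[str] = set()
    used: Set[str] = set()

    def add(severity: str, line: str, issue: str) -> None:
        findings.append({"severity": severity, "line": line, "issue": issue})

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":  # comment lines and the ': Saved' marker
            continue
        m = MGMT_ACCESS.match(line)
        if m:
            proto, src, mask, ifc = m.groups()
            if proto == "telnet":
                add("high", line, f"telnet (cleartext) management access enabled on {ifc}")
            if src == "0.0.0.0" and mask == "0.0.0.0":
                add("high" if proto == "telnet" else "medium", line,
                    f"{proto} management access allowed from any source on {ifc}")
            continue
        if line == "console timeout 0":
            add("low", line, "console sessions never time out")
            continue
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = ACL_USE.match(line)
        if m:
            used.add(m.group(1))
            continue
        if line in WEAK_POLICY_LINES:
            add("medium", line, WEAK_POLICY_LINES[line])
        for token in line.split():
            if token in WEAK_TRANSFORM_TOKENS:
                add("medium", line, WEAK_TRANSFORM_TOKENS[token])

    for name in sorted(defined - used):  # an ACL nothing binds or matches enforces nothing
        add("info", f"access-list {name}", "access-list defined but never bound or matched")
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['issue']}: {f['line']}")
```

Run against the full sample above, the same checks report the telnet and ssh lines and list the inside/outside acl:root ACLs as unbound, since only the sp1 ACLs are attached with access-group; the timeout and inspection ACLs are referenced by class-maps and are therefore not reported.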
Sample LAN-to-LAN VPN Tunnel Configuration
The following is sample output from the show running-config command, which
shows a running configuration for the ASA 1000V:
ciscoasa# show running-config
: Saved
:
ASA Version 8.7(0)12
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.1.2.1 255.255.255.0 standby 10.1.2.1
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 172.23.39.42 255.255.255.0 standby 172.23.39.43
management-only
!
interface security-profile1
nameif sp1
security-level 100
security-profile VPN@root/Tenant
!
interface security-profile2
nameif sp2
security-level 100
security-profile C200-1@root/Tenant
!
interface security-profile3
nameif sp3
security-level 100
security-profile default@root
!
interface security-profile4
nameif sp4
security-level 100
security-profile test@root/Tenant
!
ftp mode passive
object-group network VDONOg:mymap:toRemote@sp2
network-object host 10.1.3.30
object-group network VSONOg:mymap:toRemote@sp2
network-object host 10.1.4.50
object-group network VDONOg:testmap:101@sp2
network-object host 10.1.3.30
object-group network VSONOg:testmap:101@sp2
network-object host 10.1.4.50
access-list tcpint:default:default-rule@inside extended permit tcp any any
access-list UDP:timeout:default:default-rule@inside extended permit udp any any
access-list TCP:timeout:default:default-rule@inside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@inside extended permit icmp any any
access-list tcpint:default:default-rule@outside extended permit tcp any any
access-list UDP:timeout:default:default-rule@outside extended permit udp any any
access-list TCP:timeout:default:default-rule@outside extended permit tcp any any
access-list ICMP:timeout:default:default-rule@outside extended permit icmp any any
access-list tcpint:default:default-rule@sp3 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp3 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp3 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp3 extended permit icmp any any
access-list tcpint:default:default-rule@sp1 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp1 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp1 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp1 extended permit icmp any any
access-list tcpint:default:default-rule@sp2 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp2 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp2 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp2 extended permit icmp any any
access-list mymap@root:Tenant extended permit ip object-group VSONOg:mymap:toRemote@sp2 object-group VDONOg:mymap:toRemote@sp2
access-list tcpint:default:default-rule@sp4 extended permit tcp any any
access-list UDP:timeout:default:default-rule@sp4 extended permit udp any any
access-list TCP:timeout:default:default-rule@sp4 extended permit tcp any any
access-list ICMP:timeout:default:default-rule@sp4 extended permit icmp any any
access-list testmap@root:Tenant extended permit ip object-group VSONOg:testmap:101@sp2 object-group VDONOg:testmap:101@sp2
pager lines 23
logging enable
logging buffered debugging
mtu GigabitEthernet0/0 1500
mtu GigabitEthernet0/1 1500
mtu Management0/0 1500
failover
failover lan unit secondary
failover lan interface fover GigabitEthernet0/2
failover link fover GigabitEthernet0/2
failover interface ip fover 172.27.48.1 255.255.255.0 standby 172.27.48.22
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route management 0.0.0.0 0.0.0.0 172.23.39.1 1
route outside 10.1.3.0 255.255.255.0 10.1.5.3 1
route management 172.23.195.138 255.255.255.255 172.23.39.1 1
!
service-interface security-profile all inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.23.39.0 255.255.255.0 management
http 172.23.195.138 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set V1:basic:2@root:Tenant:c-policy-se esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal V2:basic:2@root:Tenant:c-policy-se
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 86400
crypto map outsidemap 100 match address mymap@root:Tenant
crypto map outsidemap 100 set peer 10.1.5.3
crypto map outsidemap 100 set ikev1 transform-set V1:basic:2@root:Tenant:c-policy-se
crypto map outsidemap 100 set ikev2 ipsec-proposal V2:basic:2@root:Tenant:c-policy-se
crypto map outsidemap 100 set security-association lifetime seconds 86400
crypto map outsidemap 100 set security-association lifetime kilobytes 4608000
crypto map outsidemap 100 set nat-t-disable
crypto map outsidemap interface outside
crypto ca trustpoint _internal_PA_VNMC_CA_CERT
enrollment terminal
crl configure
crypto ca certificate chain _internal_PA_VNMC_CA_CERT
certificate ca 00fde69d6350ce9abe
30820345 3082022d a0030201 02020900 fde69d63 50ce9abe 300d0609 2a864886
f70d0101 05050030 20311e30 1c060355 04031315 6c6f6361 6c686f73 742e6c6f
63616c64 6f6d6169 6e301e17 0d313230 35303431 34323435 385a170d 32323035
30323134 32343538 5a302031 1e301c06 03550403 13156c6f 63616c68 6f73742e
6c6f6361 6c646f6d 61696e30 82012230 0d06092a 864886f7 0d010101 05000382
010f0030 82010a02 82010100 b7a7fc43 7a8b7db3 62368b62 078bbe29 ec70624f
cff8da2d 74041861 6e7444c6 29649a5b 36bc151a 3b7b0a1d 4a002c77 f4a6288d
53f0b3d7 991a51a6 798caec5 4eb2b188 f3cb5f63 9c9680db 48166513 c0a33ef0
c567b144 699812ed 5b819641 9534aeca 75c18e41 3ad04a2c 5b3f4100 91ed36d2
a4121bf3 480880e8 872ff089 358c5f62 f0cb1c2c 103a6d1d 6536fd6f fcb35ceb
16c6778e 97c3de4d 92e75df1 98fe189f 09286b11 064839bf a7859e23 b4029b83
b52f8e20 3bfb6e95 17a1baef 151c448b 3f143b54 b8ab93ec 12f465ec c7446144
1ddbe6a5 aa5f5db9 6d0085e8 7f893dc1 0d0371ef 4aa017fa ffab3114 61d96eb7
a07119a1 802ca270 4e316161 02030100 01a38181 307f301d 0603551d 0e041604
14e33789 a4e2107f 2ba6051c 6299b91b bc6a10c9 dd305006 03551d23 04493047
8014e337 89a4e210 7f2ba605 1c6299b9 1bbc6a10 c9dda124 a4223020 311e301c
06035504 0313156c 6f63616c 686f7374 2e6c6f63 616c646f 6d61696e 820900fd
e69d6350 ce9abe30 0c060355 1d130405 30030101 ff300d06 092a8648 86f70d01
01050500 03820101 002f1be1 71f8e57d 177c9f11 d4db6267 323dbb88 03b8a311
ee36ff4f 9a7984e5 0278ca12 795650a1 178be560 3c5c154b 9bed52c6 e62bfa71
c8dbab0a 71835206 692dfeb0 033e9621 8dcb9c4c 35ba3065 fe72aacd 230c10ae
6aeaf8f4 8ed7e8d5 cd1beaac 52f14d02 8f0751bf cb166123 e58e40ca e0d1430e
17a117e6 d3171f48 442e0d97 7cfa0145 5f8041b7 869ba9e8 3d05dcfe 6142e5c9
19178d2f 0bc31bdc 25d819f4 e6e0b54a 2a5c78a6 cf2ac414 3d8748ec c19576d7
82a553d2 258365b3 8344e7de c12ad2ae 19588bda 7b7da8ca 4620222a f64ea010
b9574ae5 406e0e15 ea3d731d 2e0dff74 b4de35b5 f449524a 1732642b 10c7505d
90ca3125 df6418ac cd
quit
crypto ikev2 policy 100
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
Cisco ASA 1000V Cloud Firewall Getting Started Guide
6-10
78-20938-01
Chapter 6
Sample Configurations for the Cisco ASA 1000V
Sample LAN-to-LAN VPN Tunnel Configuration
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 1440
ssh timeout 5
console timeout 0
!
vnmc policy-agent
registration host 172.23.195.138
shared-secret *****
tunnel-group 10.1.5.3 type ipsec-l2l
tunnel-group 10.1.5.3 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map tcpint:default:default-rule@sp4
match access-list tcpint:default:default-rule@sp4
class-map ICMP:timeout:default:default-rule@outside
match access-list ICMP:timeout:default:default-rule@outside
class-map ICMP:timeout:default:default-rule@sp4
match access-list ICMP:timeout:default:default-rule@sp4
class-map tcpint:default:default-rule@outside
match access-list tcpint:default:default-rule@outside
class-map ICMP:timeout:default:default-rule@sp2
match access-list ICMP:timeout:default:default-rule@sp2
class-map ICMP:timeout:default:default-rule@sp3
match access-list ICMP:timeout:default:default-rule@sp3
class-map tcpint:default:default-rule@sp1
match access-list tcpint:default:default-rule@sp1
class-map tcpint:default:default-rule@sp2
match access-list tcpint:default:default-rule@sp2
class-map tcpint:default:default-rule@sp3
match access-list tcpint:default:default-rule@sp3
class-map ICMP:timeout:default:default-rule@sp1
match access-list ICMP:timeout:default:default-rule@sp1
class-map insp:default:default-rule@sp4
match default-inspection-traffic
class-map TCP:timeout:default:default-rule@outside
match access-list TCP:timeout:default:default-rule@outside
class-map UDP:timeout:default:default-rule@sp1
match access-list UDP:timeout:default:default-rule@sp1
class-map UDP:timeout:default:default-rule@sp2
match access-list UDP:timeout:default:default-rule@sp2
class-map TCP:timeout:default:default-rule@sp4
match access-list TCP:timeout:default:default-rule@sp4
class-map insp:default:default-rule@outside
match default-inspection-traffic
class-map UDP:timeout:default:default-rule@sp3
match access-list UDP:timeout:default:default-rule@sp3
class-map TCP:timeout:default:default-rule@sp2
match access-list TCP:timeout:default:default-rule@sp2
class-map UDP:timeout:default:default-rule@sp4
match access-list UDP:timeout:default:default-rule@sp4
class-map TCP:timeout:default:default-rule@sp3
match access-list TCP:timeout:default:default-rule@sp3
class-map insp:default:default-rule@sp1
match default-inspection-traffic
class-map insp:default:default-rule@sp2
match default-inspection-traffic
class-map UDP:timeout:default:default-rule@outside
match access-list UDP:timeout:default:default-rule@outside
class-map insp:default:default-rule@sp3
match default-inspection-traffic
class-map TCP:timeout:default:default-rule@sp1
match access-list TCP:timeout:default:default-rule@sp1
class-map ICMP:timeout:default:default-rule@inside
match access-list ICMP:timeout:default:default-rule@inside
class-map tcpint:default:default-rule@inside
match access-list tcpint:default:default-rule@inside
class-map TCP:timeout:default:default-rule@inside
match access-list TCP:timeout:default:default-rule@inside
class-map insp:default:default-rule@inside
match default-inspection-traffic
class-map UDP:timeout:default:default-rule@inside
match access-list UDP:timeout:default:default-rule@inside
!
!
policy-map mpf-inside
class tcpint:default:default-rule@inside
class insp:default:default-rule@inside
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@inside
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@inside
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@inside
set connection timeout idle 0:02:00
policy-map mpf-sp4
class tcpint:default:default-rule@sp4
class insp:default:default-rule@sp4
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@sp4
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@sp4
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@sp4
set connection timeout idle 0:02:00
policy-map mpf-outside
class tcpint:default:default-rule@outside
class insp:default:default-rule@outside
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@outside
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@outside
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@outside
set connection timeout idle 0:02:00
policy-map mpf-sp1
class tcpint:default:default-rule@sp1
class insp:default:default-rule@sp1
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@sp1
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@sp1
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@sp1
set connection timeout idle 0:02:00
policy-map mpf-sp3
class tcpint:default:default-rule@sp3
class insp:default:default-rule@sp3
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@sp3
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@sp3
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@sp3
set connection timeout idle 0:02:00
policy-map mpf-sp2
class tcpint:default:default-rule@sp2
class insp:default:default-rule@sp2
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect sip
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
class UDP:timeout:default:default-rule@sp2
set connection timeout idle 0:02:00
class TCP:timeout:default:default-rule@sp2
set connection timeout idle 1:00:00
class ICMP:timeout:default:default-rule@sp2
set connection timeout idle 0:02:00
!
service-policy mpf-inside interface inside
service-policy mpf-outside interface outside
service-policy mpf-sp1 interface sp1
service-policy mpf-sp2 interface sp2
service-policy mpf-sp3 interface sp3
service-policy mpf-sp4 interface sp4
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 25
subscribe-to-alert-group configuration periodic monthly 25
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6796450aa16ba3fd7148edf6b776ef8b
: end
ciscoasa#
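The running configuration above is what the guide shows and it does bring the LAN-to-LAN tunnel up, but several of its settings are weak by current standards: IKEv1 and IKEv2 are both enabled and both negotiate 3DES, SHA-1 and Diffie-Hellman group 2; NAT traversal is disabled on the crypto map entry; and Telnet is permitted from any source address on the management interface. The block below is an added hardening pass written by the editor, not configuration from the guide or from Cisco. It assumes an ASA release that accepts AES-256, SHA-256 and DH group 14 for IKEv2 (the syntax is ASA 9.x; the ASA 1000V's own release may reject some keywords, so check `show version` and the command reference before applying), keeps the peer 10.1.5.3 and the `outsidemap` crypto map name from the sample, and uses an assumed administrator subnet of 10.1.5.0/24 for SSH. The proposal name, the shorter SA lifetime and the pre-shared-key placeholders are the editor's choices.

```cisco
! Weak settings as they appear in the sample above (shown for contrast, do not apply):
!   crypto ikev2 policy 100          -> encryption 3des / integrity sha / group 2 / prf sha
!   crypto ikev1 policy 100, 65535   -> authentication pre-share / encryption 3des / hash sha / group 2
!   crypto map outsidemap 100 set nat-t-disable
!   telnet 0.0.0.0 0.0.0.0 management

! 1. Stronger IKEv2 (phase 1) policy. The lower sequence number makes it preferred
!    over policy 100, which is then removed so 3DES/SHA-1/group 2 is never offered.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
no crypto ikev2 policy 100

! 2. Matching IPsec (phase 2) proposal. The name AES256-SHA256 is an assumption.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! 3. Point the existing crypto map entry at the new proposal, re-enable NAT traversal
!    (needed whenever a NAT device sits between the peers), and rekey hourly instead
!    of once a day (assumed policy choice; the sample uses 86400 s / 4608000 KB).
crypto map outsidemap 100 set ikev2 ipsec-proposal AES256-SHA256
no crypto map outsidemap 100 set nat-t-disable
crypto map outsidemap 100 set security-association lifetime seconds 3600

! 4. Once the peer at 10.1.5.3 negotiates IKEv2, stop offering IKEv1 on the outside
!    interface so a downgrade to the weaker IKEv1 policies is no longer possible.
no crypto ikev1 enable outside

! 5. Long random pre-shared keys, distinct per direction. Placeholders only:
!    generate your own (32+ random characters) and never reuse the sample's.
tunnel-group 10.1.5.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-RANDOM-32-PLUS-CHARS>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-DIFFERENT-RANDOM-32-PLUS-CHARS>

! 6. Management access: SSH version 2 from the admin subnet only (10.1.5.0/24 is an
!    assumption), no Telnet from anywhere. The sample's ssh timeout 5 is kept.
no telnet 0.0.0.0 0.0.0.0 management
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.1.5.0 255.255.255.0 management

! 7. Verify the tunnel re-established with the new proposal rather than the old one.
!    show crypto ikev2 sa
!    show crypto ipsec sa peer 10.1.5.3
```

Apply the change on the remote peer first (or in the same maintenance window), since an IKEv2 SA only forms when both sides share a policy. On an ASA 1000V that is registered with VNMC, as this sample is (note the `vnmc policy-agent` stanza and the `V1:`/`V2:` proposal names that VNMC generated), make the equivalent change in the VNMC policy rather than on the CLI, otherwise the policy agent can push the original settings back.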