Installing ASAv into vCenter

As announced last month and quickly covered off by this post, Cisco announced the evolution of the ASA 1000v, the ASAv. There is no longer a requirement on Nexus 1000v.

I have a variety of technology in my lab for studies. For 2 years my bread and butter was Juniper SRX and Cisco ASA firewalls. They were the mainstay of my role and I still get questions about them from old colleagues and industry friends

The Lab

This is the lab environment that I have built. I have a firewall only environment and an environment which I have a CSR embedded into it as well.

ASAv lab topology

Installing the ASAv into vCenter

Lets install the ASA 1000v and connect it to the Web Logical Switch we setup here. My lab environment sees quite a few ASAv instances stitched together in a topology. This is great for studying expected behaviours of physical firewall changes.

Time to deploy the ASAv OVA file downloaded from and select the OVA file.

Screenshot 2014-05-01 18.59.43

Accept the terms from Cisco. Accept the extra options which are Thick Provisioned disk (pre allocated, written with zeros).

Screenshot 2014-05-01 19.00.08

Accept the terms of the EULA.

Screenshot 2014-05-01 19.01.41

Select the name and location of where you want to install the ASAv

Screenshot 2014-05-01 19.02.21

Select the cluster you want to install to.

Screenshot 2014-05-01 19.02.37

Select the datastore where the vmdk will be provisioned. Remember, thick provisioning requires the space upfront. Make sure you have the room.

Screenshot 2014-05-01 19.02.52

Here you can select the networks to which the ASAv attaches to. My port-group VM-traffic is connection to the dvUplink connected to my UCS fabric interconnect – for the non VMware people – the outside world. The vSwitch labelled vxw-dvs-204-virtualwire-8-sid-10007-DND-Transit is my Transit logical switch that is connected to my uplink from my logical router. If you look at the three tier application we are deploying in my Installing NSX Series Part 4.

Screenshot 2014-05-01 19.09.21

Here you can set up the initial config which is usually prompted when first enabling a device. I am sure as a part of a vCO workflow that this could be read from a central repository or something but I skip this for now.

Screenshot 2014-05-01 19.09.35
Hit finish. Now it is time to start the ASAv up.

Screenshot 2014-05-01 22.06.06

Lets have a look at the console. It’s amusing – still faithful to the older ASA’s with a Pentium II 2400 being reproduced. Screenshot 2014-05-01 22.08.00

Easy does it. A virtual ASA connected to a logical switch and the outside world. Apply your standard configuration and default policies and you have a functioning ASA. Much easier to deploy than its physical counterpart.

At the time of installing it seems that the only feature missing is ASA clustering. I cover ASA clustering here which is not a bad way of scaling out firewall function. I believe that this is purely a command enablement in the next version.

Cisco ASAv and ASA 9.2

The other day marked a pretty big security release for Cisco. For a long time the Cisco ASA has been a physical firewall and recently evolved to a Virtual Appliance known as the ASA 1000v. The problem with this Virtual Appliance is that it required a Nexus 1000v.

Now with that said the Cisco ASA 1000v has been superseded by the Cisco ASAv during the week. Removing its underlying dependency on Nexus 1000v, this fully functioning Virtual Appliance faithfully reproduces a vast majority of the ASA’s features and expands the ASAs use case portfolio. The release of this Virtual Appliance is in alignment with a new code release. The most notable feature of this product release is BGP support.

There has been many a discussion surrounding how could Cisco not support this on ASA for so long. I am sure they lost many a deal to Juniper’s SRX over this. There were some designs where I ended up having to put a router behind the firewall or in front of it due to the fact BGP was a requirement. Operations considerations didn’t allow an SRX to be used which was unfortunate. Administrators rejoice if Cisco is your firewall incumbent as you now can peer off your firewall and reduce some of the complexity of the work around.

Another feature which looks to be targeted at the ASA5585-X and SSP modules is increasing the max link bundles of LACP. Now supporting 16 links in a LACP bundle, the ASA can connect 16 link channels to Nexus 7000 F2 10Gbe line cards. Some improvements there for data centre switching and tackling east-west DC traffic.

So what are you waiting for? Head over to the support portal and download the .ova. I am lead to believe you require vCenter for the installation.

Check out the release notes for Cisco ASA 9.2[x]