Nov 6, 2016

How to Set Up Cisco ASAv Vagrant Box on VMware Fusion



This article will walk you through the steps to configure Cisco Adaptive Security Virtual Appliance (ASAv) on VMware Fusion.






Prerequisites


1. Sign in to your Cisco account to download the ASAv package.

Note: A valid service contract is required for the download.

  • Sign in here.
  • Select the Download Software link.
  • Select the Adaptive Security Appliance (ASA) Software link.
  • Select the version from the menu on the left. For my example, I will be using the 9.6.1 version.
  • Click the Download button for Cisco Adaptive Security Virtual Appliance VMWare Package for the Cisco ASAv Virtual Firewall.
  • Save the asav961.zip file to the Downloads folder.
  • Double-click the asav961.zip file to uncompress (expand) it.

2. Create the Cisco ASAv base.
  • Open the VMware Fusion application.
  • Click File -> Import... from the VMware Fusion menu bar.
  • Click the Choose File... button.
  • Navigate to and select the asav-esxi.ovf file in the asav961 folder.
  • Click the Open button.
  • Click the Continue button.
  • Save As: ASAv-961
  • Click the Save button.
  • Click the Accept button for the EULA.
  • Click the Customize Settings button to modify the virtual appliance settings.
  • Set Network Adapter to Share with my Mac.
  • Remove Network Adapter 2 through Network Adapter 10.
  • Uncheck Connect CD/DVD Drive for CD/DVD (IDE).
  • Upgrade the VM hardware version to 12 (Compatibility -> Upgrade).
  • Close the Settings window.
  • Close the VMware Fusion application.



3. Add a custom serial port (for management via console connection).

From a terminal, append a serial port device to the virtual appliance configuration file. The telnet listener carries no authentication of its own, so keep it bound to 127.0.0.1 as shown: any local process that can reach the port gets the ASAv console.

$ printf 'serial0.present = "TRUE"\nserial0.yieldOnMsrRead = "TRUE"\nserial0.fileType = "network"\nserial0.fileName = "telnet://127.0.0.1:52099"\n' >> $HOME/Documents/Virtual\ Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx

Verify the component has been added.

$ tail -4 $HOME/Documents/Virtual\ Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx
serial0.present = "TRUE"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://127.0.0.1:52099"
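The append-and-verify above works once, but run a second time it leaves duplicate serial0 keys in the .vmx, and nothing checks that the listener really is loopback-only. The following shell script is an added example, not part of the original post, that wraps the same step in a function which refuses to configure a second serial0 device, rejects bad ports, binds to 127.0.0.1 only and verifies the result; the function names are the example's own, and the .vmx path in the usage line is the one this article uses.

```shell
#!/bin/sh
# add_serial_console VMX PORT
# Appends a network-backed serial port to a VMware .vmx file exactly once,
# bound to 127.0.0.1 so only local processes can reach the unauthenticated
# console.  Returns 0 on success, 1 on a bad port, 2 if the .vmx is missing,
# 3 if a serial0 device is already configured (so re-running the step cannot
# leave duplicate keys in the file) and 4 if verification fails.
add_serial_console() {
    vmx=$1
    port=$2
    [ -f "$vmx" ] || { echo "no such .vmx: $vmx" >&2; return 2; }
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range (1024-65535): $port" >&2; return 1
    fi
    if grep -q '^serial0\.' "$vmx"; then
        echo "serial0 already configured in $vmx" >&2; return 3
    fi
    printf 'serial0.present = "TRUE"\n' >> "$vmx"
    printf 'serial0.yieldOnMsrRead = "TRUE"\n' >> "$vmx"
    printf 'serial0.fileType = "network"\n' >> "$vmx"
    printf 'serial0.fileName = "telnet://127.0.0.1:%s"\n' "$port" >> "$vmx"
    # Verify all four keys landed and the listener is loopback-only.
    [ "$(grep -c '^serial0\.' "$vmx")" -eq 4 ] || return 4
    grep -qx "serial0.fileName = \"telnet://127.0.0.1:$port\"" "$vmx" || return 4
}

# console_port VMX prints the telnet port the serial0 device is bound to on
# 127.0.0.1, or fails if there is none.  Use it before `telnet 127.0.0.1 PORT`.
console_port() {
    sed -n 's/^serial0\.fileName = "telnet:\/\/127\.0\.0\.1:\([0-9]*\)"$/\1/p' "$1" | grep .
}

# Usage: sh add-serial.sh "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx" 52099
if [ "$#" -eq 2 ]; then
    add_serial_console "$1" "$2" && echo "console on telnet://127.0.0.1:$(console_port "$1")"
fi
```

Run it with the .vmx path and port as the two arguments; a second run against the same file exits 3 instead of appending again, and console_port gives you the port to hand to telnet without re-reading the .vmx by eye.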



4. Start the virtual appliance.

From a terminal, start the virtual appliance with the vmrun command.

$ /Applications/VMware\ Fusion.app/Contents/Library/vmrun start $HOME/Documents/Virtual\ Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx

Note: An automatic reboot will be performed after initialization.

 

5. Configure a network serial port for the virtual appliance.

We need to instruct the ASAv to redirect console output from the VMware console (the default) to the serial port. Enter the following commands in the VMware console:

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
ciscoasa(config)# reload save-config noconfirm


6. Initiate a console connection (via Telnet) to the ASAv virtual appliance.
Open a separate terminal window (or tab) and enter the following command:

$ telnet 127.0.0.1 52099

7. Establish a baseline configuration for the Vagrant box.
Create the vagrant user. The public key below is Vagrant's well-known insecure keypair (its private half ships with every Vagrant install) and vagrant/vagrant is the password, so a box built this way must only ever be reachable from the local host; the example Vagrantfile later sets config.ssh.insert_key to false, so Vagrant will not rotate that key for you.

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# username vagrant password vagrant privilege 15
ciscoasa(config)# username vagrant attributes
ciscoasa(config-username)# service-type admin
ciscoasa(config-username)# ssh authentication publickey AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
ciscoasa(config-username)# exit
 
Configure the management interface.

ciscoasa(config)# int m0/0
ciscoasa(config-if)# shut
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip addr dhcp
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit


Configure SSH. Note: ssh 0 0 management permits SSH from any source address on the management interface, and the 1024-bit RSA modulus below is weak by current standards; both are acceptable only because this is a throwaway lab box (use modulus 2048 or larger and a narrower source network for anything else).

ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authorization exec LOCAL auto-enable
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh 0 0 management
ciscoasa(config)# domain-name example.com
ciscoasa(config)# crypto key generate rsa usage-keys label SSHKEYS modulus 1024


Verify the Cisco Adaptive Security Device Manager (ASDM) software is available.

ciscoasa(config)# show file info boot:/asdm-76157.bin

boot:/asdm-76157.bin:
  type is image (asdm)
  file size is 25819140 bytes version 7.6(1)

Enable the HTTP server that ASDM connects through (http 0 0 management again admits any source address on the management interface).

ciscoasa(config)# http server enable
ciscoasa(config)# http 0 0 management
ciscoasa(config)# end


Save the running configuration as the startup configuration.

ciscoasa# copy run start
 
8. Stop the virtual appliance and quit the VMware Fusion application.
 
Stop the virtual appliance from the original terminal window (or tab).
 
$ /Applications/VMware\ Fusion.app/Contents/Library/vmrun stop $HOME/Documents/Virtual\ Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx
 
 
9. Create the Vagrant box.

Change the current directory to ASAv-961.
$ cd $HOME/Documents/Virtual\ Machines.localized/ASAv-961.vmwarevm

Remove the MAC addresses VMware generated for this host from the ASAv-961 configuration file, so each Vagrant clone is assigned its own.
$ sed -i '' '/generatedAddress/d' ASAv-961.vmx

Create the metadata.json file for the VMware provider.
$ printf '{"provider": "vmware_desktop"}' > metadata.json

List the directory contents to verify the essential files are present.
$ tree -h
.
├── [165M]  ASAv-961-disk1.vmdk
├── [ 12M]  ASAv-961-disk2.vmdk
├── [350K]  ASAv-961-file1.iso
├── [ 626]  ASAv-961.plist
├── [   0]  ASAv-961.vmsd
├── [2.8K]  ASAv-961.vmx
├── [ 263]  ASAv-961.vmxf
├── [  30]  metadata.json
├── [8.5K]  nvram
├── [ 866]  startMenu.plist
└── [392K]  vmware.log

0 directories, 11 files

Package the Vagrant box file with tar. The box contains the licensed ASAv image, so keep it in your local inventory only.
$ tar cvzf cisco-asav-961.box ./* 
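Step 9 above runs sed, printf and tar by hand and trusts that the directory held what it should. The following shell script is an added example, not part of the original post, that does the same packaging in one function with the checks a careful packager would add: the .vmx, a disk and the nvram must exist, the generatedAddress keys must really be gone, and the finished tarball must contain metadata.json and the .vmx before it is reported as done. It deliberately leaves vmware.log and the Fusion .plist files out of the box (Vagrant does not need them and the log records host paths). Function names are the example's own; the paths in the usage line are this article's.

```shell
#!/bin/sh
# package_asav_box VMDIR BOXNAME
# Builds VMDIR/BOXNAME.box from an exported VMware Fusion VM directory.
# Exit codes: 1 missing directory or required file, 2 generatedAddress keys
# survived cleanup, 3 the tarball could not be built or is incomplete.
package_asav_box() {
    dir=$1
    name=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    vmx=""
    for f in "$dir"/*.vmx; do
        if [ -f "$f" ]; then vmx=$f; break; fi
    done
    [ -n "$vmx" ] || { echo "no .vmx in $dir" >&2; return 1; }
    [ -f "$dir/nvram" ] || { echo "no nvram in $dir" >&2; return 1; }
    disks=""
    for f in "$dir"/*.vmdk; do
        if [ -f "$f" ]; then disks="$disks ${f##*/}"; fi
    done
    [ -n "$disks" ] || { echo "no .vmdk in $dir" >&2; return 1; }

    # Drop the MAC addresses Fusion generated on this host so every Vagrant
    # clone gets fresh ones.  Same effect as `sed -i '' '/generatedAddress/d'`
    # but without depending on BSD sed's in-place syntax.
    grep -v 'generatedAddress' "$vmx" > "$vmx.tmp" || true
    mv "$vmx.tmp" "$vmx"
    if grep -q 'generatedAddress' "$vmx"; then
        echo "generatedAddress keys survived cleanup in $vmx" >&2; return 2
    fi

    printf '{"provider": "vmware_desktop"}' > "$dir/metadata.json"

    # Optional files that are packed if present (the article's export has both).
    extras=""
    for f in "$dir"/*.vmxf "$dir"/*.iso; do
        if [ -f "$f" ]; then extras="$extras ${f##*/}"; fi
    done

    # Pack from inside the directory so the archive has flat paths, which is
    # what `vagrant box add` expects.  VM file names here contain no spaces.
    ( cd "$dir" && tar czf "$name.box" metadata.json nvram "${vmx##*/}" $disks $extras ) || return 3

    # Prove the archive holds what Vagrant needs before calling it done.
    tar tzf "$dir/$name.box" | grep -qx 'metadata.json' || { echo "metadata.json missing from box" >&2; return 3; }
    tar tzf "$dir/$name.box" | grep -qx "${vmx##*/}" || { echo ".vmx missing from box" >&2; return 3; }
    echo "$dir/$name.box"
}

# Usage: sh package-box.sh "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm" cisco-asav-961
if [ "$#" -eq 2 ]; then
    package_asav_box "$1" "$2"
fi
```

The function prints the path of the finished box, which you can pass straight to vagrant box add; a non-zero exit with a message on stderr means the directory was not a complete export and no box should be trusted from it.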
 

10. Add the Vagrant box.

Add the Vagrant box to our local inventory.

$ vagrant box add --provider vmware_desktop --name cisco-asav-961 cisco-asav-961.box
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box 'cisco-asav-961' (v0) for provider: vmware_desktop
    box: Unpacking necessary files from: file:///Users/marc/Documents/Virtual%20Machines.localized/ASAv-961.vmwarevm/cisco-asav-961.box
==> box: Successfully added box 'cisco-asav-961' (v0) for 'vmware_desktop'! 

Verify the box is now listed.
 
$ vagrant box list
cisco-asav-961      (vmware_desktop, 0)
cisco-iosv-l2-152   (vmware_desktop, 0)
cisco-iosv-l3-156-2 (vmware_desktop, 0)
cisco-xrv-6         (vmware_desktop, 0)
juniper-vmx-141R48  (vmware_desktop, 0)
vmware-centos7      (vmware_desktop, 0)
vmware-ubuntu1404   (vmware_desktop, 0) 
 
11. Test it.

Create a directory for a test project and change to it.
$ mkdir $HOME/Documents/test-asav && cd $_

Create the Vagrantfile with a text editor ...
$ vim Vagrantfile

that contains the following: 
# -*- mode: ruby -*-
# vi: set ft=ruby :

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.ssh.insert_key = false
  config.vm.box = "cisco-asav-961"
  # Shorten timeout value for lack of "standard" Cisco ASA shell
  config.vm.boot_timeout = 90
  # Disable default host <-> guest synced folder
  config.vm.synced_folder ".", "/vagrant", disabled: true

  # Modify telnet port number for console OOB management
  config.vm.provider "vmware_fusion" do |v|
    v.vmx["serial0.fileName"] = "telnet://127.0.0.1:52001"
  end
end 

Show the current status of the vagrant machine.

$ vagrant status
Current machine states:

default                   not created (vmware_fusion)

The VMware machine has not yet been created. Run `vagrant up`
to create the machine. If a machine is not created, only the
default provider will be shown. Therefore, if a provider is not listed,
then the machine is not created for that provider.

12. Vagrant Up!

Note: After Vagrant establishes an SSH connection to the virtual instance, it expects to talk to a standard shell (e.g., Bash). Since the Cisco ASA software doesn't provide one, Vagrant will eventually time out. The current workaround is to shorten that wait with the vm.boot_timeout attribute value as included in the example Vagrantfile.

$ vagrant up
Bringing machine 'default' up with 'vmware_fusion' provider...
==> default: Cloning VMware VM: 'cisco-asav-961'. This can take some time...
==> default: Verifying vmnet devices are healthy...
==> default: Preparing network adapters...
==> default: Starting the VMware VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 192.168.11.130:22
    default: SSH username: vagrant
    default: SSH auth method: private key


Timed out while waiting for the machine to boot. This means that Vagrant was unable to communicate with the guest machine within the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that Vagrant had when attempting to connect to the machine. These errors are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly working and you're able to connect to the machine. It is a common problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly, as well.

If the box appears to be booting properly, you may want to increase the timeout ("config.vm.boot_timeout") value.

The vagrant machine is nevertheless in the running state: the timeout only means Vagrant could not get a shell, not that the ASAv failed to boot.

$ vagrant status
Current machine states:

default                   running (vmware_fusion)

The VM is running. To stop this VM, you can run `vagrant halt` to shut it down, or you can run `vagrant suspend` to simply suspend the virtual machine. In either case, to restart it again, run `vagrant up`.





We can connect to the vagrant machine with SSH ...

$ vagrant ssh 



or a console connection (out-of-band management) via Telnet ...
$ telnet 127.0.0.1 52001

or with Cisco Adaptive Security Device Manager (ASDM).
 

13. More Vagrant commands:

Stop the vagrant machine with the force option.
$ vagrant halt -f

Destroy (Delete) the vagrant machine with the force option.
$ vagrant destroy -f 
