Cisco ASA 1000V ASDM Configuration Guide, 6.7
Introduction to the ASA 1000V
Downloads: This chapterpdf (PDF - 198.0KB) The complete bookPDF (PDF - 11.09MB) | Feedback

Introduction to the Cisco ASA 1000V

Table Of Contents

Introduction to the Cisco ASA 1000V

New Features in ASDM Version 6.7(1)

Supported and Unsupported Features of the Cisco ASA 1000V

VMware Feature Support for the ASA 1000V

Task Flow for Configuring the ASA 1000V

Cloning the ASA 1000V

Requirements for Cloning

Preparing the Master ASA 1000V

Cloning the Master

Licensing Enforcement for the ASA 1000V

Monitoring the ASA 1000V

ASDM Client Operating System and Browser Requirements

Firewall Functional Overview

Security Policy Overview

Permitting or Denying Traffic with AccessLists (Rules)

Applying NAT

Protection from IP Fragments

Applying Application Inspection

Applying Connection Limits and TCP Normalization

Failover Overview

Firewall Mode Overview

Stateful Inspection Overview

IPsec Site-to-Site VPN Functional Overview

Additional References


Introduction to the Cisco ASA 1000V


The ASA 1000V is an edge firewall virtual appliance that runs on VMware vSphere Hypervisor software and the Cisco Nexus 1000V switch exclusively. It allows Virtual Machines (VMs) in a virtual data center to access the Internet securely (including inter-tenant communications), functions as the default gateway for the VMs, and protects against network-based attacks.


Note This guide describes how to configure the ASA 1000V using ASDM mode (in this mode, you can use the ASA CLI); if you are using VNMC mode, see the VNMC documentation.


This chapter includes the following sections:

New Features in ASDM Version 6.7(1)

Supported and Unsupported Features of the Cisco ASA 1000V

VMware Feature Support for the ASA 1000V

Task Flow for Configuring the ASA 1000V

Cloning the ASA 1000V

Licensing Enforcement for the ASA 1000V

Monitoring the ASA 1000V

ASDM Client Operating System and Browser Requirements

Firewall Functional Overview

IPsec Site-to-Site VPN Functional Overview

Additional References

New Features in ASDM Version 6.7(1)

Table 1-1 lists the new features for ASDM Version 6.7(1).

Table 1-1 New Features for ASDM Version 6.7(1) 

Feature
Description
Platform Features

Support for the ASA 1000V

We introduced support for the ASA 1000V with the Cisco Nexus 1000V switch.

Cloning the ASA 1000V

You can add one or multiple instances of the ASA 1000V to your deployment using the method of cloning VMs.

Management Features

ASDM mode

You can configure, manage, and monitor the ASA 1000V using the Adaptive Security Device Manager (ASDM), which is the single GUI-based device manager for the ASA 1000V.

VNMC mode

You can configure and manage the ASA 1000V using the Cisco Virtual Network Management Center (VNMC), which is a GUI-based multi-device manager for multiple tenants.

XML APIs

You can configure and manage the ASA 1000V using XML APIs, which are application programmatic interfaces provided through the Cisco VNMC. This feature is only available in VNMC mode.

Firewall Features

Cisco VNMC access and configuration

Cisco VNMC access and configuration are required to create security profiles. You can configure access to the Cisco VNMC through the Configuration > Device Setup > Interfaces pane. Enter the login username and password, hostname, and shared secret to access the Cisco VNMC. Then you can configure security profiles and security profile interfaces. In VNMC mode, use the CLI to configure security profiles.

Security profiles and security profile interfaces

Security profiles are interfaces that correspond to an edge security profile that has been configured in Cisco VNMC and assigned in the Cisco Nexus 1000V VSM. Policies for through-traffic are assigned to these interfaces and the outside interface. You can add security profiles through the Configuration > Device Setup > Interfaces pane. You create the security profile by adding its name and selecting the service interface. ASDM then generates the security profile through the Cisco VNMC, assigns the security profile ID, and automatically generates a unique interface name. The interface name is used in the security policy configuration.

We introduced or modified the following screens:

Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add Security Profile
Monitoring > Interfaces > Security Profiles

Service interface

The service interface is the Ethernet interface associated with security profile interfaces. You can only configure one service interface, which must be the inside interface.

We modified the following screen: Configuration > Device Setup > Interfaces.

VNMC policy agent

The VNMC policy agent enables policy configuration through both the ASDM and VNMC modes. It includes a web server that receives XML-based requests from Cisco VNMC over HTTPS and converts it to the ASA 1000V configuration.

We modified the following screen: Configuration > Device Setup > Interfaces.


Supported and Unsupported Features of the Cisco ASA 1000V

The ASA 1000V supports a subset of features of the ASA. Table 1-2 lists the major supported features on the ASA 1000V.

Table 1-2 Major Supported Features on the ASA 1000V 

Feature
Description

AAA for management access

See Chapter 19 "Configuring Management Access."

Access rules

See Chapter 18 "Configuring Access Rules."

DHCP server, DHCP client, and DHCP relay

See Chapter 10 "Configuring DHCP."

DNS server for name resolution

See Chapter 9 "Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings."

Failover

Active/Standby only. See Chapter 7 "Configuring Active/Standby Failover."

Inspection engines

Except for GTP and IM inspection maps (deep packet inspection). See Chapter 22 "Getting Started with Application Layer Protocol Inspection," Chapter 23 "Configuring Inspection of Basic Internet Protocols," Chapter 24 "Configuring Inspection for Voice and Video Protocols," and Chapter 26 "Configuring Inspection for Management Application Protocols."

IP audit

See Chapter 28 "Using Protection Tools."

IPsec site-to-site VPN

Static tunnels only. See Chapter 28, "Configuring LAN-to-LAN IPsec VPNs."

NAT

See Chapter 14 "Information About NAT," Chapter 15 "Configuring Network Object NAT," and Chapter 16 "Configuring Twice NAT."

NTP and time zones

See Chapter 9 "Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings."

SNMP MIBs and traps

See Chapter 33 "Configuring SNMP."

SSH and Telnet

See Chapter 19 "Configuring Management Access."

Syslog messages (TCP and UDP)

See the syslog messages guide and Chapter 32 "Configuring Logging."

TCP intercept

See Chapter 27 "Configuring Connection Settings."


Table 1-3 lists the unsupported features on the ASA 1000V.


Note The commands associated with an unsupported feature are not supported at the CLI.


Table 1-3 Unsupported Features on the ASA 1000V 

Feature
Description

AAA for network access

Not supported.

Active/Active failover and subsecond failover

Not supported.

Authentication using certificates

Not supported.

Botnet traffic filter

Not supported.

Dynamic DNS

Not supported.

Dynamic routing

Not supported.

GTP/GTPRS (Mobile Service Providers)

Not supported.

HTTP inspection maps for deep-packet inspection

Not supported.

Identity firewall

Not supported.

Inbound PAT

Not supported.

IPS and CSC modules

Not supported.

IPv6

Not supported.

Multiple contexts

Not supported.

NetFlow

Not supported.

PPPoE/VPDN

Not supported.

QoS

Not supported.

Redundant interfaces, EtherChannel interfaces, and subinterfaces

Not supported.

Shun

Not supported.

Threat detection

Not supported.

Transparent mode

Not supported.

Unified communications

Not supported. (Includes TLS Proxy, Phone Proxy, Proxy Limit, and IME.)

URL filtering

Not supported.

VPN remote access

Not supported. (Includes Remote Access, Clientless (SSL) Access, Multi-site (SSL) Access, Easy VPN on the ASA 5505, VPN Phones, AnyConnect Essentials, and AnyConnect Mobile.)

WCCP

Not supported.


For more information about the ASA 1000V, see the following URL:

http://www.cisco.com/en/US/products/ps12233/index.html

VMware Feature Support for the ASA 1000V

Table 1-4 lists the VMware feature support for the ASA 1000V.

Table 1-4 VMware Feature Support for the ASA 1000V 

Feature
Description
Support (Yes/No)
Comment

Cold clone

The VM is powered off before cloning.

Yes

DRS

Used for dynamic resource scheduling and distributed power management.

Yes

Hot clone

The VM is running during cloning.

No

Snapshot

Freezes the VM for a few seconds. You may loose traffic. Failover may occur.

See comment.

Use with care.

VM migration

Used for VM migration.

Yes

vMotion

Used for live migration of VMs.

Yes

VMware FT

Used for HA for VMs.

No

Use ASA 1000V failover for ASA 1000V VM failures.

VMware HA

Used for ESX and server failures.

Yes

Use ASA 1000V failover for ASA 1000V VM failures.

VMware HA with VM heartbeats

Used for VM failures.

No

Use ASA 1000V failover for ASA 1000V VM failures.


Task Flow for Configuring the ASA 1000V

Table 1-5 lists the major tasks for configuring the ASA 1000V. This guide also includes other optional features not listed in this table.

Table 1-5 Task Flow for Configuring the ASA 1000V 

Task
Reference

1. Configuring the VSN.

See the Cisco Nexus 1000V Interface Configuration Guide.

2. Deploying the ASA 1000V.

See the Cisco ASA 1000V Getting Started Guide.

3. Connecting to the ASA 1000V user interface.

See Chapter 2 "Getting Started."

4. Configuring Active/Standby failover.

See Chapter 7 "Configuring Active/Standby Failover."

5. Configuring interfaces.

See Chapter 8 "Configuring Interfaces."

6. Configuring routing.

See Chapter 11 "Configuring Static and Default Routes."

7. Configuring service policies.

See Chapter 17 "Configuring a Service Policy."

8. Configuring access rules.

See Chapter 18 "Configuring Access Rules."


Cloning the ASA 1000V

You can deploy multiple instances of the ASA 1000V. You can add one or multiple instances of the ASA 1000V to your deployment by using either of the following methods:

Factory-shipped OVA template: This method enables you to clone multiple instances of the ASA 1000V with different sets of OVF deployment parameters. The ASA 1000Vs have blank configurations, and you obtain the required configuration settings for each instance from the OVF deployment parameters.

Configured OVA template: This method enables you to clone a previously configured OVA template. The ASA 1000Vs already have configurations, and you simply reapply the current OVF parameters. The result is that you can clone multiple instances of ready-to-use ASA 1000V instances with the required configurations.

VMware vSphere API: This method enables you to use application programmatic interfaces to clone an existing ASA 1000V and change the current configuration parameters for each new ASA 1000V instance.

Requirements for Cloning

This section includes the following topics:

Preparing the Master ASA 1000V

Cloning the Master

Preparing the Master ASA 1000V

To prepare the master ASA 1000V, perform the following steps:

1. Deploy the ASA 1000V, set up management routes, SSH access, the username and passwords, and ASDM access.

2. Register with the VNMC using the steps listed in the Cisco ASA 1000V Getting Stated Guide.

3. Save the running configuration to the startup configurtion using the write memory command.

4. It is critical that that you power off the ASA 1000V.


Note If you clone a powered-on ASA 1000V, there is a slight chance that the original ASA 1000V may crash right after the cloning is completed.


Cloning the Master

To clone the master ASA 1000V, perform the following steps:

1. Export the master ASA 1000V to an OVA template using the vSphere Client GUI or any other equivalent method. For example, you can use ovftool from VMware as follows:

ovftool vi://sample-vc50.example.com/performance-testbed/vm/ASA_1000V asa_master.ova 
 
   

Note Using VSphere 4.x to create an OVA template removes the vApp properties set in the master. This means that when the clone is deployed in Step 2, all vApp properties need to be specified.


2. Create a cloned ASA 1000V instance using the VSphere Client GUI or any other equivalent method. For example, you can use ovftool from VMware as follows:

ovftool --acceptAllEulas --datastore="datastore1 (1)" "--net:VM Network=525-net-vm" 
"--net:425-net-vm=60-net" "--net:60-net=425-net-vm" --prop:ManagementIPv4=2.2.2.5 
--prop:ManagementIPv4Gateway=2.2.2.2 --prop:ManagementIPv4Subnet=255.255.0.0 --name="ASA 
Clone 2 "  asa_master.ova 
vi://sample-vc50.example.com/performance-testbed/host/sample-esxhost.example.com/
 
   

It is important to change the Management interface IP address in the clone so that it becomes a separate instance. Otherwise, an IP address conflict will occur. All other vApp properties could be changed if different parameters need to be set. Note that if the OVA template is created using VSphere 4.x, then all vApp properties need to be specified in the clone, because these properties are not stored in the template.


Note The ovftool does not export default values if you are using an ESXi 4.1 deployment; however, an ESXi 5.0 deployment does support the export of default values.


The following is an example using ovftool from VMware to set all of the properties:

ovftool --acceptAllEulas --datastore="datastore1 (1)" "--net:VM Network=525-net-vm" 
"--net:425-net-vm=60-net" "--net:60-net=425-net-vm" --prop:ManagementIPv4=2.2.2.5 
--prop:ManagementIPv4Gateway=2.2.2.2 --prop:ManagementIPv4Subnet=255.255.0.0 
--prop:ASDMIPv4=0.0.0.0 --prop:HAActiveIPv4=0.0.0.0 --prop:HASubnetIPv4=0.0.0.0 
--prop:HAStandbyIPv4=0.0.0.0 --prop:ManagementStandbyIPv4=0.0.0.0 --prop:VNMCIPv4=0.0.0.0 
--name="ASA Clone 2 "  asa_master.ova 
vi://sample-vc50.example.com/performance-testbed/host/sample-esxhost.example.com/. 
 
   

Fields marked with 0.0.0.0 values should be set appropriately if used; otherwise, they can be set as 0.0.0.0.

3. Power on the clone.


Note Cloned ASA 1000Vs regenerate default RSA keypairs with the same settings and delete all other keys.


Licensing Enforcement for the ASA 1000V

The Nexus 1000V Virtual Service Module (VSM) requires a license that controls the number of CPU sockets on each Virtual Ethernet Module (VEM) used for the ASA 1000V. If the VSM does not have enough licenses, and you deploy an ASA 1000V without license support, then traffic is not allowed to pass through the ASA 1000V. This means the following:

For traffic passing from inside to outside, traffic never reaches the ASA 1000V. See syslog 4450002 for more information.

For traffic passing from outside to inside, the ASA 1000V allows the initial packet to pass through, but the vPath module on the Nexus 1000V rejects the packet, and the ASA 1000V deletes the flow. See syslog 4450002 for more information.

Monitoring the ASA 1000V

You can monitor the ASA 1000V in both ASDM mode and VNMC mode (by acessing the monitoring panes in ASDM in the read-only view), as well as through SSH, Telnet, or the console. The ASDM panes that we have introduced or modified for this platform are included in the feature history table at the end of the chapter for each individual feature in this guide.

ASDM Client Operating System and Browser Requirements

Table 1-6 lists the supported and recommended client operating systems and Java for the ASDM.

Table 1-6 Operating System and Browser Requirements 

Operating System
Browser
Sun Java SE Plug-in
Internet Explorer
Firefox 1
Chrome
Safari

Microsoft Windows (English and Japanese):

7

Vista

2008 Server

XP

6.0 or later1

1.5 or later

1.5 or later

No support

6.0

Apple Macintosh OS X:

10.72

10.6

10.5

10.4

No support

1.5 or later

1.5 or later

2.0 or later

6.0

Red Hat Enterprise Linux 5 (GNOME or KDE):

Desktop

Desktop with Workstation

N/A

1.5 or later

N/A

N/A

6.0

1 The ASDM requires an SSL connection from the browser to the ASA 1000V. By default, Internet Explorer on Windows Vista and later and Firefox on all operating systems do not support base encryption (DES) for SSL, and therefore require the ASA 1000V to have a strong encryption (3DES/AES) license. For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details. For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

2 You may be prompted to install Java the first time you run the ASDM; follow the prompts as necessary. The ASDM will launch after the installation completes.


Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. Firewalls enable you to control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out.

When describing networks connected to a firewall, the outside network is in front of the firewall, and the inside network is protected and behind the firewall. The ASA 1000V allows two data interfaces: one inside and one outside, plus a management interface and one interface for failover. The ASA 1000V allows the creation of multiple security profile interfaces to provide different security policies for the virtual machines (VMs) on the inside interface when they access the outside. (Traffic between VMs is controlled through the use of the Cisco VSG).

The maximum number of concurrent firewall connections allowed on the ASA 1000V is 200,000.

This section includes the following topics:

Security Policy Overview

Failover Overview

Firewall Mode Overview

Stateful Inspection Overview

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA 1000V allows traffic to flow freely from a security profile interface on an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.

This section includes the following topics:

Permitting or Denying Traffic with AccessLists (Rules)

Applying NAT

Protection from IP Fragments

Applying Application Inspection

Applying Connection Limits and TCP Normalization

Permitting or Denying Traffic with AccessLists (Rules)

You can apply an access rule to limit traffic from the inside security profile to the outside or to allow traffic from the outside to the inside security profile.

Applying NAT

Some of the benefits of NAT include the following:

You can use private addresses on your inside networks. Private addresses are not routable on the Internet.

NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.

NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protection from IP Fragments

The ASA 1000V provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA 1000V. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The ASA 1000V uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack that is perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between the source and the destination.

TCP normalization is a feature that consists of advanced TCP connection settings designed to drop packets that do not appear normal.

Failover Overview

Configuring high availability requires two identical ASA 1000Vs connected to each other through a dedicated Stateful Failover link. The two ASA 1000Vs in a failover pair constantly communicate over a failover link to determine the operating status of each one. The health of the active interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

You can use the GigabitEthernet 0/2 interface on the ASA 1000V as the failover link. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link).

The ASA 1000V only supports Active/Standby failover, in which one ASA 1000V passes traffic while the other ASA 1000V waits in a standby state.

Firewall Mode Overview

The ASA 1000V runs only in routed firewall mode and is considered to be a router hop in the network.

Stateful Inspection Overview

All traffic that goes through the ASA 1000V is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet with the filter, which can be a slow process.


Note The TCP state bypass feature allows you to customize the packet flow. See the "TCP State Bypass" section.


A stateful firewall like the ASA 1000V, however, takes into consideration the state of a packet:

Is this a new connection?

If it is a new connection, the ASA 1000V has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path.

The session management path is responsible for the following tasks:

Performing the access list checks

Performing route lookups

Allocating NAT translations (xlates)

Establishing sessions in the fast path

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Is this an established connection?

If the connection is already established, the ASA 1000V does not need to recheck packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:

Verifying the IP checksum

Performing session lookups

Checking TCP sequence numbers

Allocating NAT translations based on existing sessions

Adjusting Layer 3 and Layer 4 headers

For UDP or other connectionless protocols, the ASA 1000V creates connection state information so that it can also use the fast path.

Data packets for protocols that require Layer 7 inspection can also go through the fast path.

Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

IPsec Site-to-Site VPN Functional Overview

A site-to-site (LAN-to-LAN) VPN connects networks in different geographic locations. The ASA 1000V supports IPsec site-to-site connections (called tunnels) to Cisco or third-party peers when the two peers have IPv4 inside and outside interfaces. IPsec tunnel mode is useful for protecting traffic between different networks when traffic must pass through an intermediate, untrusted network.

The supported protocols for IPsec site-to-site tunnels are IKEv1 and IKEv2 using a preshared key only. A preshared key or shared secret is the string of text that a VPN expects to receive before any other credentials (such as a username and password). Split tunnels are also supported and allow the network administrator to determine which traffic the client passes through the VPN tunnel and which traffic goes straight to the Internet (non-tunneled).

The supported tunnel modes are Encapsulating Security Payload (ESP) alone, and ESP and Authentication Header (AH) combined. AH tunnel mode encapsulates an IP packet with an AH and IP header and signs the entire packet for integrity and authentication. ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. ESP and AH can be combined when tunneling, which provides both security for the tunneled IP packet and integrity and authentication for the entire packet.

In addition, NAT traversal is supported and is used by IPsec site-to-site VPN clients to allow ESP packets to traverse NAT.

Additional References

For more information about the individual components that comprise the ASA 1000V, see the following documentation:

ASA 1000V
http://www.cisco.com/en/US/products/ps12233/tsd_products_support_series_home.html

ASDM
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Cisco Nexus 1000V
http://www.cisco.com/en/US/products/ps9902/tsd_products_support_series_home.html

Cisco VNMC and Cisco VSG
http://www.cisco.com/en/US/products/ps11213/tsd_products_support_series_home.html

VMware
http://www.vmware.com/support/pubs/