Deploying the Cisco ASA 1000V
This chapter includes the following sections:
•Information About the ASA 1000V Deployment
•Downloading the ASA 1000V OVA File
•Deploying the ASA 1000V Using the VMware vSphere Client
•Powering On the ASA 1000V
•Setting Up ASDM to Be Used by the ASA 1000V
•Configuring SSH Access for the ASA 1000V
•Other Configurations that Might Be Required
•What to Do Next
Information About the ASA 1000V Deployment
This section includes the following topics:
•About the ASA 1000V Management Modes
•Sequence for Configuring the ASA 1000V Using Cisco VNMC
•Sequence for Configuring the ASA 1000V Through ASDM
About the ASA 1000V Management Modes
When you deploy the ASA 1000V, you must choose the management mode: either the Cisco VNMC or ASDM management mode.
Note Each management mode is mutually exclusive; you cannot use the Cisco VNMC and ASDM management mode on the same deployment.
After deploying the ASA 1000V, you cannot change the management mode without redeploying the ASA 1000V with the VMware vSphere Client.
When the ASA 1000V deployment consists of a failover pair, both the primary and secondary ASA 1000V must use the same management mode.
Determining Which Management Mode to Configure for the ASA 1000V
Configure the ASA 1000V to use VNMC management mode when you plan to do the following tasks with the ASA 1000V:
•Use a single graphical user interface to manage Cisco VSG, ASA 1000V, and other cloud products from Cisco.
•Manage many ASA 1000Vs from a single management station.
•Provide tenant access to policies through RBAC in a multitenant data center.
•Share policies between devices (rapid provisioning of policies).
•Use model-based policies and the XML API to configure the ASA 1000V.
Table 2-1 provides a detailed list of the benefits of using Cisco VNMC as your management mode for the ASA 1000V.
Table 2-1 Benefits of Using VNMC Management Mode
Multiple Device Management
Cisco VNMC provides central management of Cisco ASA 1000V and Cisco VSG for Cisco Nexus 1000V Series Switches.
Simplifies provisioning and troubleshooting in a scaled-out data center.
Edge Security Profiles
An edge security profile represents the Cisco ASA 1000V security policy configuration in a profile.
Simplifies provisioning, reduces administrative errors during security policy changes, reduces audit complexities, and enables a highly scaled-out data center environment.
Dynamic Security Policy and Zone Provisioning
Cisco VNMC interacts with the Cisco Nexus 1000V Series VSM to bind the edge security profile to the corresponding Cisco Nexus 1000V series port profile. When virtual machines are dynamically instantiated by server administrators and appropriate port profiles are applied, their association with trust zones is also established.
Helps enable edge security profiles to stay aligned with rapid changes in the virtual data center.
Multitenant (Scale-out) Management
Cisco VNMC is designed to manage security policies for Cisco ASA 1000V and Cisco VSG in a dense, multitenant environment so that administrators can quickly add and delete tenants and update tenant-specific configurations and security policies.
Simplifies management of a highly dynamic virtual environment, reduces administrative errors, helps ensure the segregation of duties in administrative teams, and simplifies audit procedures.
Role-based Access Control (RBAC)
RBAC simplifies operation tasks across different types of administrators, while allowing subject-matter experts to continue with their normal procedures.
•Reduces administrative errors.
•Enables detailed control of user privileges.
•Simplifies auditing requirements.
The Cisco VNMC XML API allows external system management and orchestration tools to programmatically provision the ASA 1000V and Cisco VSG.
•Allows use of best-in-class management software.
•Offers transparent and scalable operation management.
Context-aware Security Policies
Cisco VNMC obtains virtual machine contexts from VMware vCenter.
Allows security administrators to institute highly specific policy controls across the entire virtual infrastructure based on VM attributes for Cisco VSG.
If you selected the Cisco VNMC as the management mode (this is the default setting during deployment), see the Cisco Virtual Network Management Center 2.0 User Guide for additional information after completing the procedures in this guide.
Configure the ASA 1000V to use the ASDM management mode when you plan to do the following tasks with the ASA 1000V:
•Manage one device at a time using the familiar ASA configuration.
•Configure policies through the ASA 1000V CLI.
If you selected the ASDM as the management mode for the ASA 1000V, use the Cisco ASA 1000V ASDM Configuration Guide or the Cisco ASA 1000V CLI Configuration Guide for the procedures to configure security policies. Selecting the ASDM mode also allows access to the ASA 1000V CLI.
Sequence for Configuring the ASA 1000V Using Cisco VNMC
Figure 2-1 describes the configuration steps for the ASA 1000V when using the VNMC management mode.
Figure 2-1 Configuring the ASA 1000V by Using Cisco VNMC
For information about completing task 1, see the "Deploying the ASA 1000V Using the VMware vSphere Client" section and "Registering the ASA 1000V with the Cisco VNMC" section.
For information about completing tasks 2 through 3 in the Cisco VNMC, see the Cisco Virtual Network Management Center 2.0 Quick Start Guide or the Cisco Virtual Network Management Center 2.0 GUI Configuration Guide.
For information about completing tasks 4 through 5 in the Cisco VNMC, see the Cisco Virtual Network Management Center 2.0 GUI Configuration Guide.
For information about tasks 6 through 9, see the "Adding the ASA 1000V as an Edge Firewall in the Cisco VNMC" section.
For information about task 10, see the "Configuring Security Profiles in VSM" section.
Sequence for Configuring the ASA 1000V Through ASDM
Figure 2-2 describes the configuration steps for the ASA 1000V when using the ASDM management mode.
Figure 2-2 Configuring the ASA 1000V by Using ASDM
For information about task 1, see the"Deploying the ASA 1000V Using the VMware vSphere Client" section. and "Registering the ASA 1000V Using ASDM" section.
For information about adding a user account in VNMC in task 2, see the following guide:
Cisco VNMC GUI Configuration Guide
Note You can use the administrator account that you created while installing VNMC.
For information about task 3, see the "Registering the ASA 1000V Using ASDM" section.
For information about task 4, see the "Creating and Configuring Edge Security Profiles in ASDM" section.
For information about task 5, see the "Configuring Security Profiles in VSM" section.
Downloading the ASA 1000V OVA File
You deploy the ASA 1000V by downloading and installing the open virtualization format archive (OVA) file provided by Cisco. The OVA file provides for the optimal VM resources (vCPU, memory and MHz) for the ASA 1000V. The OVA file contains the ASA 1000V image for installation.
Step 1 Go to the following URL:
The Download > Select a Product page appears.
Step 2 Click Cisco ASA 1000V Cloud Firewall. The Download Software page appears for the ASA 1000V.
Step 3 Click Download.
Step 4 If prompted, log into your Cisco.com account with your CCO username and password.
Step 5 Follow the prompts to download the OVA file for the ASA 1000V to your local drive.
Deploying the ASA 1000V Using the VMware vSphere Client
To deploy the ASA 1000V, use the VMware vSphere Client and a template file in the open virtualization format (OVF). You use the Deploy OVF Template wizard in the vSphere Client to deploy the Cisco package for the ASA 1000V. Running wizard parses the ASA 1000V OVF file, creates the virtual machine on which you will run the ASA 1000V, and installs the package.
Most of the wizard steps are standard for VMware, with the exception of the configuration settings that are applied to the ASA 1000V before it boots up.
Note During OVF template file deployment, 2 GB of storage is allotted to maintain system, configuration, and image files on the ASA 1000V. These files appear in disk0: on the ASA 1000V.
For additional information about the Deploy OVF Template, see the VMware vSphere Client help.
Note When you deploy the ASA 1000V using ASDM Management mode, all clients from the locally connected subnet of the management interface are allowed by default.
Collect the following information for the deployment. The ASA 1000V deployment requires that you enter this information at specific deployment steps.
•The username and password login for the Cisco VNMC (required when configuring ASA 1000V in ASDM mode)
•The shared secret configured on Cisco VNMC for the ASA 1000V deployment
•The ASA 1000V management IP, management subnet mask, and management gateway IP address
•The Management Gateway IP address when Cisco VNMC is not directly connected to the management network of the ASA 1000V
When Cisco VNMC is directly connected to the network, skip this entry.
Step 1 Launch the VMware vSphere Client and choose File > Deploy OVF Template.
The Deploy OVF Template wizard appears.
Step 2 In the Deploy from a file or URL field, browse to the ASA 1000V OVF package that you downloaded, then click Next.
Step 3 In the OVF Template Details page, review the information for the ASA 1000V package, then click Next.
Step 4 Review and accept the End User License Agreement, then click Next.
Step 5 In the Name field, enter a name for the ASA 1000V virtual machine (VM) instance, choose the inventory location for the VM, then click Next.
Step 6 Choose one of the following deployment configurations for the ASA 1000V, then click Next:
•Deploy ASA as Standalone—Failover is not configured for the ASA 1000V.
•Deploy ASA as Primary—The ASA 1000V is configured as the primary unit for failover.
•Deploy ASA as Secondary—The ASA 1000V is configured as the secondary unit for failover.
Choosing the type of deployment configures the ASA 1000V as a standalone deployment or for failover as part of a failover pair.
Step 7 Choose the host or cluster on which you want to run the ASA 1000V, then click Next.
Step 8 Choose the datastore on the host or cluster on which you want to maintain the ASA 1000V files, then click Next. Each hard disk on the physical device shows up as a datastore.
Step 9 Choose the disk storage format, then click Next.
Step 10 Choose the port profiles that you want to use for the ASA 1000V interfaces by mapping the networks used in the OVF template to networks in your inventory. You created these port profiles when installing the Nexus 1000V.
Note If you did not create the port profiles, pause the ASA 1000V deployment, return to the VSM console, create the required port profiles for the four ASA 1000V interfaces: inside, outside, management, and high availability (failover). For detailed information, see the "Predeployment Task Flow" section in Step 5. After the port profiles have been created, return to the ASA 1000V deployment. Then click Next.
Note After deploying the ASA 1000V, network adapters are created in the following order:
Network Adapter1—Management 0/0
Network Adapter2—GigabitEthernet 0/0 (used as the inside interface)
Network Adapter3—GigabitEthernet 0/1 (used as the outside interface)
Network Adapter4—GigabitEthernet 0/2 (used as the failover interface)
The port profiles are obtained through the VMware vCenter Server connection to the Cisco Nexus 1000V Virtual Supervisor Module (VSM).
Step 11 Set the following configuration properties that are applied to the ASA 1000V before it boots up, then click Next:
•Management Interface DHCP mode
•Management IP Address
•Management IP Subnet Mask
•Management IP Standby Address
Note When configuring these management address properties, choose whether to configure Interface DHCP mode, or IP Address, IP Subnet Mask, or IP Standby Address.
•Choose the device manager.
Note The management mode cannot be changed later without deleting the entire configuration and rerunning the Deploy OVA Template wizard. When deploying the ASA 1000V in failover configuration, both the primary and secondary units must be configured using the same management mode.
•Cisco VNMC IP Address
Note If you are configuring the ASA 1000V for a failover deployment, you must also configure failover specific information, such as the failover IP address, standby IP address, and the subnet mask information. For a standalone deployment, leave these parameters blank.
Step 12 Review the summary of the ASA 1000V configuration, then click Finish.
The ASA 1000V VM instance appears under the specified data center.
After deploying the ASA 1000V using an OVF file, you can still run the ASA 1000V setup command at the CLI to complete configuration options you might have skipped in this procedure. See the Command Reference for more information.
Completing this procedure does not result in a functionally deployed ASA 1000V until you configure the device enable password, the Cisco VNMC shared secret, and the Cisco VNMC user account (for ASDM mode only).
Powering On the ASA 1000V
Step 1 From the VMware vSphere Client, right-click the ASA 1000V instance that you have deployed in the Hosts and Clusters view.
Step 2 Choose Power > Power On.
Step 3 Navigate to the ASA 1000V Console tab in the right pane.
The ASA 1000V bootstraps platform information from the OVF file when first powered on. The ASA 1000V reboots automatically after this bootstrap and initializes for use. The initial boot reads parameters provided through the OVF file and adds them to the ASA 1000V system configuration. The OVF parameters are not read afterwards. Subsequent reboots will behave normally.
Setting Up ASDM to Be Used by the ASA 1000V
You can set up ASDM to be used by the ASA 1000V when it is configured for either VNMC management mode or ASDM management mode. When the ASA 1000V is configured to use VNMC management mode, you can still use ASDM to monitor the status of the ASA 1000V, but you cannot use it to manage configurations.
Step 1 Launch the ASA 1000V console from the VMware vSphere Client.
Step 2 Add a route on the management interface to the ASDM client subnet by issuing the following command:
ASA1000V(config)# route interface ip subnet next hop ip
Where interface is the management interface to the ASDM client subnet, ip is the IP address and subnet of the host that accesses ASDM, subnet is the ASDM client subnet, and next hop ip is the IP address of the gateway.
Note Perform this step only if the next hop gateway IP address was not specified when deploying the ASA 1000V.
Step 3 Allow HTTP access via the management interface for the ASDM client subnet by entering the following command:
ASA1000V(config)# http ip subnet interface
Where ip is the IP address of the host that accesses ASDM, subnet provides the subnet mask of a host that can access the HTTP server. and interface is the ASDM client interface.
Note Perform this step only if the ASDM client IP address was not specified when deploying the ASA 1000V.
Configuring SSH Access for the ASA 1000V
Configure SSH access with LOCAL authentication so that you can access the ASA 1000V.
Step 1 Launch the ASA 1000V console from the VMware vSphere Client.
Step 2 Create a user name by entering the following command:
username name password password privilege priv_level
For example, enter the following command:
admin password 12345678 privilege 15
Step 3 Enable LOCAL SSH authentication by entering the aaa authentication console command:
aaa authentication ssh console LOCAL
Step 4 Enable SSH by entering the following command:
ssh ip_address mask management
For example, enter the following command:
ssh 220.127.116.11 255.255.255.255 management
Note When you deploy the ASA 1000V, the deployment process automatically generates RSA key pairs for identity certificates; however, you can remove the default key pairs by using the crypto key zeroize rsa command and generate new key pairs by using crypto key generate rsa command.
Other Configurations that Might Be Required
Depending on your environment, you might be required to perform these additional configuration tasks:
•Configure routes through the management interface by using the route command. Routes through the inside and outside interfaces are configured by using Cisco VNMC. You must name the management0/0 interface
management (case sensitive).
•Enable failover for the ASA 1000V. See the Cisco ASA 1000V CLI Configuration Guide for information.
What to Do Next
If you deployed the ASA 1000V to use the VNMC management mode, see the Chapter 3 "Setting Up the ASA 1000V Using VNMC Mode."
If you deployed the ASA 1000V to use the ASDM management mode, see Chapter 4 "Configuring the ASA 1000V Using ASDM."
For information about troubleshooting your ASA 1000V deployment, see the Cisco ASA 1000V Troubleshooting Guide at ASA 1000V Documentation.