Table Of Contents

Introduction to the Cisco ASA 1000V

New Features in ASA 1000V Version 8.7(1)

Supported and Unsupported Features of the Cisco ASA 1000V

VMware Feature Support for the ASA 1000V

Task Flow for Configuring the ASA 1000V

Cloning the ASA 1000V

Requirements for Cloning

Preparing the Master ASA 1000V

Cloning the Master

Licensing Enforcement for the ASA 1000V

Configuration Examples for the ASA 1000V

Monitoring the ASA 1000V

Firewall Functional Overview

Security Policy Overview

Permitting or Denying Traffic with Access Lists (Rules)

Applying NAT

Protection from IP Fragments

Applying Application Inspection

Applying Connection Limits and TCP Normalization

Failover Overview

Firewall Mode Overview

Stateful Inspection Overview

IPsec Site-to-Site VPN Functional Overview

Additional References

Introduction to the Cisco ASA 1000V

---

The ASA 1000V is an edge firewall virtual appliance that runs on VMware vSphere Hypervisor software and the Cisco Nexus 1000V switch exclusively. It allows Virtual Machines (VMs) in a virtual data center to access the Internet securely (including inter-tenant communications), functions as the default gateway for the VMs, and protects against network-based attacks.

---

Note This guide describes how to configure the ASA 1000V using ASDM mode (in this mode, you can use the ASA CLI); if you are using VNMC mode, see the VNMC documentation.

---

This chapter includes the following sections:

•New Features in ASA 1000V Version 8.7(1)

•Supported and Unsupported Features of the Cisco ASA 1000V

•VMware Feature Support for the ASA 1000V

•Task Flow for Configuring the ASA 1000V

•Cloning the ASA 1000V

•Licensing Enforcement for the ASA 1000V

•Configuration Examples for the ASA 1000V

•Monitoring the ASA 1000V

•Firewall Functional Overview

•IPsec Site-to-Site VPN Functional Overview

•Additional References

New Features in ASA 1000V Version 8.7(1)

Table 1-1 lists the new features for ASA 1000V Version 8.7(1).

Table 1-1 New Features for ASA 1000V Version 8.7(1) 

Feature	Description
Platform Features
Support for the ASA 1000V	We introduced support for the ASA 1000V with the Cisco Nexus 1000V switch.
Cloning the ASA 1000V	You can add one or multiple instances of the ASA 1000V to your deployment using the method of cloning VMs.
Management Features
ASDM mode	You can configure, manage, and monitor the ASA 1000V using the Adaptive Security Device Manager (ASDM), which is the single GUI-based device manager for the ASA 1000V.
VNMC mode	You can configure and manage the ASA 1000V using the Cisco Virtual Network Management Center (VNMC), which is a GUI-based multi-device manager for multiple tenants.
XML APIs	You can configure and manage the ASA 1000V using XML APIs, which are application programmatic interfaces provided through the Cisco VNMC. This feature is only available in VNMC mode.
Firewall Features
Cisco VNMC access and configuration	Cisco VNMC access and configuration are required to create security profiles. You can configure access to the Cisco VNMC through the Configuration > Device Setup > Interfaces pane. Enter the login username and password, hostname, and shared secret to access the Cisco VNMC. Then you can configure security profiles and security profile interfaces. In VNMC mode, use the CLI to configure security profiles.
Security profiles and security profile interfaces	Security profiles are interfaces that correspond to an edge security profile that has been configured in Cisco VNMC and assigned in the Cisco Nexus 1000V VSM. Policies for through-traffic are assigned to these interfaces and the outside interface. You can add security profiles through the Configuration > Device Setup > Interfaces pane. You create the security profile by adding its name and selecting the service interface. ASDM then generates the security profile through the Cisco VNMC, assigns the security profile ID, and automatically generates a unique interface name. The interface name is used in the security policy configuration. We introduced or modified the following commands: interface security-profile, security-profile, mtu, vpath path-mtu, clear interface security-profile, clear configure interface security-profile, show interface security-profile, show running-config interface security-profile, show interface ip brief, show running-config mtu, show vsn ip binding, show vsn security-profile.
Service interface	The service interface is the Ethernet interface associated with security profile interfaces. You can only configure one service interface, which must be the inside interface. We introduced the following command: service-interface security-profile all.
VNMC policy agent	The VNMC policy agent enables policy configuration through both the ASDM and VNMC modes. It includes a web server that receives XML-based requests from Cisco VNMC over HTTPS and converts it to the ASA 1000V configuration. We introduced the following commands: vnmc policy-agent, login, shared-secret, registration host, vnmc org, show vnmc policy-agent, show running-config vnmc policy-agent, clear configure vnmc policy-agent.

Supported and Unsupported Features of the Cisco ASA 1000V

The ASA 1000V supports a subset of features of the ASA. Table 1-2 lists the major supported features on the ASA 1000V.

Table 1-2 Major Supported Features on the ASA 1000V 

Feature	Description
AAA for management access	See Chapter 17 "Configuring Management Access."
Access rules	See Chapter 16 "Configuring Access Rules."
DHCP server, DHCP client, and DHCP relay	See Chapter 6 "Configuring DHCP."
DNS server for name resolution	See Chapter 5 "Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings."
Failover	Active/Standby only. See Chapter 3 "Configuring Active/Standby Failover."
Inspection engines	Except for GTP and IM inspection maps (deep packet inspection). See Chapter 19 "Getting Started with Application Layer Protocol Inspection," Chapter 20 "Configuring Inspection of Basic Internet Protocols," Chapter 21 "Configuring Inspection for Voice and Video Protocols," and Chapter 23 "Configuring Inspection for Management Application Protocols."
IP audit	See Chapter 25 "Using Protection Tools."
IPsec site-to-site VPN	Static tunnels only. See Chapter 28 "Configuring LAN-to-LAN IPsec VPNs."
NAT	See Chapter 11 "Information About NAT," Chapter 12 "Configuring Network Object NAT," and Chapter 13 "Configuring Twice NAT."
NTP and time zones	See Chapter 5 "Configuring the Hostname, Domain Name, Passwords, and Other Basic Settings."
SNMP MIBs and traps	See Chapter 30 "Configuring SNMP."
SSH and Telnet	See Chapter 17 "Configuring Management Access."
Syslog messages (TCP and UDP)	See the syslog messages guide and Chapter 29 "Configuring Logging."
TCP intercept	See Chapter 24 "Configuring Connection Settings."

Table 1-3 lists the unsupported features on the ASA 1000V.

---

Note The commands associated with an unsupported feature are not supported at the CLI.

---

Table 1-3 Unsupported Features on the ASA 1000V 

Feature	Description
AAA for network access	Not supported.
Active/Active failover and subsecond failover	Not supported.
Authentication using certificates	Not supported.
Botnet traffic filter	Not supported.
Dynamic DNS	Not supported.
Dynamic routing	Not supported.
GTP/GTPRS (Mobile Service Providers)	Not supported.
HTTP inspection maps for deep-packet inspection	Not supported.
Identity firewall	Not supported.
Inbound PAT	Not supported.
IPS and CSC modules	Not supported.
IPv6	Not supported.
Multiple contexts	Not supported.
NetFlow	Not supported.
PPPoE/VPDN	Not supported.
QoS	Not supported.
Redundant interfaces, EtherChannel interfaces, and subinterfaces	Not supported.
Shun	Not supported.
Threat detection	Not supported.
Transparent mode	Not supported.
Unified communications	Not supported. (Includes TLS Proxy, Phone Proxy, Proxy Limit, and IME.)
URL filtering	Not supported.
VPN remote access	Not supported. (Includes Remote Access, Clientless (SSL) Access, Multi-site (SSL) Access, Easy VPN on the ASA 5505, VPN Phones, AnyConnect Essentials, and AnyConnect Mobile.)
WCCP	Not supported.

For more information about the ASA 1000V, see the following URL:

http://www.cisco.com/en/US/products/ps12233/index.html

VMware Feature Support for the ASA 1000V

Table 1-4 lists the VMware feature support for the ASA 1000V.

Table 1-4 VMware Feature Support for the ASA 1000V 

Feature	Description	Support (Yes/No)	Comment
Cold clone	The VM is powered off before cloning.	Yes	—
DRS	Used for dynamic resource scheduling and distributed power management.	Yes	—
Hot clone	The VM is running during cloning.	No	—
Snapshot	Freezes the VM for a few seconds. You may loose traffic. Failover may occur.	See comment.	Use with care.
VM migration	Used for VM migration.	Yes	—
vMotion	Used for live migration of VMs.	Yes	—
VMware FT	Used for HA for VMs.	No	Use ASA 1000V failover for ASA 1000V VM failures.
VMware HA	Used for ESX and server failures.	Yes	Use ASA 1000V failover for ASA 1000V VM failures.
VMware HA with VM heartbeats	Used for VM failures.	No	Use ASA 1000V failover for ASA 1000V VM failures.

Task Flow for Configuring the ASA 1000V

Table 1-5 lists the major tasks for configuring the ASA 1000V. This guide also includes other optional features not listed in this table.

Table 1-5 Task Flow for Configuring the ASA 1000V 

Task	Reference
1. Configuring the VSN.	See the Cisco Nexus 1000V Interface Configuration Guide.
2. Deploying the ASA 1000V.	See the Cisco ASA 1000V Getting Started Guide.
3. Connecting to the ASA 1000V user interface.	See Chapter 2 "Getting Started."
4. Configuring Active/Standby failover.	See Chapter 3 "Configuring Active/Standby Failover."
5. Configuring interfaces.	See Chapter 4 "Configuring Interfaces."
6. Configuring routing.	See Chapter 7 "Configuring Static and Default Routes."
7. Configuring service policies.	See Chapter 14 "Configuring a Service Policy Using the Modular Policy Framework."
8. Configuring access rules.	See Chapter 16 "Configuring Access Rules."

Cloning the ASA 1000V

You can deploy multiple instances of the ASA 1000V. You can add one or multiple instances of the ASA 1000V to your deployment by using either of the following methods:

•Factory-shipped OVA template: This method enables you to clone multiple instances of the ASA 1000V with different sets of OVF deployment parameters. The ASA 1000Vs have blank configurations, and you obtain the required configuration settings for each instance from the OVF deployment parameters.

•Configured OVA template: This method enables you to clone a previously configured OVA template. The ASA 1000Vs already have configurations, and you simply reapply the current OVF parameters. The result is that you can clone multiple instances of ready-to-use ASA 1000V instances with the required configurations.

•VMware vSphere API: This method enables you to use application programmatic interfaces to clone an existing ASA 1000V and change the current configuration parameters for each new ASA 1000V instance.

Requirements for Cloning

This section includes the following topics:

•Preparing the Master ASA 1000V

•Cloning the Master

Preparing the Master ASA 1000V

To prepare the master ASA 1000V, perform the following steps:

1. Deploy the ASA 1000V, set up management routes, SSH access, the username and passwords, and ASDM access.

2. Register with the VNMC using the steps listed in the Cisco ASA 1000V Getting Stated Guide.

3. Save the running configuration to the startup configurtion using the write memory command.

4. It is critical that that you power off the ASA 1000V.

---

Note If you clone a powered-on ASA 1000V, there is a slight chance that the original ASA 1000V may crash right after the cloning is completed.

---

Cloning the Master

To clone the master ASA 1000V, perform the following steps:

1. Export the master ASA 1000V to an OVA template using the vSphere Client GUI or any other equivalent method. For example, you can use ovftool from VMware as follows:

ovftool vi://sample-vc50.example.com/performance-testbed/vm/ASA_1000V asa_master.ova 

---

Note Using VSphere 4.x to create an OVA template removes the vApp properties set in the master. This means that when the clone is deployed in Step 2, all vApp properties need to be specified.

---

2. Create a cloned ASA 1000V instance using the VSphere Client GUI or any other equivalent method. For example, you can use ovftool from VMware as follows:

ovftool --acceptAllEulas --datastore="datastore1 (1)" "--net:VM Network=525-net-vm" 
"--net:425-net-vm=60-net" "--net:60-net=425-net-vm" --prop:ManagementIPv4=2.2.2.5 
--prop:ManagementIPv4Gateway=2.2.2.2 --prop:ManagementIPv4Subnet=255.255.0.0 --name="ASA 
Clone 2 "  asa_master.ova 
vi://sample-vc50.example.com/performance-testbed/host/sample-esxhost.example.com/

It is important to change the Management interface IP address in the clone so that it becomes a separate instance. Otherwise, an IP address conflict will occur. All other vApp properties could be changed if different parameters need to be set. Note that if the OVA template is created using VSphere 4.x, then all vApp properties need to be specified in the clone, because these properties are not stored in the template.

---

Note The ovftool does not export default values if you are using an ESXi 4.1 deployment; however, an ESXi 5.0 deployment does support the export of default values.

---

The following is an example using ovftool from VMware to set all of the properties:

ovftool --acceptAllEulas --datastore="datastore1 (1)" "--net:VM Network=525-net-vm" 
"--net:425-net-vm=60-net" "--net:60-net=425-net-vm" --prop:ManagementIPv4=2.2.2.5 
--prop:ManagementIPv4Gateway=2.2.2.2 --prop:ManagementIPv4Subnet=255.255.0.0 
--prop:ASDMIPv4=0.0.0.0 --prop:HAActiveIPv4=0.0.0.0 --prop:HASubnetIPv4=0.0.0.0 
--prop:HAStandbyIPv4=0.0.0.0 --prop:ManagementStandbyIPv4=0.0.0.0 --prop:VNMCIPv4=0.0.0.0 
--name="ASA Clone 2 "  asa_master.ova 
vi://sample-vc50.example.com/performance-testbed/host/sample-esxhost.example.com/. 

Fields marked with 0.0.0.0 values should be set appropriately if used; otherwise, they can be set as 0.0.0.0.

3. Power on the clone.

---

Note Cloned ASA 1000Vs regenerate default RSA keypairs with the same settings and delete all other keys.

---

Licensing Enforcement for the ASA 1000V

The Nexus 1000V Virtual Service Module (VSM) requires a license that controls the number of CPU sockets on each Virtual Ethernet Module (VEM) used for the ASA 1000V. If the VSM does not have enough licenses, and you deploy an ASA 1000V without license support, then traffic is not allowed to pass through the ASA 1000V. This means the following:

•For traffic passing from inside to outside, traffic never reaches the ASA 1000V. See syslog 4450002 for more information.

•For traffic passing from outside to inside, the ASA 1000V allows the initial packet to pass through, but the vPath module on the Nexus 1000V rejects the packet, and the ASA 1000V deletes the flow. See syslog 4450002 for more information.

Configuration Examples for the ASA 1000V

Specific feature configuration examples are provided in the Cisco ASA 1000V Getting Started Guide.

Monitoring the ASA 1000V

You can monitor the ASA 1000V in both ASDM mode and VNMC mode (by acessing the monitoring panes in ASDM in the read-only view), as well as through SSH, Telnet, or the console. The ASA 1000V commands that we have introduced or modified for this platform are included in the feature history table at the end of the chapter for each individual feature in this guide.

Firewall Functional Overview

Firewalls protect inside networks from unauthorized access by users on an outside network. Firewalls enable you to control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out.

When describing networks connected to a firewall, the outside network is in front of the firewall, and the inside network is protected and behind the firewall. The ASA 1000V allows two data interfaces: one inside and one outside, plus a management interface and one interface for failover. The ASA 1000V allows the creation of multiple security profile interfaces to provide different security policies for the virtual machines (VMs) on the inside interface when they access the outside. (Traffic between VMs is controlled through the use of the Cisco VSG).

The maximum number of concurrent firewall connections allowed on the ASA 1000V is 200,000.

This section includes the following topics:

•Security Policy Overview

•Failover Overview

•Firewall Mode Overview

•Stateful Inspection Overview

Security Policy Overview

A security policy determines which traffic is allowed to pass through the firewall to access another network. By default, the ASA 1000V allows traffic to flow freely from a security profile interface on an inside network (higher security level) to an outside network (lower security level). You can apply actions to traffic to customize the security policy.

This section includes the following topics:

•Permitting or Denying Traffic with Access Lists (Rules)

•Applying NAT

•Protection from IP Fragments

•Applying Application Inspection

•Applying Connection Limits and TCP Normalization

Permitting or Denying Traffic with Access Lists (Rules)

You can apply an access rule to limit traffic from the inside security profile to the outside or to allow traffic from the outside to the inside security profile.

Applying NAT

Some of the benefits of NAT include the following:

•You can use private addresses on your inside networks. Private addresses are not routable on the Internet.

•NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.

•NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protection from IP Fragments

The ASA 1000V provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA 1000V. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Applying Application Inspection

Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports.

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The ASA 1000V uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack that is perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between the source and the destination.

TCP normalization is a feature that consists of advanced TCP connection settings designed to drop packets that do not appear normal.

Failover Overview

Configuring high availability requires two identical ASA 1000Vs connected to each other through a dedicated Stateful Failover link. The two ASA 1000Vs in a failover pair constantly communicate over a failover link to determine the operating status of each one. The health of the active interfaces is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.

You can use the GigabitEthernet 0/2 interface on the ASA 1000V as the failover link. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link).

The ASA 1000V only supports Active/Standby failover, in which one ASA 1000V passes traffic while the other ASA 1000V waits in a standby state.

Firewall Mode Overview

The ASA 1000V runs only in routed firewall mode and is considered to be a router hop in the network.

Stateful Inspection Overview

All traffic that goes through the ASA 1000V is inspected using the Adaptive Security Algorithm and either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet with the filter, which can be a slow process.

---

Note The TCP state bypass feature allows you to customize the packet flow. See the "TCP State Bypass" section.

---

A stateful firewall like the ASA 1000V, however, takes into consideration the state of a packet:

•Is this a new connection?

If it is a new connection, the ASA 1000V has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path.

The session management path is responsible for the following tasks:

–Performing the access list checks

–Performing route lookups

–Allocating NAT translations (xlates)

–Establishing sessions in the fast path

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

•Is this an established connection?

If the connection is already established, the ASA 1000V does not need to recheck packets; most matching packets can go through the fast path in both directions. The fast path is responsible for the following tasks:

–Verifying the IP checksum

–Performing session lookups

–Checking TCP sequence numbers

–Allocating NAT translations based on existing sessions

–Adjusting Layer 3 and Layer 4 headers

For UDP or other connectionless protocols, the ASA 1000V creates connection state information so that it can also use the fast path.

Data packets for protocols that require Layer 7 inspection can also go through the fast path.

Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

IPsec Site-to-Site VPN Functional Overview

A site-to-site (LAN-to-LAN) VPN connects networks in different geographic locations. The ASA 1000V supports IPsec site-to-site connections (called tunnels) to Cisco or third-party peers when the two peers have IPv4 inside and outside interfaces. IPsec tunnel mode is useful for protecting traffic between different networks when traffic must pass through an intermediate, untrusted network.

The supported protocols for IPsec site-to-site tunnels are IKEv1 and IKEv2 using a preshared key only. A preshared key or shared secret is the string of text that a VPN expects to receive before any other credentials (such as a username and password). Split tunnels are also supported and allow the network administrator to determine which traffic the client passes through the VPN tunnel and which traffic goes straight to the Internet (non-tunneled).

The supported tunnel modes are Encapsulating Security Payload (ESP) alone, and ESP and Authentication Header (AH) combined. AH tunnel mode encapsulates an IP packet with an AH and IP header and signs the entire packet for integrity and authentication. ESP tunnel mode encapsulates an IP packet with both an ESP and IP header and an ESP authentication trailer. ESP and AH can be combined when tunneling, which provides both security for the tunneled IP packet and integrity and authentication for the entire packet.

In addition, NAT traversal is supported and is used by IPsec site-to-site VPN clients to allow ESP packets to traverse NAT.

Additional References

For more information about the individual components that comprise the ASA 1000V, see the following documentation:

•ASA 1000V
http://www.cisco.com/en/US/products/ps12233/tsd_products_support_series_home.html

•ASDM
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

•Cisco Nexus 1000V
http://www.cisco.com/en/US/products/ps9902/tsd_products_support_series_home.html

•Cisco VNMC and Cisco VSG
http://www.cisco.com/en/US/products/ps11213/tsd_products_support_series_home.html

•VMware
http://www.vmware.com/support/pubs/