Cisco ASAv in Azure

In this article we will be setting up a Cisco ASAv appliance in Azure.

I’m going to assume you already have an Azure subscription and know your way (mostly) around. We don’t need anything specific set up already, as we’ll do everything needed to get the appliance deployed and able to log in. Then we’ll go through some basic setup, routing some Azure traffic through the appliance.

If you’re looking for further information on the Azure side, and in particular on using networking appliances, then you’ll probably want to search for network virtual appliances (sometimes labelled NVA).

Initial VM Deployment

To begin with login to portal.azure.com and in the top search box enter ‘marketplace’. In the marketplace search for ‘Cisco’ and you’ll see a bunch of Cisco appliances/services on offer. The one we are interested in is the Secure Firewall ASA virtual (as shown below).

Click Create, and on the screen that appears explaining more about this (and the cost) click Create.

It’s worth pointing out here that this is purely for testing and proof of concept; this configuration is not for production use, and we aren’t going to set up any HA or use availability zones.

Under Resource Group, click create new and enter a name, I’ll use ‘RG-CiscoASAv’.

Region: choose as required (UK South for me)
VM Name: choose as required (CiscoASAv)
Licensing: you can select PAYG to pay for the license as you go; I’ve selected BYOL but will be using the free evaluation license (this limits the bandwidth to 100Kbps, but that’s fine for testing)
Software Version: I’ve left this at the newest (9.20.2.2 at time of writing)
Availability option: None
Username: enter and remember
Authentication Type: Password (or use whichever you prefer)
Enter password as required (and remember it)

Click Next for Cisco ASAv settings

I’ve left these as they are; this will create all the required items under the new resource group created above, so that we can clean up (to stop being charged) when we are ready.

You can see it’ll create a new VNet using 10.0.0.0/16 – you can edit this if you need but that is fine for this demo.

It’ll create 4 subnets, all /24, the first being the ‘Management’ network, which will have the public IP address associated.

The Cisco docs say that the first interface is the only one that can have a public IP address and is for management. This interface is also effectively the outside interface. The other interfaces will be configured as Inside and then, if required, as DMZ or whatever other interfaces you need.

Once you are happy, click Next and then Create to begin the deployment. This usually takes about 5 minutes.

First Login to Cisco ASAv

Once the VM has completed deployment you should be able to find its Public IP address from the virtual machine summary page.

The first thing worth doing is going into the network security group and restricting the SSH port to your public IP address so that only you can SSH into the VM.

Also create a second entry for HTTPS (TCP/443) for access via the ASDM.

Click the networking tab (on the left)

Click the SSH rule and edit the source from ‘Any’ to IP Address, and enter your IP.

Click ‘Add inbound port rule’ and, as with SSH, set the source to IP Address and enter your public IP, then for destination select TCP and port 443, and give this a name, ‘Allow-HTTPS-Inbound’ for example.
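The same two NSG changes as an Azure CLI script, added here as an example (not from the original post). It narrows the template-created SSH rule to one admin address and adds the ASDM rule, refusing any source that is not a single host IP so neither rule can be left open to ‘Any’. The NSG name, the SSH rule name and the priority 310 are placeholders/assumptions; the resource group is the one from the post.

```shell
# Placeholders (not from the post): the NSG and SSH rule names the marketplace
# template created, and a free priority for the new HTTPS rule.
RESOURCE_GROUP="RG-CiscoASAv"                   # resource group from the post
NSG_NAME="${NSG_NAME:-PLACEHOLDER-NSG-NAME}"
SSH_RULE_NAME="${SSH_RULE_NAME:-PLACEHOLDER-SSH-RULE-NAME}"
HTTPS_RULE_PRIORITY="${HTTPS_RULE_PRIORITY:-310}" # assumed unused priority

# Accept only a single IPv4 host address (optionally written with /32).
# Rejects 'Any'/'*', 0.0.0.0/0, CIDR ranges and bad octets, so the SSH and
# ASDM rules can never be (re)opened to the whole internet by a typo.
is_single_host_ip() {
  ip="${1%/32}"
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  [ "$ip" != "0.0.0.0" ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# Narrow the template's SSH rule from source 'Any' to the admin address only.
lock_ssh_rule() {
  is_single_host_ip "$1" || { echo "refusing: '$1' is not a single host IP" >&2; return 1; }
  az network nsg rule update --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
    --name "$SSH_RULE_NAME" --source-address-prefixes "${1%/32}/32" \
    --destination-port-ranges 22 --protocol Tcp --access Allow --direction Inbound
}

# Add the matching inbound rule for ASDM (TCP/443), limited to the same address.
add_asdm_rule() {
  is_single_host_ip "$1" || { echo "refusing: '$1' is not a single host IP" >&2; return 1; }
  az network nsg rule create --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
    --name Allow-HTTPS-Inbound --priority "$HTTPS_RULE_PRIORITY" \
    --source-address-prefixes "${1%/32}/32" --destination-port-ranges 443 \
    --protocol Tcp --access Allow --direction Inbound
}

# Only talks to Azure when ADMIN_IP is set, e.g. ADMIN_IP=203.0.113.10 sh lock-nsg.sh
if [ -n "${ADMIN_IP:-}" ]; then
  lock_ssh_rule "$ADMIN_IP" && add_asdm_rule "$ADMIN_IP"
fi
```

Run it with a logged-in az CLI after exporting the three placeholder variables; the rule names and priorities already in the NSG can be listed with `az network nsg rule list`.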

SSH to the appliance; if you’re using Windows use PuTTY, on macOS you can just use the terminal.

Using macOS as I am, you’ll probably get an error:

This is OpenSSH refusing the SHA-1-based ssh-rsa host key algorithm, which recent releases disable by default. To get around this, add the switch -oHostKeyAlgorithms=+ssh-rsa to your SSH command:

ssh <username>@<IPAddress> -oHostKeyAlgorithms=+ssh-rsa
ssh [email protected] -oHostKeyAlgorithms=+ssh-rsa

Once logged in we need to enter enable mode: enter ‘en’, and you’ll be asked to create an enable password (and confirm it).

Now in privileged mode, we need to enter config mode: enter ‘configure terminal’ or ‘config t’ for short.

Now in config mode, enter the following commands to enable the ASDM.

aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management

The first command sets ASDM (HTTP) authentication to use the local user database (the account set up on creation within Azure).

The second command enables the ASDM (HTTP) server, and the last command allows ASDM connections from all sources (restricted within the Azure NSG above) on the management interface.

Type ‘write mem’ to ensure the above is saved. You can now exit config mode by typing ‘exit’.

ASDM Console

If you now enter the IP address into your web browser (https://<ip address>) you should get the ASDM web interface (where you can download the ASDM installer, a Java-based application).

Note: you will need to accept the certificate warnings.

Click Install ASDM and it’ll ask for your username and password (set up in Azure when we deployed the VM).

Launch the ASDM and you should get the following:

Enter your username/password again and click Ok to load.

You may notice that the other interfaces are not showing; this is because by default they are shut down. We need to enable them and give them DHCP addresses. This may seem strange, but in Azure IP addresses are handled by the platform; if you want to make sure these are static, it’s done in the portal.

Click ‘Configuration’ at the top > expand ‘Interface Settings’ > Interfaces.

Click on Interface GigabitEthernet0/0 and click Edit.

Enter ‘inside’ as the Interface name
Security level: 100 (the highest level used for trusted inside)
Check Enable Interface
Select Obtain Address via DHCP
Click OK to save changes

Click Apply at the bottom for the changes to take effect.

Conclusion

This is the basic setup of the Cisco ASAv appliance in Azure. It uses the first interface as management and outside, and enables the second interface as ‘inside’. The default route tables in Azure only point the other subnets back to the ASA; if you want to make the ASA your main egress for traffic, you will need to add a default route via the ASA appliance to the route tables. Then you’ll need to add access rules and NAT rules on the ASA appliance.

I’ll setup these extra settings in a separate post.
