Friday, May 26, 2017

Cisco ASAv Vagrant box for VMware Fusion

My previous post detailed the steps for creating a Cisco IOSv Vagrant box for VMware Fusion. This post will follow a similar method for the Cisco Adaptive Security Virtual Appliance (ASAv).

Ingredients used in this guide:
  • OS X 10.11 (El Capitan)
  • VMware Fusion 8.1.1 Professional
  • Vagrant 1.8.4
  • VMware provider for Vagrant
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Java SE Runtime Environment (for Cisco ASDM)

01. Sign in to your Cisco account to download the ASAv package.
Note: A valid service contract is required for the download.
  • Sign in here.
  • Select the Download Software link.
  • Select the Adaptive Security Appliance (ASA) Software link.
  • Select the version from the menu on the left. For my example, I will be using the 9.6.1 version.
  • Click the Download button for Cisco Adaptive Security Virtual Appliance VMWare Package for the Cisco ASAv Virtual Firewall.
  • Save the asav961.zip file to the Downloads folder.
  • Double-click the asav961.zip file to uncompress (expand) it.

02. Create the Cisco ASAv base.
  • Open the VMware Fusion application.
  • Click File -> Import... from the VMware Fusion menu bar.
  • Click the Choose File... button.
  • Navigate to and select the asav-esxi.ovf file in the asav961 folder.
  • Click the Open button.
  • Click the Continue button.
  • Save As: ASAv-961
  • Click the Save button.
  • Click the Accept button for the EULA.
  • Click the Customize Settings button to modify the virtual appliance settings.
  • Set Network Adapter to Share with my Mac.
  • Remove Network Adapter 2 through Network Adapter 10 (only the first adapter, which the ASAv maps to Management0/0, is needed for this box).
  • Uncheck Connect CD/DVD Drive for CD/DVD (IDE).
  • Upgrade the VM hardware version to 12 (Compatibility -> Upgrade).
  • Close the Settings window.
  • Close the VMware Fusion application.

03. Add a custom serial port (for management via console connection).
From a terminal, append a serial port device to the virtual appliance configuration file. The console is plain, unauthenticated Telnet, so keep it bound to 127.0.0.1 as shown.

$ printf 'serial0.present = "TRUE"\nserial0.yieldOnMsrRead = "TRUE"\nserial0.fileType = "network"\nserial0.fileName = "telnet://127.0.0.1:52099"\n' >> "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx"

Verify the component has been added.

$ tail -4 "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx"
serial0.present = "TRUE"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://127.0.0.1:52099"
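
The printf above does the job once; run it a second time and the .vmx ends up with duplicate serial0.* keys. The following script is an added example (not from the original post) that wraps the same four lines in a function which refuses to add a second serial port, validates the port number and always binds the listener to loopback. The script name add-serial.sh is hypothetical.

```shell
#!/bin/sh
# Append a network-backed serial console to a VMware .vmx file, once.
# Usage (hypothetical file name): sh add-serial.sh "/path/to/ASAv-961.vmx" 52099

# Append the serial0.* keys unless the file already defines a serial0 device.
# Returns 0 on success, 1 on bad arguments, 2 if serial0 is already present.
add_serial_port() {
    vmx="$1"
    port="$2"

    [ -f "$vmx" ] || { echo "not a file: $vmx" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac

    # Re-running the raw printf from the post would duplicate these keys.
    if grep -q '^serial0\.' "$vmx"; then
        echo "serial0 already defined in $vmx" >&2
        return 2
    fi

    # The telnet console has no authentication: bind to 127.0.0.1 only,
    # never to a routable address.
    printf 'serial0.present = "TRUE"\n' >> "$vmx"
    printf 'serial0.yieldOnMsrRead = "TRUE"\n' >> "$vmx"
    printf 'serial0.fileType = "network"\n' >> "$vmx"
    printf 'serial0.fileName = "telnet://127.0.0.1:%s"\n' "$port" >> "$vmx"
}

# Print the loopback console port configured in a .vmx, or nothing if absent.
serial_port_of() {
    sed -n 's/^serial0\.fileName = "telnet:\/\/127\.0\.0\.1:\([0-9]*\)"$/\1/p' "$1"
}

# Only act when invoked with a .vmx path and a port.
if [ "$#" -eq 2 ]; then
    add_serial_port "$1" "$2" && serial_port_of "$1"
fi
```

Quoting the path matters: "Virtual Machines.localized" contains a space, and the post's unquoted version would split it into two arguments.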

04. Start the virtual appliance.
From a terminal, start the virtual appliance with the vmrun command.

$ "/Applications/VMware Fusion.app/Contents/Library/vmrun" start "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx"

Note: An automatic reboot will be performed after initialization.

05. Configure a network serial port for the virtual appliance.
We need to instruct the ASAv to redirect the output from the VMware console (default) to the serial port. Enter the following commands in the VMware console:

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
ciscoasa(config)# reload save-config noconfirm

06. Initiate a console connection (via Telnet) to the ASAv virtual appliance.
Open a separate terminal window (or tab) and enter the following command:

$ telnet 127.0.0.1 52099

07. Establish a baseline configuration for the Vagrant box.
Create the vagrant user. The password and the public key below are Vagrant's well-known defaults (the matching private key is published with Vagrant), so treat this box as lab-only and never attach its management interface to a routable network.

ciscoasa> en
ciscoasa# conf t
ciscoasa(config)# username vagrant password vagrant privilege 15
ciscoasa(config)# username vagrant attributes
ciscoasa(config-username)# service-type admin
ciscoasa(config-username)# ssh authentication publickey AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
ciscoasa(config-username)# exit

Configure the management interface.

ciscoasa(config)# int m0/0
ciscoasa(config-if)# shut
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip addr dhcp
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit

Configure SSH. The 1024-bit RSA modulus generated below is adequate only for a throwaway lab; use modulus 2048 for anything else.

ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authorization exec LOCAL auto-enable
ciscoasa(config)# ssh version 2
ciscoasa(config)# ssh timeout 60
ciscoasa(config)# ssh key-exchange group dh-group14-sha1
ciscoasa(config)# ssh scopy enable
ciscoasa(config)# ssh 0 0 management
ciscoasa(config)# domain-name example.com
ciscoasa(config)# crypto key generate rsa usage-keys label SSHKEYS modulus 1024

Verify the Cisco Adaptive Security Device Manager (ASDM) software is available.

ciscoasa(config)# show file info boot:/asdm-76157.bin

boot:/asdm-76157.bin:
type is image (asdm)
file size is 25819140 bytes version 7.6(1)

Enable the http server required to run ASDM.

ciscoasa(config)# http server enable
ciscoasa(config)# http 0 0 management
ciscoasa(config)# end

Save the running configuration to local NVRAM.

ciscoasa# copy run start

08. Stop the virtual appliance and quit the VMware Fusion application.
Stop the virtual appliance from the original terminal window (or tab).

$ "/Applications/VMware Fusion.app/Contents/Library/vmrun" stop "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm/ASAv-961.vmx"

09. Create the Vagrant box.
Change the current directory to ASAv-961.

$ cd "$HOME/Documents/Virtual Machines.localized/ASAv-961.vmwarevm"

Remove all generated MAC addresses from the ASAv-961 configuration file.

$ sed -i '' '/generatedAddress/d' ASAv-961.vmx

Create the metadata.json file for the VMware provider.

$ printf '{"provider": "vmware_desktop"}' > metadata.json

List the directory contents to verify the essential files are present.

$ tree -h
.
├── [165M]  ASAv-961-disk1.vmdk
├── [ 12M]  ASAv-961-disk2.vmdk
├── [350K]  ASAv-961-file1.iso
├── [ 626]  ASAv-961.plist
├── [   0]  ASAv-961.vmsd
├── [2.8K]  ASAv-961.vmx
├── [ 263]  ASAv-961.vmxf
├── [  30]  metadata.json
├── [8.5K]  nvram
├── [ 866]  startMenu.plist
└── [392K]  vmware.log

0 directories, 11 files

Package the Vagrant box file with tar.

$ tar cvzf cisco-asav-961.box ./*
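
The three commands of this step are easy to get subtly wrong: OS X ships BSD sed, whose -i flag needs an (empty) extension argument; an unquoted printf loses the braces and quotes; and packaging a VM that is still powered on captures its lock files. The script below is an added example (not from the original post) that performs the same steps with those checks, using a temporary file instead of sed -i so it behaves the same with BSD and GNU sed. It also leaves vmware.log and any earlier .box out of the archive, which the listing above includes but the box does not need. The script name package-box.sh is hypothetical.

```shell
#!/bin/sh
# Turn a VMware Fusion VM directory into a Vagrant box for the vmware_desktop provider.
# Usage (hypothetical file name):
#   sh package-box.sh "/path/to/ASAv-961.vmwarevm" cisco-asav-961.box

# Drop generatedAddress/generatedAddressOffset lines so every clone of the box
# gets a fresh MAC address. A temp file avoids the BSD/GNU `sed -i` difference.
strip_generated_macs() {
    vmx="$1"
    tmp="$vmx.tmp.$$"
    sed '/generatedAddress/d' "$vmx" > "$tmp"
    mv "$tmp" "$vmx"
}

# Write the metadata.json the VMware provider expects (no trailing newline,
# matching the 30-byte file in the post's listing).
write_metadata() {
    printf '{"provider": "vmware_desktop"}' > "$1/metadata.json"
}

# Return 0 only if the directory is safe to package.
check_vm_dir() {
    dir="$1"
    vmx=$(ls "$dir"/*.vmx 2>/dev/null | head -n 1)
    [ -n "$vmx" ] || { echo "no .vmx in $dir" >&2; return 1; }
    # VMware keeps *.lck directories while a VM is powered on or suspended.
    if ls -d "$dir"/*.lck >/dev/null 2>&1; then
        echo "VM appears to be running (lock files present); stop it first" >&2
        return 1
    fi
    if grep -q 'generatedAddress' "$vmx"; then
        echo "generated MAC addresses still present in $vmx" >&2
        return 1
    fi
    [ -f "$dir/metadata.json" ] || { echo "metadata.json missing in $dir" >&2; return 1; }
}

# Strip MACs, write metadata, verify, then tar the directory into the box file.
package_box() {
    dir="$1"
    box="$2"
    vmx=$(ls "$dir"/*.vmx 2>/dev/null | head -n 1)
    [ -n "$vmx" ] || { echo "no .vmx in $dir" >&2; return 1; }
    strip_generated_macs "$vmx"
    write_metadata "$dir"
    check_vm_dir "$dir" || return 1
    # Logs and any previous box file are not part of a box.
    ( cd "$dir" && tar --exclude '*.log' --exclude '*.box' -czf "$box" ./* )
}

# Only act when invoked with a VM directory and an output box name.
if [ "$#" -eq 2 ]; then
    package_box "$1" "$2"
fi
```

A relative box name is created inside the VM directory, as in the post; pass an absolute path to put it elsewhere.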

10. Add the Vagrant box.
Add the Vagrant box to our local inventory.

$ vagrant box add --provider vmware_desktop --name cisco-asav-961 cisco-asav-961.box
==> box: Box file was not detected as metadata. Adding it directly...
==> box: Adding box cisco-asav-961 (v0) for provider: vmware_desktop
box: Unpacking necessary files from: file:///Users/marc/Documents/Virtual%20Machines.localized/ASAv-961.vmwarevm/cisco-asav-961.box
==> box: Successfully added box cisco-asav-961 (v0) for vmware_desktop!

Verify the box is now listed.

$ vagrant box list
cisco-asav-961 (vmware_desktop, 0)
cisco-iosv-l2-152 (vmware_desktop, 0)
cisco-iosv-l3-156-2 (vmware_desktop, 0)
cisco-xrv-6 (vmware_desktop, 0)
juniper-vmx-141R48 (vmware_desktop, 0)
vmware-centos7 (vmware_desktop, 0)
vmware-ubuntu1404 (vmware_desktop, 0)

11. Test it.
Create a directory for a test project and change to it.

$ mkdir $HOME/Documents/test-asav && cd $_

Create the Vagrantfile with a text editor ...

$ vim Vagrantfile

that contains the following:

# -*- mode: ruby -*-
# vi: set ft=ruby :

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.ssh.insert_key = false
  config.vm.box = "cisco-asav-961"

  # Shorten timeout value for lack of "standard" Cisco ASA shell
  config.vm.boot_timeout = 90

  # Disable default host <-> guest synced folder
  config.vm.synced_folder ".", "/vagrant", disabled: true

  # Modify telnet port number for console OOB management
  config.vm.provider "vmware_fusion" do |v|
    v.vmx["serial0.fileName"] = "telnet://127.0.0.1:52001"
  end
end

Show the current status of the vagrant machine.

$ vagrant status
Current machine states:

default not created (vmware_fusion)

The VMware machine has not yet been created. Run `vagrant up`
to create the machine. If a machine is not created, only the
default provider will be shown. Therefore, if a provider is not listed,
then the machine is not created for that provider.

12. Vagrant Up!

Note: After Vagrant establishes an SSH connection to the virtual instance, it expects to talk to a standard shell (e.g., Bash). Since the Cisco ASA software doesn't provide one, Vagrant will always time out at this point even though the VM itself is up. The current workaround is to shorten the config.vm.boot_timeout value, as in the example Vagrantfile, so the unavoidable timeout arrives quickly.


$ vagrant up
Bringing machine default up with vmware_fusion provider...
==> default: Cloning VMware VM: cisco-asav-961. This can take some time...
==> default: Verifying vmnet devices are healthy...
==> default: Preparing network adapters...
==> default: Starting the VMware VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 192.168.11.130:22
default: SSH username: vagrant
default: SSH auth method: private key
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.

If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.
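
Because the timeout is expected for this box, it is worth telling it apart from a genuine failure: in the expected case Vagrant has already printed an SSH address for the guest, the machine shows as running, and tcp/22 answers. The script below is an added example (not from the original post) that runs vagrant up, accepts only that benign outcome, and otherwise exits non-zero. It assumes nc (bundled with OS X) for the port check; the script name asav-up.sh is hypothetical.

```shell
#!/bin/sh
# Run `vagrant up` for the ASAv box and tell the expected boot timeout
# (SSH address assigned, no POSIX shell on the guest) from a real failure.
# Usage (hypothetical file name): sh asav-up.sh --run

# Print "host port" from Vagrant's "SSH address: host:port" line, or nothing.
ssh_endpoint() {
    printf '%s\n' "$1" \
        | sed -n 's/.*SSH address: \([0-9.][0-9.]*\):\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1
}

# 0 if the output is the benign ASA case: a timeout after an SSH address
# was assigned; 1 for anything else (no timeout, or no address at all).
is_expected_timeout() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'Timed out while waiting for the machine to boot' || return 1
    [ -n "$(ssh_endpoint "$out")" ]
}

# 0 if tcp/22 answers on the endpoint Vagrant reported.
ssh_port_open() {
    set -- $(ssh_endpoint "$1")
    [ "$#" -eq 2 ] || return 1
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    # A clean exit would only happen with a guest that has a POSIX shell.
    out=$(vagrant up 2>&1) && exit 0
    printf '%s\n' "$out"
    if is_expected_timeout "$out"; then
        vagrant status | grep -q 'running' || exit 1
        ssh_port_open "$out" || exit 1
        echo "ASAv is up; the Vagrant timeout is the expected one for this box."
    else
        exit 1
    fi
fi
```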


The status of the vagrant machine is now in the running state.

$ vagrant status
Current machine states:

default running (vmware_fusion)

The VM is running. To stop this VM, you can run `vagrant halt` to
shut it down, or you can run `vagrant suspend` to simply suspend
the virtual machine. In either case, to restart it again, run
`vagrant up`.

We can connect to the vagrant machine with SSH ...

$ vagrant ssh
or a console connection (out-of-band management) via Telnet ...

$ telnet 127.0.0.1 52001

or with Cisco Adaptive Security Device Manager (ASDM).

13. More Vagrant commands:
Stop the vagrant machine with the force option.

$ vagrant halt -f

Destroy (Delete) the vagrant machine with the force option.

$ vagrant destroy -f
