
Best Practices from Oracle Development's A‑Team

Provision Cisco's ASAv from OCI Marketplace

Catalin Andrei
Cloud Networking Solutions Architect

Introduction

Customers use secured connections to reach sensitive information, and the most popular choice is a remote access VPN into the company's campus. With the fast adoption of the cloud, companies are extending their campus into the public cloud, and the demarcation line between on-premises and external resources is becoming blurry.

With the experience they already have from building the corporate remote access VPN, the customer's IT staff will most probably use the same vendor to build an access solution in the cloud.

I am getting questions from customers about provisioning a Cisco ASA on OCI and using it for remote access VPN. I will create a series of blogs around the provisioning and basic configuration of the appliance.

This is a minimal configuration that showcases the capabilities; it is not a complete setup (firewall rules and the internal hardening of the ASA itself are out of scope).

The topology I will create is a hub-and-spoke architecture: VCN1 is the hub, VCN2 and VCN4 are the spokes, and VCN3 hosts the management interface of the network appliance.

This architecture aims to create a remote access VPN solution that controls users' access: dev users will only have access to the Dev VCN, and prod users will only have access to the Prod VCN.

Prerequisites

This blog has the following prerequisites:

  • Access to an OCI tenancy where you can provision the networking artifacts as well as the Cisco ASAv instance from Marketplace;
  • A valid Cisco account to download the needed software (ASDM);
  • The hub-and-spoke architecture (VCNs, subnets and gateways) should already be configured with all of its OCI artifacts.

Configuration

This part of the blog guides you through the steps to provision and configure a Cisco ASAv. At the end of this section you will have an appliance that can communicate with the internal networks of your VCNs as well as with the Internet.

1. Generate random passwords

The appliance needs two passwords: one for a superuser (admin) and a second one, the "enable" password, used to enter privileged EXEC mode. I generate them randomly with the following command on a Linux OS (the command prints one 13-character password, so run it once per password):

tr -dc 'A-Za-z0-9!"#$%&()*+,-./:;<=>?@[]^_{|}~' </dev/urandom | head -c 13 ; echo

Note that "?" is in the character set: it is the context-help key on the ASA CLI, so if you ever have to retype a password containing it interactively, press Ctrl-V before the "?". Pasting it through cloud-init, as we do here, is not affected.

Copy the two generated passwords; we will use them in the next section.

2. Create cloud-init configuration

Copy and paste the section below into a text editor and replace the password of the admin user and the enable password with the ones you just generated.

interface management0/0
 management-only
 nameif management
 security-level 100
 ip address dhcp setroute
 no shut
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
crypto key generate rsa modulus 2048
ssh 0 0 management
ssh timeout 60
ssh version 2
!
username admin password e(B)$=y#FGfC" privilege 15
username admin attributes
 service-type admin
!
http server enable
http 0 0 management
!
aaa authentication ssh console LOCAL
enable password B3w|&,}R%s2k&

The first block brings up the management interface with the address OCI assigns over DHCP and installs the DHCP-provided default route for the management plane (setroute). The two same-security-traffic lines allow traffic to enter and leave the same interface, which the remote access VPN hairpinning needs later. The rest generates the RSA key pair used by SSH, enables SSH and the ASDM HTTPS server on the management interface, creates the admin user with privilege 15 and authenticates SSH against the LOCAL user database. One caveat for anything beyond a lab: "0 0" is shorthand for 0.0.0.0 0.0.0.0, so both ssh and http are reachable from any source address; replace it with the address and mask of your administration network.
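Steps 1 and 2 as a single script, added here as an example and not part of the original post or of Cisco's or Oracle's tooling: it generates the two passwords and renders the day0 configuration above with them substituted, so no password is pasted by hand. Two things differ from the post and are my assumptions: "?" and the quote characters are left out of the password character set (so the rendered lines never need escaping), and the source network allowed to reach SSH and ASDM is a parameter whose default is the post's any-source "0.0.0.0 0.0.0.0"; the 10.0.3.0/24 admin network in the call at the bottom is a made-up value.

```shell
#!/bin/sh
# Added example (not code from the original post): generate the two ASA
# passwords from step 1 and render the cloud-init (day0) configuration from
# step 2 with them filled in, so no password is pasted by hand.
# Differences from the post, all deliberate:
#   - '?' is left out of the character set because it invokes context help
#     if the password is ever retyped at the ASA CLI; '"' and "'" are left out
#     so the rendered config lines need no quoting or escaping.
#   - the source network allowed to reach SSH and ASDM is a parameter; the
#     post's "0 0" (= 0.0.0.0 0.0.0.0, any source) is the default.

gen_password() {
  # 13 random characters from the printable ASCII set used in the post,
  # minus '?', '"' and the apostrophe
  tr -dc 'A-Za-z0-9!#$%&()*+,-./:;<=>@[]^_{|}~' </dev/urandom | head -c 13
}

# render_day0 <admin password> <enable password> ["<allowed source ip> <mask>"]
render_day0() {
  admin_pw=$1
  enable_pw=$2
  mgmt_src="${3:-0.0.0.0 0.0.0.0}"
  # unquoted heredoc: only the $variables are expanded, the config text is literal
  cat <<EOF
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address dhcp setroute
 no shutdown
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
crypto key generate rsa modulus 2048
ssh $mgmt_src management
ssh timeout 60
ssh version 2
!
username admin password $admin_pw privilege 15
username admin attributes
 service-type admin
!
http server enable
http $mgmt_src management
!
aaa authentication ssh console LOCAL
enable password $enable_pw
EOF
}

ADMIN_PW=$(gen_password)
ENABLE_PW=$(gen_password)
# the passwords go to stderr so that only the config lands on stdout;
# keep them, you need the admin one to log in to ASDM
echo "admin password:  $ADMIN_PW" >&2
echo "enable password: $ENABLE_PW" >&2
# 10.0.3.0/24 is an assumed administration network; omit the third argument
# to get the post's any-source setting
render_day0 "$ADMIN_PW" "$ENABLE_PW" "10.0.3.0 255.255.255.0"
```

Redirect stdout to a file (for example asa-day0.cfg) and paste its contents into the "Paste cloud-init script" field in step 3; the two passwords printed on stderr are the ones you will use for ASDM and for enable mode.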

3. Provision the Marketplace VM

We are ready to provision the VM. In the OCI web console navigate to Marketplace > All Applications.

Filter by Publisher (Cisco) and you will see the Cisco ASA Virtual Firewall listing.

Make sure you select the compartment where you want the appliance to be provisioned, then launch the instance.

Fill in the name of the instance and make sure you select VCN3 and its subnet for the networking: the primary vNIC becomes the ASA's Management interface.

Under the SSH keys section select "No SSH key" (the admin credentials come from the cloud-init script), expand the Advanced Options, select "Paste cloud-init script", paste the configuration you created earlier and click the "Create" button.

4. Launch ASDM

Wait until the instance is in the Running state, then connect with a web browser over HTTPS to the public IP address of your instance and install ASDM.

Launch ASDM, fill in the connection details (the public IP of the management interface, the admin user and its password) and click OK.

Once the ASDM home screen appears, ASDM works and the management plane of the ASAv is configured.

5. Add secondary vNICs

In this section we will focus on the data plane and activate the secondary vNICs (the Inside and Outside interfaces).

In the OCI web console, navigate to "Attached VNICs" on the ASA compute instance and create the vNIC that will become Gi0/0. Fill in the name of the vNIC, the VCN where it will be placed and the subnet.

Attach the vNIC for Gi0/1 the same way. For every data vNIC make sure you select "Skip source/destination check": the ASA forwards packets whose addresses are not its own, and OCI drops such packets on a vNIC where the check is still enabled.

The ASA only discovers the new vNICs after a reboot. Under ASDM, navigate to Tools > System Reload and click "Schedule Reload".

After the reload, navigate to Configuration > Device Setup > Interface Settings and edit the newly added interfaces. Fill in the Name (inside and outside), the Security level, the IP address and netmask, and check Enable interface.

The IP address to use is the private IP of the corresponding vNIC, shown under the vNIC in the OCI web console.

6. Network test of the directly connected IP addresses

Now we can test the connectivity of the directly connected networks. In OCI, the first usable IP address of a subnet (the network address plus one) is always reserved for the subnet's default gateway, which acts as the next hop for the ASA's static routes. We will ping those gateway IP addresses.

Navigate to Tools > Ping in ASDM and ping the first usable IP address of each subnet where the ASA has a vNIC (the OCI subnet gateway). A reply from each one confirms that the interface addresses and the "Skip source/destination check" settings are right.

7. Configure Hostname

Navigate to Configuration > Device Setup > Device Name/Password and change the hostname and domain name to reflect your environment.

8. Configure Static routing

Create the network objects that will be used in the static route configuration. Navigate to "Configuration > Firewall > Objects > Network Objects/Groups" and add a Network Object for each VCN (for example VCN1 192.168.0.0/23) and one for the OCI subnet gateway of the public subnet and of the private subnet of VCN1 (named VCN1-net-pub-gw and VCN1-net-priv-gw below).

Create the static routes: the default route and one route for each internal network in OCI. Navigate to Configuration > Device Setup > Routing > Static Routes and add them.

For the default route, configure it under the Outside interface and choose the network object VCN1-net-pub-gw as the gateway.

For the internal routes, create an entry for each spoke VCN under the Inside interface and point it to VCN1-net-priv-gw.
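Steps 5 to 8 hinge on one OCI fact stated above: the subnet gateway is the first usable address of the subnet. The script below is an added example, not code from the post, that computes that gateway from a subnet CIDR and emits the ASA CLI lines equivalent to the ping tests of step 6 and the static routes of step 8, so they can be pasted into the ASA CLI instead of clicked through ASDM. The subnet CIDRs 192.168.0.0/24 and 192.168.1.0/24 (VCN1 public and private subnets) and the spoke VCN CIDRs 10.2.0.0/16 (VCN2) and 10.4.0.0/16 (VCN4) are assumed values; only VCN1 = 192.168.0.0/23 appears in the post.

```shell
#!/bin/sh
# Added example (not code from the original post): derive the OCI subnet
# gateway from a subnet CIDR and emit the ASA "ping" and "route" commands that
# the ASDM clicks in steps 6 and 8 produce, so next hops are computed, not typed.
# OCI reserves the first usable host address of every subnet (network + 1) as
# the subnet's default gateway; that address is the ASA's next hop.
# All CIDRs at the bottom except VCN1 (192.168.0.0/23, from the post) are assumed.

ip_to_int() {
  # dotted quad -> 32-bit integer (IFS applies to this read only)
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int_to_ip() {
  # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_mask_int() {
  # prefix length of "a.b.c.d/n" -> netmask as a 32-bit integer
  n=${1#*/}
  if [ "$n" -eq 0 ]; then echo 0; return; fi
  echo $(( (4294967295 << (32 - n)) & 4294967295 ))
}

cidr_network_int() {
  # network address of "a.b.c.d/n" as a 32-bit integer
  echo $(( $(ip_to_int "${1%/*}") & $(cidr_mask_int "$1") ))
}

cidr_network() { int_to_ip "$(cidr_network_int "$1")"; }
cidr_netmask() { int_to_ip "$(cidr_mask_int "$1")"; }
# OCI subnet gateway = network address + 1
oci_gateway()  { int_to_ip $(( $(cidr_network_int "$1") + 1 )); }

# Step 6: one ping per directly connected subnet, against its OCI gateway
asa_gateway_pings() {
  for subnet in "$@"; do
    echo "ping $(oci_gateway "$subnet")"
  done
}

# Step 8: asa_static_routes <VCN1 public subnet> <VCN1 private subnet> <spoke VCN CIDR>...
asa_static_routes() {
  pub_subnet=$1; priv_subnet=$2; shift 2
  # default route out of the Outside interface via the public subnet gateway
  echo "route outside 0.0.0.0 0.0.0.0 $(oci_gateway "$pub_subnet") 1"
  # one route per spoke VCN on the Inside interface via the private subnet gateway
  for vcn in "$@"; do
    echo "route inside $(cidr_network "$vcn") $(cidr_netmask "$vcn") $(oci_gateway "$priv_subnet") 1"
  done
}

# Assumed layout: VCN1 (192.168.0.0/23) split into public 192.168.0.0/24 and
# private 192.168.1.0/24; spokes VCN2 10.2.0.0/16 and VCN4 10.4.0.0/16.
asa_gateway_pings 192.168.0.0/24 192.168.1.0/24
asa_static_routes 192.168.0.0/24 192.168.1.0/24 10.2.0.0/16 10.4.0.0/16
```

The printed route lines correspond one to one to the ASDM entries: the default route under Outside via VCN1-net-pub-gw, and one route per spoke VCN under Inside via VCN1-net-priv-gw. Because the gateway is derived from the CIDR, changing a subnet later only means re-running the script rather than re-reading addresses from the console.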

9. Network test of the default route

Test the connectivity through the default route by pinging an external IP address from Tools > Ping. A reply confirms that the Outside interface, its route through the public subnet gateway and the Internet gateway of VCN1 are all in place.

Conclusion

This blog focused on provisioning a Cisco ASAv in OCI and creating the initial basic configuration for network connectivity. This is the building block used in the next blog for configuring the ASA as a remote access VPN.
