Getting started with Cisco Adaptive Security Virtual Appliance in AWS
Software Engineering Team Lead and Director of Cloudsure
I work with NATs and ACLs on Cisco ASA (Adaptive Security Appliance) in the terminal. I want a sandbox environment for me to go bonkers. I couldn't find an image from Cisco to download and install so I chose to go shopping on the AWS Marketplace.
I found Cisco Adaptive Security Virtual Appliance (ASAv) - Standard Package. They say it brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. I think that's pretty much what I need.
Cisco does party hard. They charge you and it can get quite pricey. 😢 They predefine the instances you can select which does not fall under the AWS free usage tier. As I write this, there is a 5-day trial and thereafter a charge of $0.69 per hour.
I need you to brace yourself for this shopping experience. It's not very user friendly and it becomes repetitive.
WARNING! You will get an error after you have created your instance if your account has not been verified. There is an option to replay the order for your instance so your time would not have been for nothing.
Going shopping
- To enter the marketplace you need to authenticate. Access the AWS Account page. Sign in. Sign up. You know best.
- Squeeze your way past all the tempting options by going directly to the Cisco Adaptive Security Virtual Appliance (ASAv) - Standard Package.
- Proceed to the first level of checkout. There will be a few of these.
Go on by clicking on the top right orange button on each page.
- Continue to Subscribe gives you more information about annual licensing and the TOCs.
- Continue to Configuration gives you a small fulfillment form you need to verify or change. Specify the image (64xbit (x86) Amazon Machine Image (AMI)), ASAv version (9.9.2.1 (May 10, 2018)) and region (US East (N. Virginia)). I just chose the defaults.
- Continue to Launch shows you a screen to review your instance configuration and choose how you want to launch the software. I went with Launch through EC2.
Building your instance
Now that we are done shopping and spending all our money, we shall proceed to build our Cisco instance. One does not simply build such an instance so let's take it one step at a time shall we. Okay, this statement rings true for me at least.
- Default to everything. Don't get clever just yet. Let's first get something up and running. You can terminate it and create a new one later.
- Choose your instance type. I chose m4.large (6.5 ECUs, 2 vCPUs, 2.4 GHz, Intel Xeon E5-2676v3, 8 GiB memory, EBS only). This is the minimum requirement for Cisco ASAv.
- Check out the other entries then click on the blue button Preview and Launch.
You'll get warnings. Possibly two. One will be about improving your instance security because the firewall created is open so that whole world can access your instance (inbound SSH defined on 0.0.0.0/0) and the other will politely explain that your instance is not eligible for the free usage tier.
Change what you want. Verify the order. Click on Launch which proceeds to another step:
Select an existing key pair or create a new key. Use this key to authenticate
to your instance without a password. I downloaded mine, moved it to ~/.ssh
and chown 400 ~/.ssh/awesome.pem
.
The name of your key is the
.pem
filename so I avoided special characters the second time around.
Finally, you can click on the blue Launch Instances button. If all goes according to plan, the instance will launch.
Accessing your AWS instance
Here is where the fun begins. Can you ping it? Copy the Public DNS IPv4 address and slap
that into a ping
command in your terminal. Access that under Dashboard >
Running Instances > copy the Public DNS IPv4 address from the table of instances
for your instance.
I can't ping my AWS instance
No luck? Let's try Network & Security > Security Groups > right-click on the associated security group > Edit inbound rules > Add Rule. Type=Custom ICMP Rule - IPv4, Protocol=Echo Request, Source=Anywhere/My IP.
Can you SSH to it? On the instances page, click on the Connect button for
that instance and get more information about what to do with your .pem
file.
It's basically what I explained above. For our instance we need to connect using
the admin
user and include our .pem
file which we can do as follows
ssh -i "~/.ssh/awesome.pem" admin@ec2-1-2-3-4.compute-1.amazonaws.com
I can't SSH to my AWS instance
Still no luck? Let's try Network & Security > Security Groups > right-click on security group > Edit inbound rules again.
- Does your firewall have a rule configured for SSH?
- What sources can access your instance? Any (0.0.0.0/0) or your current IP address?
- Is your instance using the correct security group?
- Can you ping your instance yet? If not, check your VPC and network interface. I had an instance configured and couldn't get a network interface to attatch. Eventually I terminated it, recreated it and it worked. If I knew where the correct settings were, I wouldn't have had to do that.
Using ASA
What a journey!
I am finally in. There is a ciscoasa>
prompt. Basic commands are permitted in
this mode. See them ?
Go into admin mode login admin
and again press ?
to see admin commands.
The mode I hang around in the most is the config mode. Once logged in
config t
which is short for config terminal
For the last time, press ?
for all the commands available. WHAM! The instance works and I can get my
hands dirty on my very own Cisco box.