Cisco ASA on VMware ESXi: install and basic config

Preparing for the CCNA Security exam and testing a Cisco ASA appliance on VMware ESXi infrastructure.

ASDM Java workaround

If the ASDM launcher will not start from the browser, download the asdm.jnlp launcher from the ASA management IP and start it with javaws directly:

C:\Users\sc>javaws C:\Users\sc\Downloads\asdm.jnlp

IPsec site-to-site troubleshooting:

show isakmp sa
show crypto ipsec sa
show vpn-sessiondb detail l2l

Set the debug condition first so the output is limited to one peer, then turn the debugs on; "undebug all" stops them:

debug crypto condition peer <peer IP>
debug crypto isakmp 7
debug crypto ipsec 7
undebug all

Clearing the SAs forces a full renegotiation (the tunnel drops for a moment):

clear crypto ipsec sa
clear crypto isakmp sa

Management interface and local AAA (addresses stripped from these notes):

interface Management0/0
 nameif mgmt
 security-level 0
 ip address 
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http mgmt
username scp password pg94qEe@#$87hXXJ encrypted privilege 15

Telnet sends the LOCAL username and password in clear text, so keep it for the lab only. On the hardware ASA 5500 Management0/0 is normally management-only; set "management-only" on it so no through-traffic is ever routed over the management network.

1. Select the ESXi host
2. File -> Deploy OVF Template
3. Select the OVF (there are ASA OVF templates on the Internet)

Add a Serial Port to the VM that is backed by the network (telnet server on the ESXi host) so the ASA console port is redirected to a TCP port. ESXi only accepts the connection once its firewall service "VM serial port connected over network" is enabled, and that telnet console is unauthenticated, so leave it reachable from the management network only.

Start the VM and telnet to the ESXi host management IP on port 2052 to get the console.
The ASA software (ASA is not IOS; the boot log shows the Linux kernel underneath) loads:
Initializing cgroup subsys cpu
Linux version (builders@bld-releng-05a) (gcc version 4.3.4 (crosstool-NG-1.5.0) ) #1 PREEMPT Wed Jun 15 17:19:01 MDT 2011
Starting network...
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/hda1: 48 files, 10090/65443 clusters
This platform has an ASA 5520
Cisco Adaptive Security Appliance Software Version 8.4(2)
Basic Config

0. Reset Config

write erase
Erase configuration in flash memory? [confirm]
Process shutdown finished
Restarting system.
machine restart
Pre-configure Firewall now through interactive prompts [yes]? no
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:    (the enable password is not set yet - just press Enter)

1. Interfaces
ciscoasa(config)# interface GigabitEthernet0
ciscoasa(config-if)#  nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#  security-level 100
ciscoasa(config-if)#  ip address
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# !
ciscoasa(config-if)# !
ciscoasa(config-if)# interface GigabitEthernet1
ciscoasa(config-if)#  nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)#  security-level 0
ciscoasa(config-if)#  ip address
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# mtu inside 1500
ciscoasa(config-if)# mtu outside 1500
2. Hostname and DNS
ciscoasa(config-if)# hostname esx1-asa2
esx1-asa2(config)# domain-name

esx1-asa2(config)# dns domain-lookup outside
esx1-asa2(config)# dns server-group DefaultDNS
esx1-asa2(config-dns-server-group)#  name-server
esx1-asa2(config-dns-server-group)#  name-server
esx1-asa2(config-dns-server-group)#  domain-name
3. Enable/VTY Passwords
! Enables password encryption: the master key used to encrypt shared keys and passwords stored in the configuration
key config-key password-encryption s0m3-encryt3d-t3kst
password encryption aes

! Password for privileged EXEC (the equivalent of the IOS enable secret)
enable password <password>
enable password pas@#E!dc

! The login password is used for Telnet and SSH connections as long as no aaa authentication
! is configured for them; once "aaa authentication ssh console LOCAL" is set (step 8),
! the local username's own password is used instead.
{passwd | password} <password>

passwd DV#F#$FD4f$
4. Set Telnet Access and Tune Timers
telnet inside
telnet timeout 15
ssh timeout 15
console timeout 0
Telnet is clear text and "console timeout 0" never logs an idle console out; both are lab settings, the SSH setup that follows is the replacement.
To start SSH, generate the RSA host key first (the lab used 1024 bits; use "modulus 2048" on anything that is not a throwaway lab), then allow SSH from the inside network and force version 2:
esx1-asa2(config)# crypto key generate rsa modulus 1024
  INFO: The name for the keys will be: <Default-RSA-Key>
  Keypair generation process begin. Please wait...
esx1-asa2(config)# ssh inside
esx1-asa2(config)# ssh version 2
esx1-asa2(config)# ssh timeout 15
5. Set Time and NTP
! The zone names are only labels, but use the real ones: EET is UTC+2, EEST is the EU summer time (last Sunday of March to last Sunday of October)
clock timezone EET 2
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
ntp server
ntp server
6. Set Up Access to Cisco ASDM
http server enable
http inside
7. Set Default Gateway
route outside   1
8. Setup Users
esx1-asa2(config)# username sc password ********* privilege 15
Minimum allowed username length is 3
ERROR: Username addition failed.
esx1-asa2(config)# username sclabs password ********* privilege 15 
! Use the local database as the only authentication method, with no fallback: enter LOCAL alone
esx1-asa2(config)# aaa authentication ssh console LOCAL
Do the same for http (ASDM) and enable ("aaa authentication http console LOCAL", "aaa authentication enable console LOCAL"); otherwise ASDM logs in with the enable password and no username, and every SSH user shares that one enable password.
9. Setup SNMP and Logging
esx1-asa2(config)#   snmp-server host inside community ***** version 2c
esx1-asa2(config)#   snmp-server community *****
esx1-asa2(config)#   snmp-server location ESX1-location
esx1-asa2(config)#   snmp-server contact
SNMP v2c puts the community string on the wire in clear text; lab only (8.4 supports SNMPv3 with auth and priv).
esx1-asa2(config)#   logging buffered notifications
esx1-asa2(config)#   logging buffer-size 1048576
Nothing is logged until "logging enable" is set; add "logging timestamp" too, or the buffered messages carry no time.
10. Apply activation keys (activation-key <key>)

11. Save config and reload
esx1-asa2(config)# wr
Building configuration...
Cryptochecksum: 35f32de6 81c535ed 3dce03ec 13f334ff
2568 bytes copied in 0.40 secs
esxi1-asa2# reload
Proceed with reload? [confirm]
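The steps above bootstrap a lab box. The fragment below is an added example, not part of the original notes, of the same management-plane settings tightened for something that is not a lab: a 2048-bit host key and SSHv2 only from one management subnet, no Telnet, the local user database for SSH, ASDM, console and enable, SNMPv3 with authentication and encryption instead of a v2c community, and logging actually switched on and shipped to a syslog host. It sits on top of the interface, hostname and route config from steps 1, 2 and 7; the 192.168.10.0/24 subnet, the 192.168.10.50 server, the user names and the passwords are placeholders.

```cisco
! Added example: hardened remote-management config for ASA 8.4
! (192.168.10.0/24, 192.168.10.50, user names and passwords are placeholders)
hostname esx1-asa2
domain-name lab.example
!
! Local admin account; with the aaa lines below it is the only way in,
! for SSH, ASDM, the serial console and privileged mode alike
username netadmin password Str0ng-Adm1n-Passw0rd privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
!
! 2048-bit host key (1024 is too short); SSHv2 only, reachable only from the mgmt subnet
crypto key generate rsa modulus 2048
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
ssh timeout 10
!
! No Telnet at all; idle consoles are logged out
clear configure telnet
console timeout 5
!
! ASDM only from the mgmt subnet
http server enable
http 192.168.10.0 255.255.255.0 inside
!
! SNMPv3 with authentication and encryption instead of a v2c community
snmp-server group MONITOR v3 priv
snmp-server user snmpmon MONITOR v3 auth sha Auth-Passw0rd-1 priv aes 128 Priv-Passw0rd-1
snmp-server host inside 192.168.10.50 version 3 snmpmon
snmp-server location ESX1-location
!
! Logging does nothing until it is enabled; keep a local buffer and ship to syslog
logging enable
logging timestamp
logging buffered informational
logging buffer-size 1048576
logging host inside 192.168.10.50
logging trap informational
!
! Time sync so the log timestamps line up with the rest of the lab
clock timezone EET 2
clock summer-time EEST recurring last Sun Mar 3:00 last Sun Oct 4:00
ntp server 192.168.10.50
```

Paste it in config mode; the key generation asks whether to overwrite <Default-RSA-Key> if step 4 already created one, and you must answer yes to get the 2048-bit key. Verify with show ssh, show run aaa, show run snmp-server and show logging before you write memory, and keep the console session open until a fresh SSH login works.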

PostInstall configure:
1) Configure split tunnel for the AnyConnect profile
Goal: Internet traffic leaves the client directly while the tunnel is up; only the networks in the split-tunnel list go through the ASA.
Default (split-tunnel-policy tunnelall): all client traffic is sent into the tunnel, so only the protected traffic ( is permitted when the tunnel comes up.
 group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
    wins-server none
    dns-server value
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value MYLAN

access-list MYLAN  line 1 remark MYLAN MGMT
access-list MYLAN  line 2 standard permit
2) Let users choose the profile at login: AnyConnect and clientless clients
Cisco tech note: ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

3) Enable both AnyConnect and clientless clients
Error: Clientless (browser) SSL VPN access is not allowed.
The AnyConnect Essentials and AnyConnect Premium licenses cannot be active on the same ASA at the same time, it is one or the other, and Essentials does not include clientless (browser) SSL VPN. Disable Essentials to get clientless access back:
esxi1-ciscoasa-si(config)# webvpn
esxi1-ciscoasa-si(config-webvpn)#   no anyconnect-essentials
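For 1) and 2) above, here is an added worked config (not from the original notes; ASA 8.4 syntax) that puts a split-tunnel profile and a full-tunnel profile side by side and lets the user pick one from the login drop-down (group-alias) or by URL (group-url). MYLAN = 192.168.10.0/24, the 10.99.0.0/24 client pool, the 192.168.10.53 DNS server, vpn.lab.example and the AnyConnect package file name are placeholders.

```cisco
! Added example: AnyConnect split tunnel plus user-selectable profiles (ASA 8.4 syntax).
! 192.168.10.0/24 (MYLAN), the 10.99.0.0/24 client pool, 192.168.10.53,
! vpn.lab.example and the package name are placeholders.
!
! Networks reachable through the tunnel; everything else leaves the client directly
access-list MYLAN standard permit 192.168.10.0 255.255.255.0
!
! Addresses handed to AnyConnect clients, and the NAT exemption for them
ip local pool VPN_POOL 10.99.0.10-10.99.0.100 mask 255.255.255.0
object network MYLAN_NET
 subnet 192.168.10.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static MYLAN_NET MYLAN_NET destination static VPN_POOL_NET VPN_POOL_NET
!
! SSL VPN on the outside interface; tunnel-group-list puts the group-alias drop-down on the login page
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Full-tunnel policy: tunnelall is the default, written out here for contrast
group-policy GP_FULLTUNNEL internal
group-policy GP_FULLTUNNEL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
!
! Split-tunnel policy: only MYLAN goes through the tunnel
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MYLAN
 dns-server value 192.168.10.53
 default-domain value lab.example
!
! One tunnel-group per profile; users pick by alias (drop-down) or by URL
tunnel-group TG_SPLIT type remote-access
tunnel-group TG_SPLIT general-attributes
 address-pool VPN_POOL
 default-group-policy GP_SPLIT
tunnel-group TG_SPLIT webvpn-attributes
 group-alias anyconnect-split enable
 group-url https://vpn.lab.example/split enable
!
tunnel-group TG_FULL type remote-access
tunnel-group TG_FULL general-attributes
 address-pool VPN_POOL
 default-group-policy GP_FULLTUNNEL
tunnel-group TG_FULL webvpn-attributes
 group-alias anyconnect-full enable
 group-url https://vpn.lab.example/full enable
```

The NAT exemption line is needed on 8.3+ whenever inside is PATed to outside, otherwise replies to VPN clients get translated on the way out. Split tunneling is a trade: the client keeps direct Internet access while connected, so the ASA no longer sees or filters that traffic; tunnelall (the default) is the safer policy when the remote machine is not trusted. Check the result with show run tunnel-group and show run group-policy, and with show vpn-sessiondb once a client has connected.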