There is no publicly available demo license other than the free 100 kbps restricted license. If you need more than that throughput you need to purchase a license. (Partners can acquire ASAv licenses via the partner lab license request procedure.) View solution in original post. Symptom: The ASAv will reload due to the loss of a valid license or license expiration. This is expected behavior in versions prior to this defect which tracks a change in that behavior to move the ASAv into a Limited Functionality state instead of a reload.
Cisco ASAv appliance
- Symptom: ASAv shows as Unlicensed even after license is in compliance and entitlement is proper Conditions: Instantiate a ASAv with config in cdrom. Smart Licensing configuration is at the end of the config in cdrom. License info in 'show license all' is in compliance. License registration is 'show license registration' is complete.
- Cisco ASAv can also scale up/down to meet the needs of dynamic environments. High availability provides resilience. Consistent security everywhere. Gain consistent security policies, enforcement and protection across your physical, virtual, and cloud environments. Cisco ASAv provides advanced protocol inspection, including voice and video.
- Without a license ASAv is fully fuctional, just throughput is very limited - functionality wise, you can do everything. Login to your Cisco account - click traditional licensing, then request a demo/eval license for anyconnect.
The Adaptive Security Virtual Appliance is a virtualized network security solution based on the market-leading Cisco ASA 5500-X Series firewalls. It supports both traditional and next-generation software-defined network (SDN) and Cisco Application Centric Infrastructure (ACI) environments to provide policy enforcement and threat inspection across heterogeneous multisite environments.
More informations on http://www.cisco.com/c/en/us/products/security/virtual-adaptive-security-appliance-firewall/index.html
- Download the appliance file: here
- Download the files for one of the supported version here
- Import the .gns3a file in GNS3. You can follow this tutorial
There is no default password and enable password. A default configuration is present. ASAv goes through a double-boot before becoming active. This is normal and expected.
RAM: 2048 MB
You need KVM enable on your machine or in the GNS3 VM.
Documentation for using the appliance is available on http://www.cisco.com/c/en/us/support/security/virtual-adaptive-security-appliance-firewall/products-installation-guides-list.html
Cisco ASAv 9.12.2-9
Images require
File | MD5 | Size | |
asav9-12-2-9.qcow2 | d90ada2efeb19801e654b6059de61845 | 198.0 MB | Download |
Cisco ASAv 9.12.2
Images require
File | MD5 | Size | |
asav9-12-2.qcow2 | ad1f8ce94417a654949ecc53d280b29f | 198.0 MB | Download |
Cisco ASAv 9.9.2
Images require
File | MD5 | Size | |
asav992.qcow2 | 0cba453dbf70313d8d63a00700618f52 | 205.0 MB | Download |
Cisco ASAv 9.8.4-15
Images require
File | MD5 | Size | |
asav984-15.qcow2 | 3c6742a9617767d8eae14b3ad4d33981 | 200.0 MB | Download |
Cisco ASAv 9.8.3-8
Images require
File | MD5 | Size | |
asav983-8.qcow2 | 54dbf135c545dbae40c8be61ff3863a4 | 199.0 MB | Download |
Cisco ASAv 9.8.1
Images require
File | MD5 | Size | |
asav981.qcow2 | 8d3612fe22b1a7dec118010e17e29411 | 193.0 MB | Download |
Cisco ASAv 9.7.1-4
Images require
File | MD5 | Size | |
asav971-4.qcow2 | f9a671d1ceaf983f7241f19df15e787f | 197.0 MB | Download |
Cisco ASAv 9.6.3-1
Images require
File | MD5 | Size | |
asav963-1.qcow2 | d6a5c8d7bff5e69c5987ca664a52dbd8 | 172.0 MB | Download |
Cisco ASAv 9.6.2
Images require
File | MD5 | Size | |
asav962.qcow2 | a4c892afe610776dde8a176f1049ae96 | 177.0 MB | Download |
Other versions
If you don't have this images you can try to add a new version follow instructions here.Only images validated by VIRL team are known to work correctly with GNS3.
Images asav952-204.qcow2 or later are recommend (previous releases may not work). It is very important to use the correct ASA image because only this image (or a later image validated by VIRL) will work with GNS3.
Depending of the image the console of the device could be serial or the graphical output of the VM.
If the image display to the graphical output you need to connect using VNC. Otherwise it’s with the telnet connection.
By default GNS3 appliance use the VNC output because it’s the most common case. If you need to connect via serial you will see this line at the boot:
Lina to use serial port /dev/ttyS0 for console IO
If you see that just edit the configuration of your node to change the console to telnet.
Replace the VNC console by a telnet console
If you want to able to use your terminal application instead of VNC you need to enable the serial console in the appliance.
ciscoasa#conf t
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
After that stop the appliance and change the console type from VNC to telnet.
See this thread if you want to create an image with ASAv serial console always enabled:
Once the ASA appliance is imported into GNS3, you can create topologies such as the following:
The cloud is linked to an eth2 interface of the GNS3 VM. In order to have an eth2 interface in the VM in the GNS3 VM settings in VMware (not in GNS3, the parameters of the VM in VMware) add a third network adapter with host only.
We use a generic switch between the cloud and the ASAv vm because a qemu limitation of the current version of GNS3 prevent a direct link between qemu and a cloud.
Our cloud configuration:
The ASA is connected to the switch via is Management 0/0 interface.
After that boot the ASAv it will take a long time with a reboot the first time. Open the console and will see a prompt:
ciscoasa>
Switch to the configure mode (by default password is empty):
ciscoasa> enable
Password:
ciscoasa# configure terminal
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command 'call-home reporting anonymous'.
We can now change the hostname and write the config
ciscoasa(config)# hostname gns3asav
gns3asav(config)# write
Building configuration...
Cryptochecksum: 5c5f8e54 7203401c 38a17bec c74e13c6
7413 bytes copied in 0.240 secs
[OK]
Remember GNS3 will not save this for you. When you save in GNS3 you save the design of topology not the memory of the devices. Like in the real life you need to ask the OS to save before turning it off.
Configure ASDM
In order to manage ASA with asdm we need to setup an ip on the Management 0/0 interface. Because the cloud is a VMware host only adapter we can use DHCP to do that.
ciscoasa(config)# interface Management 0/0
ciscoasa(config-if)# ip address dhcp
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# nameif mgmt
INFO: Security level for 'mgmt' set to 0 by default.
ciscoasa(config-if)# exit
ciscoasa(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Management0/0 mgmt 172.16.16.156 255.255.255.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Management0/0 mgmt 172.16.16.156 255.255.255.0
We can see that our ASA as the IP 172.16.16.156
Now we need to enable the HTTP server
ciscoasa(config)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 mgmt
Now open https://172.16.16.156 and ignore the HTTPS certificate error.
You will see this page
Click on install ASDM launcher. And when you have ASDM on your computer opened it. Enter the IP of the ASA and OK
You will see the ASDM interface
The warning about the licence is normal. The appliance provided by Cisco is dedicated to learning not a production usage where you need to pay.
Asav License Install
No console is showing with ASAv
Depending of the image, the serial console could be not activated. If it’s the case you need to connect to via VNC to enable the serial console see this forum post for more details:
Configuration is not saving when running ASAv on Windows
ASAv is not supported by the version of Qemu provided for Windows you need to run it using the GNS3 VM.
With the realease of 9.3 for ASA’s Cisco introduced Smart Licensing where it lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance(source).
Personally, I think it’s a great way to manage all of your licenses. This comes especially helpful if you are in the Cloud sector. As a Private Cloud provider for example it allows you to manage licenses for your IAAS offering in one centralized location fast and easy. Ability to “reuse” license if one tenant no longer needs it to the second tenant is a powerful tool. Since everything going virtual, not having licenses tied to physical equipment provides leverage and speed in deployments.
Asav License
Before hopping in into implementation piece I would like to provide an overview of different licenses that Cisco provides for their virtual ASA’s.
As you may know the difference is going to be in the resources/features. Before purchasing any ASAv license its crucial to identify what are your requirements such as throughput, session ,etc.
Table below provides all the information you need for Cisco four offerings (asav5, asav10, asav30, asav50) as of April 10, 2018. Highlited features are the ones I would pay close attention prior purchasing decision. For more information please visit Cisco Data Sheet including ordering part numbers.
Table 1.
Feature | ASAv5 | ASAv10 | ASAv30 | ASAv50 |
Stateful inspection throughput (maximum)1(UDP) | 100 Mbps | 1 Gbps | 2 Gbps | 10 Gbps |
Stateful inspection throughput (multiprotocol)2(TCP) | 50 Mbps | 500 Mbps | 1 Gbps | 5 Gbps |
Advanced Encryption Standard (AES) VPN throughput3 | 30 Mbps | 125 Mbps | 1 Gbps | 3 Gbps |
Connections per second | 8,000 | 20,000 | 60,000 | 120,000 |
Concurrent sessions | 50,000 | 100,000 | 500,000 | 2,000,000 |
VLANs | 25 | 50 | 200 | 1024 |
Bridge groups | 12 | 25 | 100 | 250 |
IPsec VPN peers | 50 | 250 | 750 | 10,000 |
Cisco AnyConnect® or clientless VPN user sessions | 50 | 250 | 750 | 10,000 |
Cisco Unified Communications phone proxy | 50 | 250 | 1000 | Not tested |
Cisco Cloud Web Security users | 250 | 1,000 | 5000 | Not tested |
High availability | Active/standby VMware ESX/ESXi 6.0, 6.5; vMotion KVM Hyper-V: Windows Server 2012 R2 (Not supported for ASAv50) | |||
Hypervisor support | ||||
Public Cloud Support | AWS (c3.large, c3.xlarge, c4.large, c4.xlarge, M4) Azure (d3, d3_v2) (including Azure Government Cloud) | Currently not supported on Public Cloud | ||
Modes | Routed and transparent | |||
Virtual CPUs | 1 | 1 | 4 | 8 |
Memory | 1 GB minimum 1.5 GB maximum | 2 GB | 8 GB | 16 GB |
Minimum disk storage4 | 8 GB | 8 GB | 16 GB | 16 GB |
Once you purchase the license there are (2) pieces to the puzzle. First is you will need to deploy OVF file on your compute infrastructure (VMware/Hyper-V). This post does not cover the deployment of the OVF file. Please let me know if you are interested in covering that piece and I’ll be more than happy to present it. Otherwise please follow one of the Cisco KB articles on this process.
After ASAv has been deployed you will need to register it to get all the features you paid for.
By default, ASAv comes with limited resources. That can be verified by the following three commands:
ASAv# sh vm
Virtual Platform Resource Limits
——————————–
Number of vCPUs : 0
Processor Memory : 0 MB
Virtual Platform Resource Status
——————————–
Number of vCPUs : 2 (Noncompliant: Over-provisioned)
Processor Memory : 4096 MB (Noncompliant: Over-provisioned)
Hypervisor : VMware
Model Id : ASAv30
ASAv# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(2)20
Firepower Extensible Operating System Version 2.2(2.63)
Device Manager Version 7.8(1)
Compiled on Fri 02-Feb-18 06:18 PST by builders
System image file is “disk0:/asa982-20-smp-k8.bin”
Config file at boot was “startup-config”
IDS-LDEN-Demo01-ASAv up 61 days 21 hours
Hardware: ASAv, 4096 MB RAM, CPU Xeon E5 series 2000 MHz, 1 CPU (2 cores)
Model Id: ASAv30
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB
0: Ext: Management0/0 : address is 0050.56a1.26a7, irq 10
1: Ext: GigabitEthernet0/0 : address is 0050.56a1.1c89, irq 5
2: Ext: GigabitEthernet0/1 : address is 0050.56a1.52a8, irq 9
3: Ext: GigabitEthernet0/2 : address is 0050.56a1.399c, irq 11
4: Ext: GigabitEthernet0/3 : address is 0050.56a1.3ac9, irq 10
5: Ext: GigabitEthernet0/4 : address is 0050.56a1.0fa1, irq 5
6: Ext: GigabitEthernet0/5 : address is 0050.56a1.76ff, irq 9
7: Ext: GigabitEthernet0/6 : address is 0050.56a1.7d33, irq 11
8: Ext: GigabitEthernet0/7 : address is 0050.56a1.376d, irq 10
9: Ext: GigabitEthernet0/8 : address is 0050.56a1.3784, irq 5
License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.
ASAv# sh license status
Smart Licensing is ENABLED
Registration:
Status: UNREGISTERED
Export-Controlled Functionality: Not Allowed
License Authorization:
Status: No Licenses in Use
Registering your newly deployed ASAv will require applying tokenID that can be generated from Smart Licensing Portal. Please not you should have a account created during the purchase process.
Once logged in navigate to Smart Software Licensing URL(fig.1)
Navigate to Inventory > Licenses to verify if the license was applied to your account(fig.2).
From that point navigate to General > New Token > Create Token(fig.3).
At this point new Token should be generated(fig.4). Copy it to clipboard you’ll need it soon.
In order to have a successful license installation your ASAv needs to be able to ping/resolve tools.cisco.com.
ASAv# ping tools.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.37.145.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
If that fails, your registration will fail. Make sure you have a proper dns domain lookup configured. This is the step that is being missed a lot of times.
ASAv(config)#dns domain-lookup outside
DNS server-group DefaultDNS
name-server 8.8.8.8
domain-name companyName.local
Now you are ready to apply Smart Licensing. First apply proper throughput level to license smart object
ASAv(config)# license smart
ASAv(config-smart-lic)# ?
Smart Licensing configuration commands:
exit Exit Smart Licensing configuration mode and apply configuration
feature Set License feature
no Negate a command
throughput Set License throughput
ASAv(config-smart-lic)# throughput level ?
smart-lic-mode mode commands/options:
100M Enable 100 Mbps throughput level
10G Enable 10 Gbps throughput level
1G Enable 1 Gbps throughput level
2G Enable 2 Gbps throughput level
Full command i.e for ASAv30 would be:
license smart
feature tier standard
throughput level 2G
exit
Finally apply idtoken which was previously copied to your clipboard
license smart register idtoken MzE2MTMwMzItMzQ4Yy00NmUxLWI3ZjYtNWFhZGVlMDc4ZWViLTE1MjU5NzQ4%0AMDQ2MDd8RHp0NkdkbGRZOFlnSllUM0dEVUdmN0c force
To verify if the license was successfully installed check the vm status as well as license usage
ASAv# sh vm
Virtual Platform Resource Limits
——————————–
Number of vCPUs : 4
Processor Memory : 8192 MB
Virtual Platform Resource Status
——————————–
Number of vCPUs : 4 (Compliant)
Processor Memory : 8192 MB (Compliant)
Hypervisor : VMware
Model Id : ASAv30
ASAv# sh license usage
License Authorization:
Status: AUTHORIZED on Feb 09 03:08:47 2018 UTC
ASAv30 Standard – 2G (ASAv-STD-2G):
Description: ASAv30 Standard – 2G
Count: 1
Version: 1.0
Status: AUTHORIZED
If the registration failed please double check you can ping tools.cisco.com AND/OR redo the idtoken on Smart License Portal and reapply.
I hope this has been informative and let me know if you were successful or not
Thanks.