In my previous post “Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)”, I tested importing both the OVA and VMDK files into Workstation and ESXi, but both ways failed. Those files were found and downloaded from the Internet for testing purposes only. I believe those are good files and that somebody has tested them. The only reason for my failure is that I am not using the right way to do it. In my old testing posts I have tested other versions such as 9.2.1, 8.42 and 8.02. All were successfully loaded in either VMware Workstation or ESXi.
Here are all related posts in this blog:
- ASA 8.02 in Vmware Workstation
- ASA 8.42 in VMware Workstation
- ASA 9.21 in Vmware Workstation 10
- Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (1)
- Cisco ASAv 9.4.1 and ASDM 7.4.1 in Workstation / ESXi (2)
- Cisco ASAv 9.5.1 200 and ASDM 7.5.1 in Workstation / ESXi
To find out why it failed this time, I searched online again. My search was based on the error message I got from ESXi:
“The OVF package requires support for OVF Properties
Line 264: Unsupported element ‘Property’.”
The following two links explain why, and both give a solution: VMware vCenter will be able to help load ASAv 9.4.1 into ESXi or ESX. In practice, the VMware vSphere Client has to connect to vCenter first and then deploy this asav941.ova into the ESX/ESXi host.
- http://www.cisco.com/c/en/us/td/docs/switches/datacenter/dfa/troubleshooting/guide/b-dfa-trouble/b-DFA-Troubleshooting_chapter_0100.html
- https://www-304.ibm.com/support/knowledgecenter/SSCR9A_2.0.0/doc/ICON/topics/tsicn_ovafailsproperty.html
1. ESXi vSphere Client connecting to vCenter5.5.
2. File -> Deploy OVF Template…
3. Choose downloaded asav941.ova file as the template.
When the license agreement window pops up, accept it, then click Next.
4. Choose the VM’s name
5. NICs configuration.
By default, there are 10 NICs and all of them are in the same virtual network. In my case, it was automatically set to connect to the VM DMZ network.
6. Some other parameters.
7. Review all configuration
8. After a 3-5 minute import process, depending on your connection speed, you should get a new VM in your ESXi.
You can then power the VM on and see the boot window from the console.
9. The VM will reboot itself once, then you will get this lovely ciscoasa prompt.
10. Basic configuration for SSH
Interface Management 0/0 is Network adapter 1. I changed it to the VM Internet network so that the management interface connects to my client PC network.
Here is some basic configuration to get an SSH session enabled on your ASAv.
interface Management0/0
 ip address 192.168.2.12 255.255.255.0
 nameif management
!
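The lines above only address the interface. The commands below are one way to turn on SSH for that interface, given as an added example that is not from the original post. The `admin` username, the password placeholder and the 192.168.2.0/24 client subnet (derived from the interface address above) are assumptions.

```cisco
! Added example, not from the original post. Assumes the interface is already
! named "management" and that SSH clients sit in 192.168.2.0/24.
! Local account used for SSH logins; replace the placeholder.
username admin password <REPLACE-WITH-STRONG-PASSWORD> privilege 15
! Authenticate SSH sessions against the local user database
aaa authentication ssh console LOCAL
! Generate the RSA host key pair used by the SSH server
crypto key generate rsa modulus 2048
! Accept SSH only from the management subnet, only on the management interface
ssh 192.168.2.0 255.255.255.0 management
! SSHv2 only, with Diffie-Hellman group 14 for key exchange
ssh version 2
ssh key-exchange group dh-group14-sha1
! Disconnect idle sessions after 10 minutes
ssh timeout 10
```

`show ssh` and `show running-config ssh` confirm which source networks and interfaces are allowed once the commands are entered.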
11. Guidelines for the ASAv
- Clustering
- Multiple context mode
- Active/Active failover
- EtherChannels
- Shared AnyConnect Premium Licenses
12. Defaults for Smart Software Licensing
- The ASAv default configuration includes a Smart Call Home profile called “License” that specifies the URL for the Licensing Authority.
Hey man, I read your blog recently and I have a question about Cisco ASA. We have a Cisco 2911 Router with a Security license. Two ports connect to dual ISPs and one to the intranet. PBR and IP SLA are configured on the router. We want to publish our FTP server to the internet so that our clients can access our server via these two ISPs, but it failed. So I want to use Cisco ASA to test. My question is: can I use a desktop to simulate ASA 9.4.1 to replace the Cisco 2911?
vASA9.4.1 has to be installed into a vSphere ESX/ESXi system and managed by vCenter. If your desktop is on the compatibility list for installing ESX/ESXi, you should be able to use a desktop to simulate vASA9.4.1 to replace your 2911. Of course you will need a proper license for your vASA9.4.1 to unlock the limitation.
What about the license in this package by default? It will be as in the "show version" output displayed on this page, right?
You will not need a license to play with all the features listed in the show version screen. But until you install a license, the throughput of your vASA is limited to 100 Kbps.
Thanks a lot, I installed ASAv 9.4.1 successfully in my vCenter. I have a problem when configuring PBR on the ASA: when I create an ACL, I want a host to go to the internet via another ISP. But warning messages are displayed when I configure PBR. Here is my configuration:
ASA941(config)# access-list TW line 1 extended permit ip host 192.168.66.5 any
ASA941(config)# route-map TW permit 10
ASA941(config-route-map)# mat
ASA941(config-route-map)# match ip ad
ASA941(config-route-map)# match ip address TW
WARNING: If access-list TW having destination "anyany4any6" is used as match criteria for a route map, and applied to any routing protocol it will not have any effect. Instead use standard ACL or extended ACL without anyany4any6 in destination.
ASA941(config-route-map)#
Any advice? I am not sure if it is a bug. I want this computer to go anywhere via the outside port, so I need to configure ANY as the destination address.
It is not a bug. It is by design for the route-map feature.
ACLs are of two types: standard ACL and extended ACL. They are lists of conditions that are applied to traffic travelling across an interface. Acceptance and denial can be based on specific conditions.
1. Standard ACL
– Checks Source Address
– Permits or Denies Entire Protocol Suite
2. Extended ACL
– Checks Source and Destination Address
– Generally Permits or Denies Specific Protocols
You should be able to use the following standard ACL to meet your needs:
access-list TW standard permit host 192.168.66.5
Really cool. But I need ASA 8.6 for testing and lab. Is it possible to run ASA 8.6 on VMware or something else?
It depends on whether someone has worked on ASA 8.6 before. You won't be able to run the original ASA 8.6 file in VMware or another virtual system directly. So far, I have not seen anyone try to work on it. I do see lots of people using asa8.4.2 in a VM.
Thanks, that worked for me.
Is there any reason deploying from vSphere does not work, but from vCenter works?
Is it possible for you to export your OVF file? I think I should be able to just use that to make it work.