Keith O'Brien Blog - Information and Cyber Security
  • Blog
  • Resume
  • Security Resources

Cisco ASAv on Openstack

4/13/2016

 


First we need to disable Neutron's source address (anti-spoofing) check for the ASAv ports. The ASAv routes traffic from one network to another, so packets leaving its inside and outside ports carry source addresses that are not the fixed IP of the port, and the default Neutron firewall driver drops them. There are two ways to allow this: add allowed-address pairs on each of the ASAv's Neutron ports, which is the narrower option because security groups stay in force for every other instance, or turn the firewall driver off on the compute node by setting
firewall_driver = neutron.agent.firewall.NoopFirewallDriver
(and commenting out the existing firewall_driver line) in
/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
and then restarting the agent:
sudo systemctl restart neutron-openvswitch-agent
Be aware that the Noop driver disables security groups and anti-spoofing for all instances on that compute node, not just the ASAv, so it is only appropriate on a lab host.


Create Nova Compute Flavor for the ASAv
The ASAv requires a nova compute flavor with 4096 MB of memory and 2 vCPUs. nova flavor-create takes the name, the id, the RAM in MB, the root disk in GB and the vCPU count, so the disk size has to be given as well; make it at least the virtual size of the ASAv qcow2 image.

nova flavor-create asa-flavor <flavor id> 4096 <root disk in GB> 2

To view the existing flavor ids, issue the nova flavor-list command.

nova flavor-list

Use a flavor id that is not already in that list. The same id is what you pass to nova boot --flavor later on.

Create a Glance Image for the ASAv
We need to create an image in Openstack. We create it from the ASAv qcow2 image, which can be obtained from Cisco's website. In the example below you will have to adjust the URL of the server hosting the image and the file name of the ASAv qcow2 image you downloaded. Note that --location makes Glance reference the image at that URL rather than copying it, so the web server must stay reachable from the Glance and Nova hosts, and --is-public true makes the image visible to every tenant.

glance image-create --name ASAv --disk-format qcow2 --container-format bare --location http://<ip address of server hosting image>/asav951-203-anyconnect.qcow2 --is-public true

Make sure the image was successfully created

glance image-list

We now need to set two custom properties on the image so that Nova presents the ASAv with e1000 NICs and an IDE disk bus, which is what the ASAv expects:

glance image-update <image id> --property hw_disk_bus=ide 
glance image-update <image id> --property hw_vif_model=e1000 

Prepare the Day 0 Configuration File
You can prepare a Day 0 configuration file before you launch the ASAv. This is a text file containing the ASAv configuration that is applied when the ASAv first boots. Place it in a file named "day0-config" in a working directory of your choosing. At a minimum, the Day 0 configuration must contain commands that activate the management interface and set up the SSH server; Cisco's guidance calls for public key authentication, while the sample below uses a local username and password, which is fine for a lab but should be replaced with a public key before the management interface is reachable from anything untrusted. The file can also contain a complete ASA configuration.


Boot the Image with Nova
At this point we have a good image which we can now boot. We do this with the nova boot command. The order of the --nic arguments matters: the first interface in the nova boot command becomes Management0/0, the second becomes GigabitEthernet0/0 (the Inside network) and the third becomes GigabitEthernet0/1 (the Outside network). The v4-fixed-ip given for each port must be the same address configured on the matching interface in the day0-config, otherwise the ASAv will not be reachable on that port. --flavor is the id of the flavor created above (11 in this example), and --config-drive=true together with --file day0-config=... delivers the Day 0 file to the ASAv over the config drive.

nova boot ASAv --image ASAv  --nic net-id=<numeric id of management network in neutron>,v4-fixed-ip=192.168.0.12 --nic net-id=<numeric id of inside network in neutron>,v4-fixed-ip=192.168.200.1 --nic net-id=<numeric id of outside network in neutron>,v4-fixed-ip=192.168.100.11 --flavor 11 --config-drive=true --file day0-config=/home/localadmin/day0-config


day0-config

hostname ciscoasav
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd nDzzbb5hq84gn0CE encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.100.11 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.12 255.255.255.0
!
ftp mode passive
access-list PERMIT_ICMP extended permit icmp any any
pager lines 23
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group PERMIT_ICMP global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username cisco password FL/j2s7kdjDy.q93 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect rtsp
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip
  inspect skinny
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 9
  subscribe-to-alert-group configuration periodic monthly 9
  subscribe-to-alert-group telemetry periodic daily
crypto key generate rsa modulus 1024
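The config above is a lab bootstrap and carries a few settings worth tightening before the outside interface sees untrusted traffic: telnet is enabled on all three interfaces (the ASAv ships with it disabled), SSH is accepted from 0.0.0.0/0 on outside, the key exchange is dh-group1-sha1, the RSA host key is 1024 bits, and the only login is the local username and password rather than the public key the Day 0 guidance calls for. The following shell script is an added example, not part of the original post and not Cisco or OpenStack tooling: it greps a day0-config for exactly those shortcuts, checks that an address you intend to pass as v4-fixed-ip is actually configured on an interface, and runs over two constructed samples, one reduced from the config above and one hardened version of its management interface. dh-group14-sha1 and a 2048-bit modulus are the replacements it recommends; <key-hash> in the hardened sample is a placeholder for the admin user's hashed public key.

```shell
#!/bin/sh
# day0-lint.sh: check an ASAv day0-config for the usual lab shortcuts before it
# goes into "nova boot --file day0-config=...".  Added example for this post, not
# Cisco or OpenStack tooling; the two sample configs below are constructed here
# and only borrow addresses and settings from the config printed above.

# Print one "WARN: ..." line per finding; prints nothing when the file is clean.
lint_day0() {
    cfg="$1"
    # Telnet is cleartext and off by default on the ASAv; every enabled interface is a finding.
    grep -E '^telnet [0-9.]+ [0-9.]+ [[:alnum:]_-]+$' "$cfg" \
        | awk '{print "WARN: telnet enabled on " $4 "; remove it, manage over ssh only"}'
    # SSH from any source on the untrusted interface exposes the management plane.
    grep -qE '^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$' "$cfg" \
        && echo "WARN: ssh permitted from 0.0.0.0/0 on outside; limit ssh to the management network"
    # dh-group1-sha1 is 1024-bit DH; the ASA also offers dh-group14-sha1 (2048-bit).
    grep -qE '^ssh key-exchange group dh-group1-sha1$' "$cfg" \
        && echo "WARN: ssh key-exchange group dh-group1-sha1 is weak; use dh-group14-sha1"
    # The RSA host key generated at first boot should be at least 2048 bits.
    awk '/^crypto key generate rsa modulus/ && $6 < 2048 {print "WARN: rsa modulus " $6 " is too short; use 2048"}' "$cfg"
    # A permit-ip-any-any ACL applied anywhere turns the firewall into a router.
    grep -E '^access-list [^ ]+ extended permit ip any4? any4?$' "$cfg" \
        | awk '{print "WARN: access-list " $2 " permits ip any any"}'
    # The Day 0 guidance above calls for public-key SSH; flag password-only logins.
    grep -qE '^ *ssh authentication (publickey|pkf)' "$cfg" \
        || echo "WARN: no ssh public-key authentication configured; logins are password-only"
}

# True when lint_day0 reports nothing.
day0_is_clean() {
    n=$(lint_day0 "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# True when the address handed to "nova boot --nic ...,v4-fixed-ip=ADDR" is configured
# on an interface in the day0-config.  A mismatch leaves that Neutron port unreachable.
day0_has_ip() { grep -qF " ip address $2 " "$1"; }

# Constructed sample 1: the lab settings from the config above, reduced to the relevant lines.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
hostname ciscoasav
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.100.11 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.12 255.255.255.0
aaa authentication ssh console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 management
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh version 2
ssh key-exchange group dh-group1-sha1
username cisco password FL/j2s7kdjDy.q93 encrypted
crypto key generate rsa modulus 1024
EOF

# Constructed sample 2: the same management interface, hardened.  <key-hash> is a
# placeholder for the hashed public key of the admin user.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
hostname ciscoasav
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.0.12 255.255.255.0
aaa authentication ssh console LOCAL
username cisco password FL/j2s7kdjDy.q93 encrypted
username cisco attributes
 ssh authentication publickey <key-hash> hashed
ssh 192.168.0.0 255.255.255.0 management
ssh version 2
ssh key-exchange group dh-group14-sha1
crypto key generate rsa modulus 2048
EOF

lint_day0 "$WEAK"
day0_is_clean "$HARDENED" && echo "hardened sample: clean"
day0_has_ip "$WEAK" 192.168.0.12 && echo "192.168.0.12 matches Management0/0 in the day0-config"
```

Run it against your real day0-config before the nova boot step; each WARN line names the setting and the replacement, and day0_has_ip lets you confirm every v4-fixed-ip in the boot command against the file.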

