Cisco ASAv - Setting up an ASAv on a dedicated hosting site with failover IP's (Kimsufi, OVH, So you Start, etc)

This guide is very useful for people with dedicated hosting who have a ESXi hypervisor(s) running on a dedicated hosted server in the cloud (much like this blog is running on). I prefer this method over others such as pfsense because for me they are easier to configure, and coming from a Cisco background I not only feel more comfortable with it but I can also make it more secure.

Don't get me wrong PFSense (https://www.pfsense.org/) and IP Fire (http://www.ipfire.org/) are great and have a lot of features, but with more functionality means more security vulnerabilities that need to be tightened up. With the ASAv I can control all access via ACL's, and then behind the ASA set up an IPS device in a VM (more on that in another article here: http://blog.sanghera.me.uk/build-your-own-intrusion-prevention-device-ips/) to handle intrusion prevention (using Snort/Suricata).

This guide is especially useful if you have multiple sites, offices and/or locations and you want to establish a site-to-site IPSec VPN with a dedicated server hosted by a company such as OVH (who also sell hosting on their sister sites 'So You Start' and Kimsufi) securely, with encryption. You can therefore have a massive network spanned accross multiple sites to talk securely over a VPN. Cisco engineers or people who want to learn about Cisco ASA (maybe to help you with your CCNA) would really benefit from this too to get a lab up and running.

In my opinion its so much easier to use Cisco ASAv than pfsense. All I had to do was run a few commands and had it running after a few mins. No need for a management vm for the web interface and no issues with internet connectivity going down due to NAT or the manual static routes being lost at reboot, etc...

You will need:

ESXi IP address (Standard IP provided by SYS/OVH)

Failover IP (Get one from the control panel with a SYS/OVH server) <- most dedicated hosting providers provide these.

Example of how to use the Failover IP:

IP of your server : 123.456.789.012
Gateway’s IP is your server’s main IP ending in .254
So the gateway’s IP is: 123.456.789.254
(Taken from http://docs.ovh.ca/en/guides-network-bridging.html)

You need to order a failover IP from the Control Panel of your provider (SoYouStart/OVH in this case). This will incur a setup fee, but the IP itself is free. Then you need to set up a virtual mac address (from the Control Panel. This will be used for the WAN interface as you will need to set the MAC address to manual and input the virtual MAC)

So here's what I did:

1) Deploy ESXi, select the vm network (or create a new port group) and rename it to WAN. Edit the vSwitch, set Promiscous mode to Accept.on the security tab, click Ok, then close the vSwitch0 properties)

2) Create a new vSwitch (No need for an additional NIC, just a vSwitch). Create a port group, call it LAN.

3) Deploy the ASAv OVA (Officially you need vCenter for this, but there are guides out there to do this without it!

Also you will need a license for Cisco ASAv, they're not cheap...or you can do this for Educational purposes if this is for a LAB (HINT :use Google))...

4) Select WAN for network adapter 2 and LAN for network adapter 3 (network adapter 1 for management interface not needed at this time). Now edit the network adapter 2, change the mac to manual and enter the virtual mac address from your OVH/SYS control panel.

5) Power on ASAv, once booted switch to enable mode:
en
Hit enter at the password prompt, then enter Global Configuration mode:
conf t

6) Configure the Outside interface:

int gi0/0
Nameif outside
security-level 0
ip address <your_failover_ip> <your_netmask>
exit

In my case my netmask was 255.255.255.0 as anything else did not work (the provider should send an email with your IP block and Netmask to use).

7) Configure the Inside interface:

int gi0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
(This will be your LAN IP, you can change it for any other private network you want) exit

8) Create a static ARP entry:
arp outside xxx.xxx.xxx.254 00ff.ffff.ffff
(where xxx is the first 3 octets of your failover ip)

e.g arp outside 123.123.123.254 00ff.ffff.ffff

(Thanks to AJ1982 on the ovh forum)

Note: even though you'll get connectivity without this step, you should still do it to prevent excessive broadcasts causing OVH to block your IP.

9) Now create a default route for Internet connectivity:
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254
(Where xxx is the first 3 octets of your failover ip.254)

e.g route outside 0.0.0.0 0.0.0.0 123.123.123.254

Write the configuration to flash:
wr
Now when you reboot the config will stick.

10) Now if you can ping your ESXi IP as well as ping outside networks (or 8.8.8.8), congratulations you now have a working config.

The ASA will only allow traffic from a higher security level to a lower by default. However, this is a very basic config and you should try to make it more secure with NAT and ACLs. You need to do some further config to secure your firewall (have a look at my other posts).

Now you can set up a site-site IP Sec VPN to connect to your remote sites. You can also further expand this example and create sub interfaces for your 16 failover IP's! This will allow you to set 1:1 NAT mapping with 16 LAN and 16 failover addresses so that you can use them all!

comments powered by Disqus