Learning Cisco Adaptive Security Virtual Appliance (ASAv) by using
GNS3 and VMWare Workstation Player (PART 1)
In today's IT world you can see that traditional physical devices are being replaced, day by day, with cloud or SDN (Software Defined Networking) deployments that are faster and cheaper to run. Whoever works in IT, whether on the systems side or on the network/security side, and whatever they study, will inevitably run into these virtualized appliances and servers. In this guide I write up and share the basics of the Cisco Adaptive Security Virtual Appliance (ASAv), one of the next-generation technologies from Cisco, the most successful vendor in today's networking world.
Cisco ASA vs Cisco ASAv
Cisco ASAv is a virtualized network security appliance derived from the physical ASA appliances, the ASA 5500-X Series firewalls. For a fuller description, the original vendor text is quoted below.
The Adaptive Security Virtual Appliance is a virtualized network security solution based on the market-leading Cisco ASA 5500-X Series firewalls. It supports both traditional and next-generation software-defined network (SDN) and Cisco Application Centric Infrastructure (ACI) environments to provide policy enforcement and threat inspection across heterogeneous multisite environments.
I am writing and sharing this lesson as a follow-on for those who want to keep learning after finishing CCNA and CCNP R&S.
Before the ASAv there was also a product called the ASA 1000v. Because it has reached End of Sale/End of Support, I recommend that we start our study directly with the ASAv.
ACI = Application Centric Infrastructure
This guide is written based on:
ASAv version 9.5.2
GNS3 version 1.5.2 installed on a Windows 10 64-bit VM
I will not describe the GNS3 installation itself, since there is nothing special about it.
If you run Routing/Switching GNS labs, running them on physical servers with plenty of memory is smoother, faster and less error-prone. Since I wrote this guide for people doing self-study, I have tried as far as possible to make it run with good performance on an ordinary PC.
The Cisco ASAv image is provided as a GNS3 QEMU VM, a Microsoft VM (.vhdx) and a VMware vCenter image (ova). Since this guide is based primarily on GNS3, we will build the lab using the QEMU image only.
GNS3 VM
There is one thing to mention here in passing: the GNS3 VM. To run the Cisco ASAv lab on a single PC with the fewest errors and good performance, I use the GNS3 VM.
Read the following to understand why IOS is run on the GNS3 VM rather than on the physical resources as before. Translating it into Burmese would only make it more confusing, so the original is quoted below.
What is the GNS3 VM?
The GNS3 VM is a Virtual Machine that runs Ubuntu Linux and comes with all installed dependencies in order to run GNS3 labs. The VM is provided starting with version 1.4 of GNS3.
Why use the GNS3 VM?
So why use VM instead of running stuff locally on my computer?
For Linux users, some dependencies are hard to install, like the requirements for IOU –IOS on UNIX (you need specific libraries and 32-bit support).
Using VMware, you can use KVM acceleration for Qemu allowing to run Qemu based appliances with excellent performances on Windows and Mac.
Dynamips and Qemu tend to work a lot better on Linux (less random issues with ASA for example).
Full IOU support (you just need the license file + IOU images).
Future version of the VM will include full Docker support. No antivirus getting in the way or firewall inside the VM blocking network traffic.
The VM is isolated from your computer and a lot less likely to break something important.
A virtual machine that GNS3 can use to upload images to and control CPU and memory usage by confining the running image in a single virtual machine instance.
It’s intended for Windows users who want to use more IOS and IOU images that cannot be supported natively in a Windows environment.
Once you understand the basics of the GNS3 ASAv lab above, let's go on and download the software the lab needs. If you can, I urge you to use the free VMware Workstation Player rather than VirtualBox or the like.
The ASAv template procedure is copied directly from https://integratingit.wordpress.com/2016/07/12/configuring-cisco-asav-in-gns3/. If you hit small errors along the way, search Google and try to resolve them yourself as far as you can. Working through them that way, you will become more skilled with GNS3 and will also understand better how the GNS3 VM and VMware Workstation Player work together.
Download the Cisco ASAv hda image file (asav952.qcow2) from the Cisco website.
Legal Warning
Cisco IOS on Unix is a tool intended for internal use only. Distribution of IOU images to customers or external persons, or discussion of IOU with customers or external persons, is prohibited.
Can I be tracked if I'm using IOU?
Potentially, yes.
At startup, Cisco IOU attempts to make an HTTP POST of some XML data to a host at xml.cisco.com. The data includes your (short) hostname (e.g. not the FQDN), the (UNIX) username of the user running IOU, the version of IOU in use, etc.
Do this: # echo '127.42.42.42 xml.cisco.com' >> /etc/hosts (on Windows, add the same entry to C:\Windows\System32\drivers\etc\hosts instead).
When everything is ready, you can start the installation. Work through the steps below one at a time.
Extract the contents of the GNS3 VM zip to a folder
Assuming VMware Workstation Player and VIX is already installed, double click the file and it will prompt to import the Virtual Machine
Once imported there appears to be no configuration required, close the VM for now by selecting “Shutdown” from the menu
Open GNS3 application, click “Help” from the menu bar
Select “Setup Wizard”
Select “Local GNS3 VM”, click Next
Select “VMware (recommended)”, modify the vCPU and RAM settings if required. Make sure your computer has enough CPU and memory.
If GNS3 detects the VM previously created it will appear on the list. I manually selected a different drive and folder to import the VM to and I found if the VM is not located the default location of “\Documents\Virtual Machines” that GNS3 will not detect the VM. I moved the VM into the folder GNS3 was expecting the VM to be located in, hit refresh and GNS3 found the VM successfully.
Click Next to continue
The Local GNS3 VM will now automatically start
The VMware Workstation Player application should automatically appear and load the GNS3 VM. You can safely minimize this.
Continue the GNS3 Setup Wizard – Select “Add a Qemu virtual machine”. Click Finish
Select “Server Type” as “Run the Qemu VM on the GNS3 VM”, click Next
Appropriately name the VM eg “ASAv”, click Next
Select the correct Qemu binary from drop down list; select enough memory for the ASAv – 2048MB works. Click Next
Select the “Disk image (hda):” – this is the ASAv qcow2 file previously downloaded. Click Finish
Import is now complete, click Edit to complete the configuration of the ASAv Template
Under the “General Settings” change the “Category” to “Security Devices”
Change the icon by changing the symbol by browsing to the ASA symbol
Change “Console Type” to be “vnc”
Under the “Network” tab within the QEMU VM Configuration
The first interface on an ASAv is the Management Interface, change “First port name” to “Management” or something equivalent.
By default the name format for the remaining interfaces is “Ethernet”; this is the label within GNS3 but not within the ASAv – the interfaces are GigabitEthernet. This may be confusing to some people, so I change the “Name Format” to “Gig0/{0}”
On the “Advanced Settings” tab I “Activate CPU throttling” and set 80%
Un-tick “Use as a linked based VM” FOR NOW – we’ll come back to that later
Click Ok to finish configuration of the ASAv Template
Once configuration is now complete the ASAv should appear under “Security Devices” window on the main GNS3 screen
Create a new project and start the ASAv image running.
Wait until the device finishes configuring itself and is at the login prompt
Save the configuration then shutdown the ASAv VM
Modify the configuration of the ASAv Template
Under “Advanced Settings” re-tick the option “Use as a linked base VM” and Shutdown ASAv.
If you want to connect to your ASAv console with telnet by default, change “Console Type” to “telnet”
Now we must change the ASAv Template setting as follows.
Change NETWORK to “Use the legacy networking mode”
If you do not do that, you will not be able to ping the NICs outside GNS3.
Well, if you have reached this stage, you have come a long way. As the last step, let's configure the Management IP so that the ASAv can be accessed from ASDM.
ASDM
ASDM (Cisco's Adaptive Security Device Manager) is a standalone GUI tool for managing Cisco ASA security appliances. If you want to manage not just one ASA but a very large network as a whole (for example, to manage a shared policy across multiple ASAs, routers and IPS appliances), CSM (Cisco Security Manager) is used instead.
Since ASDM runs on Windows, to connect to the ASAv appliance inside GNS3 we have to set up another Windows 10 PC on the same local network as the ASAv. Then install Java version 8 or later on it, because ASDM is a Java-based application.
Note: I installed the MS Loopback adaptor and shared the VMware NAT NIC with it using ICS. I then bridged the GNS3 VM's NIC to the Microsoft Loopback adaptor. You can also go straight to the Internet through VMware NAT without the MS Loopback adaptor. Do whichever you prefer; as long as the IP settings are correct, it works.
Now that everything is ready, let's run GNS3, start an ASAv firewall and set it up.
Power on the ASAv template in GNS3.
Enter into privileged Mode
ciscoasa> enable
Verify the firewall available interfaces and status
ciscoasa# sh interface ip brief
Configure a Network Serial Console Port
ciscoasa(config)# cd coredumpinfo
ciscoasa(config)# copy coredump.cfg disk0:/use_ttyS0
We will connect G0/1 to the Internet and G0/0 to the Host Only local network.
Do a wr mem and then shut down the ASAv.
Connect the GNS3 Cloud and Ethernet switch nodes to the ASAv.
Change Cloud NIC and Icon as necessary. This cloud is for local windows 10 VM.
Once all the connections are made, power on the ASAv.
Because the console type is set to telnet, you will see the telnet window as shown below.
Use ciscoasa# sh int ip bri to view all the interfaces.
Assign the IP addresses.
Ping test the VMware Host Only NIC IP and the Windows 10 IP.
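The IP assignment and ping test above, written out as an added example (not taken from the original post or the integratingit guide), so the Windows 10 lab PC on the Host Only segment can reach ASDM over HTTPS. The Management0/0 interface name is the ASAv default; the 192.168.56.0/24 addresses are constructed placeholders, so substitute your own VMware Host Only subnet, and the ASDM image is assumed to already be present on the ASAv's disk0:.

```cisco
! Added example, not part of the original post.
! 192.168.56.10 = ASAv management address, 192.168.56.20 = Windows 10 lab PC
! (both constructed placeholders; use your own Host Only subnet).
ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.56.10 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
! Enable the ASDM (HTTPS) server and allow only the lab PC, not the whole
! subnet, to reach it on the management interface.
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.56.20 255.255.255.255 management
ciscoasa(config)# end
! Verify the interface came up with the right address, then check reachability
! of the Windows 10 PC before trying ASDM.
ciscoasa# show interface ip brief
ciscoasa# ping 192.168.56.20
! Save, otherwise the settings are lost on the next reboot of the linked VM.
ciscoasa# write memory
```

Listing the lab PC with a /32 mask in the http statement keeps the ASDM listener closed to every other host on the Host Only segment; widen it to the subnet mask only if you really manage the ASAv from more than one machine.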
That is enough local network preparation for managing with ASDM. In office terms, it is like having basic connectivity from a workgroup network up to the firewall before the Internet link is connected. The VLAN/switching side is a separate topic; since this is about the ASAv firewall, logically this is sufficient. Next, let's prepare to access it from Windows 10 with ASDM.
That's it. Now go into Windows 10 and continue with connecting through ASDM.
Since the username and password are still left blank at this point, just click Log in.
Download the dm-launcher.msi file and install it.
Everything is ready now. From this point on we can configure the ASAv from the GUI as we need.
From now on the whole ASAv firewall is under our control. For the lab, completing these steps successfully matters most, because only then can you try out the ASA theory in hands-on labs however you like.