Deploy the ASA Virtual on Oracle Cloud Infrastructure

You can deploy the ASA virtual on the Oracle Cloud Infrastructure (OCI).

Overview

OCI is a public cloud computing service that enables you to run your applications in a highly-available, hosted environment offered by Oracle.

The ASA virtual runs the same software as physical ASA virtuals to deliver proven security functionality in a virtual form factor. The ASA virtual can be deployed in the public OCI. It can then be configured to protect virtual and physical data center workloads that expand, contract, or shift their location over time.

OCI Compute Shapes

A shape is a template that determines the number of CPUs, amount of memory, and other resources that are allocated to an instance. The ASA virtual supports the following Standard – General purpose OCI shape types:

Table 1. Supported Compute Shapes for ASA Virtual

OCI Shape

Supported ASAv Version

Attributes

Interfaces

oCPUs

RAM (GB)

Intel VM.DenseIO2.8

9.19 and later

8

120

Minimum 4, Maximum 8

Intel VM.StandardB1.4

9.19 and later

4

48

Minimum 4, Maximum 4

Intel VM.StandardB1.8

9.19 and later

4

96

Minimum 4, Maximum 8

Intel VM.Standard1.4

9.19 and later

4

28

Minimum 4, Maximum 4

Intel VM.Standard1.8

9.19 and later

8

56

Minimum 4, Maximum 8

Intel VM.Standard2.4

9.15, 9.16, 9.17, 9.18, 9.19, 9.20, 9.21, and 9.22 and later

4

60

Minimum 4, Maximum 4

IntelVM.Standard2.8

9.15, 9.16, 9.17, 9.18, 9.19, 9.20, 9.21, and 9.22 and later

8

120

Minimum 4, Maximum 8

Intel VM.Standard3.Flex

9.19 and later

4

16

Minimum 4, Maximum 4

9.19 and later

6

24

Minimum 4, Maximum 6

9.19 and later

8

32

Minimum 4, Maximum 8

Intel VM.Optimized3.Flex

9.19 and later

4

16

Minimum 4, Maximum 8

9.19 and later

6

24

Minimum 4, Maximum 10

9.19 and later

8

32

Minimum 4, Maximum 10

AMD VM.Standard.E4.Flex

9.19 and later

4

16

Minimum 4, Maximum 4

9.19 and later

6

24

Minimum 4, Maximum 6

9.19 and later

8

32

Minimum 4, Maximum 8

  • The ASA virtual requires a minimum of 3 interfaces.

  • In OCI, 1 oCPU is equal to 2 vCPUs.

  • The maximum supported vCPUs is 16 (8 oCPUs).

Recommendations for using the OCI Compute shapes supported by version ASA virtual 9.19 and later.

  • OCI marketplace image version 9.19.1-v3 and later are compatible only with the OCI compute shapes of ASA virtual 9.19 and later.

  • You can use the OCI compute shapes supported by ASA virtual 9.19 and later only for new deployments.

  • OCI compute shapes version 9.19.1-v3 and later are not compatible with upgrading VMs that are deployed with ASA virtual using the OCI compute shape versions earlier to ASA virtual 9.19.

  • The billing will continue for the VM.DenseIO2.8 compute shape subscription, even after you shut down the instance. For more information, see OCI Documentation.

You create an account on OCI, launch a compute instance using the Cisco ASA virtual firewall (ASA virtual) offering on the Oracle Cloud Marketplace, and choose an OCI shape.

Prerequisites

  • Create an account on https://www.oracle.com/cloud/sign-in.html.

  • License the ASA virtual. Until you license the ASA virtual, it will run in degraded mode, which allows only 100 connections and throughput of 100 Kbps. See Licenses: Smart Software Licensing .


    Note


    All the default License entitlement offered by Cisco, previously for ASA Virtual will have the IPv6 configuration support.


  • Interface requirements:

    • Management interface

    • Inside and outside interfaces

    • (Optional) Additional subnet (DMZ)

  • Communications paths:

    • Management interface—Used to connect the ASA virtual to the ASDM; can’t be used for through traffic.

    • Inside interface (required)—Used to connect the ASA virtual to inside hosts.

    • Outside interface (required)—Used to connect the ASA virtual to the public network.

    • DMZ interface (optional)—Used to connect the ASA virtual to the DMZ network.

  • For ASA virtual system requirements, see Cisco Secure Firewall ASA Compatibility.

Guidelines and Limitations

Supported Features

The ASA virtual on OCI supports the following features:

  • Deployment in the OCI Virtual Cloud Network (VCN)

  • Maximum of 16 vCPUs (8 oCPUs) per instance

  • Routed mode (default)

  • Licensing – Only BYOL is supported

  • Single Root I/O Virtualization (SR-IOV) is supported

  • IPv6

Performance Tiers for ASA virtual Smart Licensing

The ASA virtual supports performance-tiered licensing that provides different throughput levels and VPN connection limits based on deployment requirements.

Performance Tier

Instance Type (Core/RAM)

Rate Limit

RA VPN Session Limit

ASAv5

VM.Standard2.4

4 core/60 GB

100 Mbps

50

ASAv10

VM.Standard2.4

4 core/60 GB

1 Gbps

250

ASAv30

VM.Standard2.4

4 core/60 GB

2 Gbps

750

ASAv50

VM.Standard2.8

8 core/120 GB

NA

10,000

ASAv100

VM.Standard2.8

8 core/120 GB

NA

20,000

Unsupported Features

The ASA virtual on OCI does not support the following:

  • ASA virtual native HA

  • Transparent/inline/passive modes

  • Multi-context mode

Limitations

  • ASA virtual deployment on OCI does not support Mellanox 5 as vNICs in the SR-IOV mode.

  • OCI supports only the dual stack mode (IPv4 and IPv6) configuration, and standalone IPv6 configuration is not supported in a Virtual Private Network (VPN).

  • Separate routing rules required for ASAv for both static and DHCPconfiguration.

Sample Network Topology

The following figure shows the recommended network topology for the ASA virtual in Routed Firewall Mode with 3 subnets configured in OCI for the ASA virtual (management, inside, and outside).

Figure 1. Sample ASA Virtual on OCI Deployment

ASA Virtual IPv6 Deployment Topology

Deploy the ASA Virtual

The following procedures describe how to prepare your OCI environment and launch the ASA virtual instance. You log into the OCI portal, search the OCI Marketplace for the Cisco ASA virtual firewall (ASA virtual) offering, and launch the compute instance. After launching the ASA virtual, you must configure route tables to direct traffic to the firewall depending on the traffic’s source and destination.

Create the Virtual Cloud Network (VCN)

You configure the Virtual Cloud Network (VCN) for your ASA virtual deployment. At a minimum, you need three VCNs, one for each interface of the ASA virtual.

You can continue with the following procedures to complete the Management VCN. Then you return to Networking to create VCNs for the inside and outside interfaces.

Before you begin


Note


After you select a service from the navigation menu, the menu on the left includes the compartments list. Compartments help you organize resources to make it easier to control access to them. Your root compartment is created for you by Oracle when your tenancy is provisioned. An administrator can create more compartments in the root compartment and then add the access rules to control which users can see and take action in them. See the Oracle document “Managing Compartments” for more information.


Procedure


Step 1

Log into OCI and choose your region.

OCI is divided into multiple regions that are isolated from each other. The region is displayed in the upper right corner of your screen. Resources in one region do not appear in another region. Check periodically to make sure you are in the intended region.

Step 2

Choose Networking > Virtual Cloud Networks and click Create Virtual Cloud Networks.

Step 3

Enter a descriptive Name for your VCN, for example ASAvManagement.

Step 4

Enter a CIDR block for your VCN.

  1. An IPv4 CIDR block of IP addresses. CIDR (Classless Inter-Domain Routing) notation is a compact representation of an IP address and its associated routing prefix. For example, 10.0.0.0/24.

    Note

     

    Use DNS hostnames in this VCN.

  2. Select the Assign an Oracle allocated IPv6 /56 check box to add a single Oracle assigned IPv6 address to your VCN.

Step 5

Click Create VCN.


Create the Network Security Group

A network security group consists of a set of vNICs and a set of security rules that apply to those vNICs.

Procedure

Step 1

Choose Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Network Security Groups, and click Create Network Security Group.

Step 2

Enter a descriptive Name for your Network Security Group, for example ASAv-Mgmt-Allow-22-443.

Step 3

Click Next.

Step 4

Add your security rules:

  1. Add a rule to allow TCP port 22 for SSH Access to ASA virtual console.

  2. Add a rule to allow TCP port 443 for HTTPS Access to ASDM.

    The ASA virtual can be managed via ASDM, which requires port 443 to be opened for HTTPS connections.

Step 5

Click Create.


Create the Internet Gateway

An Internet gateway is required to make your management subnet publicly accessible.

Procedure

Step 1

Choose Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Internet Gateways, and click Create Internet Gateway.

Step 2

Enter a descriptive Name for your Internet gateway, for example, ASAv-IG.

Step 3

Click Create Internet Gateway.

Step 4

Add the route to the Internet Gateway:

  1. Choose Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Route Tables.

  2. Click on the link for your default route table to add route rules.

  3. Click Add Route Rules.

  4. From the Target Type drop-down, select Internet Gateway.

  5. Enter the Destination IPv4 CIDR Block, for example 0.0.0.0/0.

  6. Enter the Destination IPv6 CIDR Block, For example, [::/0].

  7. From the Target Internet Gateway drop-down, select the gateway you created.

  8. Click Add Route Rules.


Create the Subnet

Each VCN will have one subnet, at a minimum. You’ll create a Management subnet for the Management VCN. You’ll also need an Inside subnet for the Inside VCN, and an Outside subnet for the Outside VCN.

Procedure

Step 1

Choose Networking > Virtual Cloud Networks > Virtual Cloud Network Details > Subnets, and click Create Subnet.

Step 2

Enter a descriptive Name for your subnet, for example, Management.

Step 3

Select a Subnet Type (leave the recommended default of Regional).

Step 4

Enter a CIDR Block, for example 10.10.0.0/24. The internal (non-public) IP address for the subnet is taken from this CIDR block.

Step 5

Check the Assign an Oracle allocated IPv6 /56 prefix check box.

A unique IPv6 address is generated, where you must manually enter the last two hexadecimal digits. However, the IPv6 prefix in subnet is always fixed to /64.

Step 6

Select one of the route tables you created previously from the Route Table drop-down.

Step 7

Select the Subnet Access for your subnet.

For the Management subnet, this must be Public Subnet.

Step 8

Select the DHCP Option.

Step 9

Select a Security List that you created previously.

Step 10

Click Create Subnet.


What to do next

After you configure your VCNs (Management, Inside, Outside) you are ready to launch the ASA virtual. See the following figure for an example of the ASA virtual VCN configuration.

Figure 2. ASA Virtual Cloud Networks
Configure IPv6 Gateway Address Using Cloud Shell

In OCI, each subnet has a unique IPv6 gateway address which you must configure in ASAv for IPv6 traffic to work. This gateway address is retrieved from the subnet details running an OCI command in the cloud shell.

Procedure

Step 1

Go to OCI > Open CloudShell (OCI Cloud Terminal) .

Step 2

Execute following command to get the IPv6 details from the subnet:

oci network subnet get –subnet_id <subnet_OCID>

Step 3

From the command result find the ipv6-virtual-router-ip key.

Step 4

Copy the value of this key and use it as required.


Create the ASA Virtual Instance on OCI

You deploy the ASA virtual on OCI via a Compute instance using the Cisco ASA virtual firewall (ASA virtual) offering on the Oracle Cloud Marketplace. You select the most appropriate machine shape based on characteristics such as the number of CPUs, amount of memory, and network resources.

Procedure


Step 1

Log into the OCI portal.

The region is displayed in the upper right corner of your screen. Make sure you are in the intended region.

Step 2

Choose Marketplace > Applications.

Step 3

Search Marketplace for “Cisco ASA virtual firewall (ASAv)” and choose the offering.

Step 4

Review the Terms and Conditions, and check the I have reviewed and accept the Oracle Terms of Use and the Partner terms and conditions.check box.

Step 5

Click Launch Instance.

Step 6

Enter a descriptive Name for your instance, for example, ASAv-9-15.

Step 7

Click Change Shape and select the shape with the number of oCPUs, the amount of RAM, and the number of interfaces required for the ASA virtual; for example, VM.Standard2.4 (see Table 1).

Step 8

From the Virtual Cloud Network drop-down, choose the Management VCN.

Step 9

From the Subnet drop-down, choose the Management subnet if it's not autopopulated.

Step 10

Check Use Network Security Groups to Control Traffic and choose the security group you configured for the Management VCN.

Step 11

Click the Assign a Public Ip Address radio button.

Step 12

Under Add SSH keys, click the Paste Public Keys radio button and paste the SSH key.

Linux-based instances use an SSH key pair instead of a password to authenticate remote users. A key pair consists of a private key and public key. You keep the private key on your computer and provide the public key when you create an instance. See Managing Key Pairs on Linux Instances for guidelines.

Step 13

Click the Show Advanced Options link to expand the options.

Step 14

(Optional) Under Initialization Script, click the Paste Cloud-Init Script radio button to provide a day0 configuration for the ASA virtual. The day0 configuration is applied when the ASA virtual is launched.

The following example shows a sample day0 configuration you can copy and paste in the Cloud-Init Script field:

See the ASA Configuration Guides and the ASA Command Reference for complete information on the ASA commands.

Important

 

When you copy text from this example, you should validate the script in a third-party text editor or validation engine to prevent format errors and remove invalid Unicode characters.


!ASA Version 9.18.1
interface management0/0
management-only
nameif management
security-level 100
ip address dhcp setroute
ipv6 enable
ipv6 address dhcp default
no shut
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
crypto key generate rsa modulus 2048
ssh 0 0 management
ssh ::/0 management
 
ssh timeout 60
ssh version 2
username admin nopassword privilege 15
username admin attributes
service-type admin
http server enable
http 0 0 management
aaa authentication ssh console LOCAL

Step 15

Click Create.


What to do next

Monitor the ASA virtual instance, which shows the state as Provisioning after you click the Create button.


Important


It’s important to monitor the status. As soon as the ASA virtual instance goes from Provisioning to Running state you need to attach the VNICs as required before the ASA virtual boot completes.


Attach the Interfaces

The ASA virtual enters the Running state with one VNIC attached (see Compute > Instances > Instance Details > Attached VNICs). This is referred to as the Primary VNIC, and maps to the Management VCN. Before the ASA virtual completes the first boot, you need to attach the VNICs for the other VCN subnets you created previously (inside, outside) so that the VNICs are correctly detected on ASA virtual.

Procedure


Step 1

Select your newly launched ASA virtual instance.

Step 2

Choose Attached VNICs > Create VNIC.

Step 3

Enter a descriptive Name for your VNIC, for example Inside.

Step 4

Select the VCN from the Virtual Cloud Network drop-down.

Step 5

Select your subnet from the Subnet drop-down.

Step 6

Check Use Network Security Groups to Control Traffic and choose the security group you configured for the selected VCN.

Step 7

Check Skip Source Destination Check Network Security Groups to Control Traffic.

Step 8

(Optional) Specify a Private IP Address. This is only required if you want to choose a particular IP for the VNIC.

If you do not specify an IP, OCI will assign an IP address from the CIDR block you assigned to the subnet.

If you are configuring IPv6 address, then select and assign unique IPv6 address to each interface.

Step 9

Click Save Changes to create the VNIC.

Step 10

Repeat this procedure for each VNIC your deployment requires.


Add Route Rules for the Attached VNICs

Add route table rules to the inside and outside route tables.

Procedure


Step 1

Choose Networking > Virtual Cloud Networks > and click the default route table associated with the VCN (inside or outside).

Step 2

Click Add Route Rules.

Step 3

From the Target Type drop-down, select Private IP.

Step 4

From the Destination Type drop-down, select CIDR Block.

Step 5

Enter the Destination IPv4 CIDR Block, for example, 0.0.0.0/0.

Step 6

Enter the Destination IPv6 CIDR Block, for example, [::/0].

Step 7

Enter the private IP address of the VNIC in the Target Selection field.

If you did not explicitly assign an IP address to the VNIC, you can find the auto-assigned IP address from the VNIC details (Compute > Instances > Instance Details > Attached VNICs).

Step 8

Click Add Route Rules.

Step 9

Repeat this procedure for each VNIC your deployment requires.

Note

 

Separate routing rules required for ASA Virtual (Static and DHCP) configuration.

ipv6 route <interface_name> <interface_subnet_CIDR> <ipv6_virtual_router_ip>


Example

  • ipv6 route inside 2603:c020:5:5800::/64 fe80::200:17ff:fe96:921b

  • ipv6 route outside 2603:c020:6:ba00::/64 fe80::200:17ff:fe21:748c

Access the ASA Virtual Instance on OCI

You can connect to a running instance by using a Secure Shell (SSH) connection.

  • Most UNIX-style systems include an SSH client by default.

  • Windows 10 and Windows Server 2019 systems should include the OpenSSH client, which you'll need if you created your instance using the SSH keys generated by Oracle Cloud Infrastructure.

  • For other Windows versions you can download PuTTY, the free SSH client from http://www.putty.org.

Prerequisites

You'll need the following information to connect to the instance:

  • The public IP address of the instance. You can get the address from the Instance Details page in the Console. Open the navigation menu. Under Core Infrastructure, go to Compute and click Instances. Then, select your instance. Alternatively, you can use the Core Services API ListVnicAttachments and GetVnic operations.

  • The username and password of your instance.

  • The full path to the private key portion of the SSH key pair that you used when you launched the instance. For more information about key pairs, see Managing Key Pairs on Linux Instances.


Note


You can log in to the ASA virtual instance using the credentials specified in the day0 configuration, or by using the SSH key pair you created during the instance launch.


Connect to the ASA Virtual Instance Using SSH

To connect to the ASA virtual instance from a Unix-style system, log in to the instance using SSH.

Procedure


Step 1

Use the following command to set the file permissions so that only you can read the file:

$ chmod 400 <private_key>

Where:

<private_key> is the full path and name of the file that contains the private key associated with the instance you want to access.

Step 2

Use the following SSH command to access the instance.

$ ssh –i <private_key> <username>@<public-ip-address>

Where:

<private_key> is the full path and name of the file that contains the private key associated with the instance you want to access.

<username> is the username for the ASA virtual instance.

<public-ip-address> is your instance IP address that you retrieved from the Console.

<ipv6-address> is your instance management interface IPv6 address.


Connect to the ASA Virtual Instance Using OpenSSH

To connect to the ASA virtual instance from a Windows system, log in to the instance using OpenSSH.

Procedure


Step 1

If this is the first time you are using this key pair, you must set the file permissions so that only you can read the file.

Do the following:

  1. In Windows Explorer, navigate to the private key file, right-click the file, and then click Properties.

  2. On the Security tab, click Advanced.

  3. Ensure that the Owner is your user account.

  4. Click Disable Inheritance, and then select Convert inherited permissions into explicit permissions on this object.

  5. Select each permission entry that is not your user account and click Remove.

  6. Ensure that the access permission for your user account is Full control.

  7. Save your changes.

Step 2

To connect to the instance, open Windows PowerShell and run the following command:

$ ssh –i <private_key> <username>@<public-ip-address>

Where:

<private_key> is the full path and name of the file that contains the private key associated with the instance you want to access.

<username> is the username for the ASA virtual instance.

<public-ip-address> is your instance IP address that you retrieved from the Console.


Connect to the ASA Virtual Instance Using PuTTY

To connect to the ASA virtual instance from a Windows system using PuTTY:

Procedure


Step 1

Open PuTTY.

Step 2

In the Category pane, select Session and enter the following:

  • Host Name (or IP address):

    <username>@<public-ip-address>

    Where:

    <username> is the username for the ASA virtual instance.

    <public-ip-address> is your instance public IP address that you retrieved from the Console.

  • Port: 22

  • Connection type: SSH

Step 3

In the Category pane, expand Window, and then select Translation.

Step 4

In the Remote character set drop-down list, select UTF-8.

The default locale setting on Linux-based instances is UTF-8, and this configures PuTTY to use the same locale.

Step 5

In the Category pane, expand Connection, expand SSH, and then click Auth.

Step 6

Click Browse, and then select your private key.

Step 7

Click Open to start the session.

If this is your first time connecting to the instance, you might see a message that the server's host key is not cached in the registry. Click Yes to continue the connection.


Troubleshooting

Problem SSH—ASA Virtual with IPv6 is not working

  • Solution Verify if the route for ::/0 via Internet Gateway is present in the VPC Route Table.

  • Solution Verify if the Port 22 is allowed in the security Group associated with the Management Subnet or Interface.

  • Solution Verify via IPv4 SSH session whether Management interface is configured with IPv6 address.

  • Solution Check for "ssh config" in the ASA Virtual and all required config is provided as part of day0 or configured later.

Problem East-West traffic not working.

  • Solution Verify in the EC2 > Instance > Networking, whether “Change source/destination check” is stopped.

  • Solution Verify routes are properly configured on Inside/Outside Linux.

  • Solution Add the proper routes in ASA Virtual in case of manual IPv6 addressing.

  • Solution Check ”show asp drop” for any packet drops and act accordingly.