
[GUIDE]-HOW TO: Use Cisco ASAv (Virtual ASA) instead of pfsense w/ESXI, failover ip!!


harpss1ngh
24-01-2017, 02:25
Quote Originally Posted by AJ1982
Pretty much there, but it may differ per region.

I first setup a pfsense box which gave me some good MAC address info for the arp.. and some slight corrections...

===

arp (real gateway) 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 (real.real.real.254)

NO REFERENCE to any alias IP address, except in the case of the interface configuration.
I built 2 new hosts so used the ASAv again.

I couldn't get it to work with the real server IP gateway, it only worked with the failover IP gateway!

AJ1982
27-11-2015, 11:01
btw cool Blog

AJ1982
27-11-2015, 11:00
Sorry think I made a boo boo...

route outside 0.0.0.0 0.0.0.0 gw.gw.gw.gw
(Where GW is the default gateway of your primary server.)
arp outside gw.gw.gw.gw 00ff.ffff.ffff

Not sure about ARP traffic being generated, I only use the firewall in development mode, but the above works a treat, in addition to your instructions.

harpss1ngh
26-11-2015, 13:35
Quote Originally Posted by AJ1982
Pretty much there, but it may differ per region.

I first setup a pfsense box which gave me some good MAC address info for the arp.. and some slight corrections...

===

arp (real gateway) 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 (real.real.real.254)

NO REFERENCE to any alias IP address, except in the case of the interface configuration.
Thanks, I've tested it and it worked fine so updated the OP.

I presume this wouldn't increase the ARP traffic any more than my previous commands did?

harpss1ngh
26-11-2015, 11:46
Finally my blog is up now btw!!! Restored it from scratch as it died a while back

harpss1ngh
06-11-2015, 15:57
Quote Originally Posted by AJ1982
Really good guide, just needed a couple of commands changing around.

New to OVH and really liking it too, looking forward to seeing your blog.
Thanks for the feedback, I'll give that a whirl and edit the OP

AJ1982
06-11-2015, 15:50
Quote Originally Posted by harpss1ngh
I wrote that guide as fast as I configured my ASAv, so it works and is tried and tested. Will double check again
Really good guide, just needed a couple of commands changing around.

New to OVH and really liking it too, looking forward to seeing your blog.

harpss1ngh
06-11-2015, 15:46
Quote Originally Posted by AJ1982
Pretty much there, but it may differ per region.

I first setup a pfsense box which gave me some good MAC address info for the arp.. and some slight corrections...

===

arp (real gateway) 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 (real.real.real.254)

NO REFERENCE to any alias IP address, except in the case of the interface configuration.
I wrote that guide as fast as I configured my ASAv, so it works and is tried and tested. Will double check again

harpss1ngh
06-11-2015, 15:44
Almost forgot about my blog, it's still down and I forgot to bring it online

AJ1982
06-11-2015, 15:38
Pretty much there, but it may differ per region.

I first setup a pfsense box which gave me some good MAC address info for the arp.. and some slight corrections...

===

arp (real gateway) 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 (real.real.real.254)

NO REFERENCE to any alias IP address, except in the case of the interface configuration.

harpss1ngh
23-10-2015, 11:56
This guide is very useful for people with remote sites who want to establish a site-to-site IPSec VPN with their SYS or OVH server securely (to have a massive network between the two sites to talk securely over a VPN) but would prefer a Cisco device over pfsense (which is a great product but requires a vm installed with a web gui to configure whereas you can configure this via the console in 5 mins).
Cisco engineers or people who want to learn about Cisco ASA (maybe to help you with your CCNA) would really benefit from this too to get a lab up and running.

Please see my blog where I have a detailed guide on how to set up a Cisco ASAv (I will be adding a detailed version of this guide here shortly; also the site is down temporarily, so wait about 24 hours after this post).

My blog: blog.sanghera.me.uk (Currently down, please wait 24 hours)

In my opinion it's so much easier to use Cisco ASAv than pfsense. All I had to do was run a few commands and I had it running after a few mins. No need for a VM and no issues with internet connectivity going down due to NAT or the manual static routes being lost at reboot, etc...

You will need:

ESXi IP address (Standard IP provided by SYS/OVH)
Failover IP (Get one from the control panel with a SYS/OVH server)


So here's what I did:

1) Deploy ESXi, select the VM network (or create a new port group) and rename it to WAN. Edit the vSwitch, set Promiscuous mode to Accept on the Security tab, click OK, then close the vSwitch0 properties.


2) Create a new vSwitch (No need for an additional NIC, just a vSwitch). Create a port group, call it LAN.


3) Deploy the ASAv OVA (Officially you need vCenter for this, but there are guides out there to do this without it! I will post a better guide on my blog site for more info. Also you will need a license for Cisco ASAv, they're not cheap...or you can do this for Educational purposes if this is for a LAB (HINT :use Google))...Select WAN for network adapter 2 and LAN for network adapter 3 (network adapter 1 for management interface not needed at this time). Now edit the network adapter 2, change the mac to manual and enter the virtual mac address from your OVH/SYS control panel (this is covered on this forum already).

4) Power on ASAv, once booted switch to enable mode (type in "en" or "enable" at the ciscoasa> prompt). Hit enter at the password prompt

5) Enter configure mode (conf t)

6) Type in "int gi0/0", hit enter. Type "nameif outside", hit enter. Type "security-level 0", hit enter. Type "ip address 255.255.255.0".

7) Type in "int gi0/1", hit enter. Type "nameif inside", hit enter. Type "security-level 100", hit enter. Type "ip address 192.168.1.1 255.255.255.0" (This will be your LAN IP, you can change it for any other private network)

8) Now type in "arp outside "
(where xxx is the first 3 octets of your failover ip)

e.g arp outside 123.123.123.253 00ff.ffff.ffff

(Thanks to AJ1982)

9) Now type in route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254
(where xxx.xxx.xxx is the first 3 octets of your failover IP, followed by .254)

e.g route outside 0.0.0.0 0.0.0.0 123.123.123.254

type "wr" (or "write", "copy run start", etc..). Now when you reboot the config will stick.

10) Now if you can ping your ESXi IP as well as ping outside networks (or 8.8.8.8), congratulations you now have a working config.

But WAIT: This is a very basic config and is not secure, you need to do some further config to secure your firewall. And also you still need an IP Sec VPN to connect to your remote sites. You can also further expand this example and create sub interfaces for your 16 failover IP's! This will allow you to set 1:1 mapping with 16 LAN addresses so that you can use them all! I will add more guides to my blog to show how to do this.
For examples on how to do just that, see my blog above.

Feel free to leave comments here or in my blog (when it's up)

I hope this helps someone!

Thanks



EDIT: blog is up now!!
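The steps above, consolidated into one pasteable ASA configuration and extended with the outbound NAT, ICMP inspection and management hardening the post says is still needed. This is an added example, not the poster's own config: 123.123.123.45 stands in for your failover IP and 123.123.123.254 for its gateway (the post's example prefix), the hostname, account and secrets are placeholders, and the static ARP entry uses AJ1982's corrected form (the gateway address with 00ff.ffff.ffff) rather than the .253 variant in step 8.

```cisco
! Added example: consolidated ASAv config for an OVH/SYS ESXi host.
! PLACEHOLDERS: 123.123.123.45 = your failover IP, 123.123.123.254 = its gateway.
hostname ovh-asav
!
! Steps 6-7: WAN on Gi0/0 (virtual MAC is set on the ESXi adapter), LAN on Gi0/1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.45 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Steps 8-9: pin the OVH gateway MAC and default-route through it
arp outside 123.123.123.254 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 123.123.123.254 1
!
! Assumed addition: private LAN addresses are not routable upstream, so hosts
! behind 'inside' need PAT to the failover IP to reach the internet
object network LAN-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Assumed addition: allow echo replies for pings from LAN hosts back through
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Assumed hardening: local admin account, SSHv2 from the LAN only, no HTTP/ASDM
! listener on any interface, logging enabled. Replace both secrets before pasting.
enable password CHANGE-ME-ENABLE
username admin password CHANGE-ME-ADMIN privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
no http server enable
logging enable
logging buffered informational
!
! Step 9 end: persist the running config so it survives a reboot
write memory
```

Step 10's check still applies afterwards: ping the ESXi IP and 8.8.8.8 from the ASA, then from a LAN host to confirm the NAT and ICMP inspection lines work.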