This guide is very useful for people with remote sites who want to establish a site-to-site IPsec VPN with their SYS or OVH server securely (so the two sites share one network and talk securely over the VPN) but would prefer a Cisco device over pfSense (which is a great product, but it needs a VM installed and a web GUI to configure it, whereas you can configure this via the console in 5 minutes).
Cisco engineers or people who want to learn about Cisco ASA (maybe to help you with your CCNA) would really benefit from this too to get a lab up and running.
Please see my blog where I have a detailed guide on how to set up a Cisco ASAv (I will be adding a detailed version of this guide here shortly; also, the site is down temporarily, so wait about 24 hours after this post).
My blog:
blog.sanghera.me.uk (Currently down, please wait 24 hours)
In my opinion it's so much easier to use Cisco ASAv than pfSense. All I had to do was run a few commands and I had it running after a few minutes. No need for a VM and no issues with internet connectivity going down due to NAT or the manual static routes being lost at reboot, etc...
You will need:
ESXi IP address (the standard IP provided by SYS/OVH)
Failover IP (get one from the control panel of your SYS/OVH server)
So here's what I did:
1) Deploy ESXi, select the VM Network port group (or create a new port group) and rename it to WAN. Edit vSwitch0, set Promiscuous mode to Accept on the Security tab, click OK, then close the vSwitch0 properties.
2) Create a new vSwitch (no need for an additional NIC, just a vSwitch). Create a port group and call it LAN.
3) Deploy the ASAv OVA (officially you need vCenter for this, but there are guides out there to do it without it; I will post a better guide on my blog with more info. You will also need a license for Cisco ASAv; they're not cheap... or you can do this for educational purposes if this is for a lab (HINT: use Google)). Select WAN for network adapter 2 and LAN for network adapter 3 (network adapter 1 is the management interface and is not needed at this time). Now edit network adapter 2, change the MAC to manual and enter the virtual MAC address from your OVH/SYS control panel (this is covered on this forum already).
4) Power on the ASAv; once it has booted, switch to enable mode (type "en" or "enable" at the ciscoasa> prompt). Hit Enter at the password prompt.
5) Enter configuration mode (conf t).
6) Type in "int gi0/0", hit enter. Type "nameif outside", hit enter. Type "security-level 0", hit enter. Type "ip address
255.255.255.0.
7) Type in "int gi0/1", hit enter. Type "nameif inside", hit enter. Type "security-level 100", hit enter. Type "ip address 192.168.1.1 255.255.255.0" (this will be your LAN IP; you can change it to any other private network).
8) Now type in "arp outside "
(where xxx is the first 3 octets of your failover IP)
e.g. arp outside 123.123.123.253 00ff.ffff.ffff
(Thanks to AJ1982)
9) Now type in route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.254
(where xxx is the first 3 octets of your failover IP, followed by .254)
e.g. route outside 0.0.0.0 0.0.0.0 123.123.123.254
Type "wr" (or "write", "copy run start", etc.). Now the config will stick when you reboot.
10) Now, if you can ping your ESXi IP as well as outside networks (or 8.8.8.8), congratulations, you now have a working config.
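As an added example (not from the original post), here are steps 4 to 9 collected into one block you can paste at the config prompt, using 123.123.123.10 as a made-up failover IP so the .253 ARP entry and .254 gateway match the e.g. lines above. The NAT and management-hardening lines at the end are my own additions that the post leaves for later; the hostname, the LAN-NET object, the admin username and the passwords are placeholders I chose.

```cisco
! Assumes the failover IP is 123.123.123.10 (made-up value, change it), so the
! OVH/SYS gateway is 123.123.123.254 and the static ARP entry is .253, as in
! steps 8 and 9. Paste at the "ciscoasa(config)#" prompt.
hostname asav-ovh
!
! Step 6: WAN side, lowest trust
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.123.10 255.255.255.0
 no shutdown
!
! Step 7: LAN side, highest trust (any private range works)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Steps 8 and 9: static ARP for the gateway trick and the default route
arp outside 123.123.123.253 00ff.ffff.ffff
route outside 0.0.0.0 0.0.0.0 123.123.123.254 1
!
! Added: PAT so hosts on the LAN reach the internet via the failover IP
! (step 10 only pings from the ASA itself; LAN hosts need this as well)
object network LAN-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Added: minimum management hardening (the post says this is still missing).
! Change both passwords; SSH is accepted only from the inside network.
enable password ChangeMe-Enable1
username admin password ChangeMe-Admin1 privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
!
! Inside -> outside is permitted by the security levels alone; nothing from
! the internet is allowed in until you add an access-list, which is what you want.
write memory
```

After pasting, "show route" should list the default route via 123.123.123.254 and "show arp" the static .253 entry; if the ping from step 10 works from a LAN host too, the PAT rule is doing its job.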
But WAIT: this is a very basic config and is not secure; you need to do some further config to secure your firewall. And you still need an IPsec VPN to connect to your remote sites. You can also expand this example further and create subinterfaces for your 16 failover IPs! This will allow you to set up 1:1 mapping to 16 LAN addresses so that you can use them all. I will add more guides to my blog to show how to do this.
For examples on how to do just that, see my blog above.
Feel free to leave comments here or on my blog (when it's up).
I hope this helps someone!
Thanks
EDIT: blog is up now!!