In this article, I’ll install the Cisco ASA Firewall in EVE-NG. The Cisco ASA Firewall comes on both hardware and virtual platforms, and you can achieve almost the same functionality on a virtual firewall. So it is a great idea to deploy and learn the Cisco ASA on virtual platforms such as VMWare Workstation or KVM. EVE-NG is a great network simulator that will enhance your network learning. EVE-NG supports KVM, so we can install a Cisco ASAv firewall on it. So, let’s start!
Download and Install EVE-NG on VMWare Workstation / ESXi
First, you need to set up VMWare Workstation on your machine. VMWare Workstation comes with a 30-day trial; after the trial, you need to purchase it. VMWare Workstation lets you run virtual machines just like physical machines. You can download VMWare Workstation and install it on your machine. It is also cross-platform software: you can install it on Windows or Linux. If you are using VMWare ESXi, please check the guide EVE-NG Configuration on VMWare ESXi.
EVE-NG comes in both commercial and community editions. You need to pay for the commercial version of EVE-NG. However, the community edition of EVE-NG is free. You can simply download the EVE-NG ISO and OVF template. If you are new to EVE-NG, I recommend that you download the EVE-NG OVF and go through the EVE-NG initial configuration on VMWare. If you have hardware dedicated to EVE-NG, you can download the ISO file and install it.
Once you have installed EVE-NG on VMWare Workstation, it will look like the image below!
Image Source: EVE-NG
Download Virtual Cisco ASA Firewall for EVE-NG
You need a Cisco ASAv image to deploy it on EVE-NG. I recommend you download it from Cisco Software. Once you have the ASAv image, we can proceed with the next configuration. To download and install the Cisco ASAv image you must have a Cisco One ID. Just visit Cisco Software and navigate to ASA Images. Make sure you download the qcow2 image file. You may refer to the image below.
Image Source: Cisco
Uploading the Cisco ASAv Image to EVE-NG
Finally, you need to upload the Cisco ASAv image to EVE-NG. It can be done over several protocols, such as HTTP, HTTPS, FTP, and FTPS. I recommend installing a web server on your machine and just moving the file to the web server directory. Alternatively, you can use FileZilla or WinSCP to upload the file to EVE-NG.
I already have a Cisco ASA Firewall image and a web server. First, I’ll move the ASA image to the web server directory.
[simterm]$ sudo mv asav981-7.qcow2 /var/www/html/eve/[/simterm]
Now, connect to EVE-NG over SSH using your SSH client. You will need the IP address of the EVE-NG Server. In my case, the IP address of EVE-NG is 192.168.180.12.
[simterm]$ ssh root@172.16.240.134
The authenticity of host '172.16.240.134 (172.16.240.134)' can't be established.
ECDSA key fingerprint is SHA256:qzXwhQLYb/cRd94MXvVbHZIl63FZ/leFRUh7RH35y4I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
##red##Warning: Permanently added '172.16.240.134' (ECDSA) to the list of known hosts.
root@172.16.240.134's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.20.17-eve-ng-ukms+ x86_64)
*Documentation: https://help.ubuntu.com
*Management: https://landscape.canonical.com
*Support: https://ubuntu.com/advantage
Last login: Tue Jun 8 08:10:56 2021
##red##root@eve-ng:~#[/simterm]
Further, you need to create a directory under /opt/unetlab/addons/qemu/.
[simterm]root@eve-ng:~# mkdir /opt/unetlab/addons/qemu/asav-981-7[/simterm]
Now, we need to change the current directory to /opt/unetlab/addons/qemu/asav-981-7/ using the cd command.
[simterm]root@eve-ng:~# cd /opt/unetlab/addons/qemu/asav-981-7/[/simterm]
Transfer the Cisco ASAv image to EVE-NG using wget. The wget package is already installed on the EVE-NG machine.
[simterm]$ wget http://172.16.240.1/eve/asav981-7.qcow2
--2021-06-08 08:42:30-- http://172.16.240.1/eve/asav981-7.qcow2
Connecting to 172.16.240.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 105709568 (101M)
Saving to: ‘asav981-7.qcow2’
asav981-7.qcow2 100%[======================================================>] 100.81M 11.7MB/s in 8.5s
2021-06-08 08:42:38 (11.8 MB/s) - ‘asav981-7.qcow2’ saved [105709568/105709568][/simterm]
Configuring Cisco ASAv on EVE-NG
Are you following me? We are almost done. Now, we need to rename the image as per the EVE-NG requirement. You can rename it by executing the command below.
[simterm]$ mv asav981-7.qcow2 virtioa.qcow2[/simterm]
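The image above travelled over plain HTTP, so it is worth checking it before it becomes virtioa.qcow2. The following is an added example, not part of the original article or of EVE-NG: `install_verified_image` is a hypothetical helper, and it assumes you have a SHA-512 value for the file from the vendor's download page.

```shell
#!/usr/bin/env bash
# Added example: verify a qcow2 image before placing it in an EVE-NG image directory.
# install_verified_image is a hypothetical helper, not an EVE-NG command.
# Real use (digest is a placeholder you copy from the vendor's download page):
#   install_verified_image asav981-7.qcow2 <SHA512-FROM-VENDOR> /opt/unetlab/addons/qemu/asav-981-7

# Returns 0 on success, 1 on digest mismatch, 2 if the file is not qcow2.
install_verified_image() {
    local image="$1" expected="$2" target_dir="$3" actual want magic

    # 1. Compare the file's digest with the published value.
    actual=$(sha512sum -- "$image" | cut -d' ' -f1)
    # Lower-case the expected value so upper-case hex still matches.
    want=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$want" ]; then
        echo "digest mismatch for $image, not installing" >&2
        return 1
    fi

    # 2. A qcow2 file starts with the magic bytes 51 46 49 fb ("QFI\xfb").
    magic=$(head -c 4 -- "$image" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "514649fb" ]; then
        echo "$image is not a qcow2 image" >&2
        return 2
    fi

    # 3. Only now copy it under the file name EVE-NG expects.
    mkdir -p -- "$target_dir"
    cp -- "$image" "$target_dir/virtioa.qcow2"
}

# Demonstration on constructed data (a 4-byte magic plus filler, not a real ASAv image).
demo() {
    local tmp good
    tmp=$(mktemp -d)
    printf 'QFI\373constructed-sample' > "$tmp/sample.qcow2"
    good=$(sha512sum "$tmp/sample.qcow2" | cut -d' ' -f1)
    install_verified_image "$tmp/sample.qcow2" "$good" "$tmp/qemu/asav-demo" \
        && ls "$tmp/qemu/asav-demo"
    rm -rf "$tmp"
}

demo
```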
By default, Cisco ASA will use the VNC console. However, the telnet console is preferable! You will need the libguestfs-tools package for this.
Change to the directory /opt/unetlab/addons/qemu/asav-981-7/ and execute the commands below.
[simterm]$ cd /opt/unetlab/addons/qemu/asav-981-7/
guestfish -a virtioa.qcow2[/simterm]
Now, wait until you get the screen below.
[simterm]Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell
><fs> run[/simterm]
Now, you need to execute the commands below in the same window.
[simterm]mount /dev/sda2 /
touch /use_ttyS0
umount /
exit[/simterm]
We have completed the ASAv Firewall installation successfully. Open EVE-NG in a web browser and create a lab. Right-click on the blank area and select Node. Now, search for asav. You will find that Cisco ASAv is available under Nodes and ready to configure.
Initial Management Interface configuration of Cisco ASAv Firewall
After the Cisco ASA deployment on EVE-NG, we need to configure the management interface. Access the telnet console of the Cisco ASA and configure the management interface.
You can also connect the Cisco ASAv appliance to your machine using a cloud node; you just need to connect it to the default management cloud.
[simterm]ciscoasa#configure terminal
ciscoasa(config)#interface management 0/0
ciscoasa(config-if)#ip address dhcp
ciscoasa(config-if)#nameif mgmt
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#no shutdown[/simterm]
The management interface is considered a secure interface, so we assigned it security level 100! For more details, I recommend you go through the Cisco ASA section.
Questions
Question: What is the default username and password of the EVE-NG console?
Answer: Username root, Password eve.
Question: What is the default username and password of EVE-NG GUI?
Answer: Username admin, Password eve.
Conclusion
Hey! We have configured the Cisco ASA Firewall in the EVE-NG network simulator. First, we downloaded and installed VMWare Workstation, and then we installed EVE-NG on it. We imported the Cisco ASA image into EVE-NG using the wget program. Finally, we enabled the telnet console for the Cisco ASA Firewall. The Cisco ASA Virtual Firewall provides almost the same functionality as the hardware model. You can even configure it in High-Availability. You will also have support for IPSec and SSL VPN.