Install ASAv in KVM (Ubuntu 22.04)

Mar 1, 2023 | Cyber Security, Firewalls

In this tutorial I will show you how to do the basic configuration to deploy ASAv in KVM in Ubuntu 22.04.

There are a few things to take note.

  1. Firstly you need to configure the bridge interfaces in Ubuntu depending on how many interfaces you want to provision in ASAv.
  2. Create a simple script to deploy ASAv qcow2 image in the KVM.
  3. Telnet into the console of the ASAv to start your configuration.

Configure the bridge interface in Ubuntu.

Start by creating the bridge xml files for the interfaces.

Example:

Create a script for virtual bridge 1 for 192.168.55.0/subnet (virbr1.xml)
Create a script for virtual bridge 2 for 192.168.56.0/subnet (virbr2.xml)
Create a script for virtual bridge 3 for 192.168.57.0/subnet (virbr3.xml)

Change the ip address to suit your environment. The mac address must also be changed to suit your environment needs

<network>
<name>virbr1</name>
<bridge name='virbr1' stp='on' delay='0' />
<mac address='52:54:00:05:6e:01' />
<ip address='192.168.55.7' netmask='255.255.255.0' />
</network>
<network>
<name>virbr2</name>
<bridge name='virbr2' stp='on' delay='0' />
<mac address='52:54:00:05:6e:02' />
<ip address='192.168.56.7' netmask='255.255.255.0' />
</network>
<network>
<name>virbr3</name>
<bridge name='virbr3' stp='on' delay='0' />
<mac address='52:54:00:05:6e:03' />
<ip address='192.168.57.7' netmask='255.255.255.0' />
</network>

Using virsh net-define command to create the persistent network

sudo virsh net-define virbr1.xml
sudo virsh net-define virbr2.xml
sudo virsh net-define virbr1.xml

Using virsh net-start and net-autostart command to start the network and auto start even when the system reboots.

sudo virsh net-start virbr1.xml
sudo virsh net-start virbr2.xml
sudo virsh net-start virbr1.xml
sudo virsh net-autostart virbr1.xml
sudo virsh net-autostart virbr2.xml
sudo virsh net-autostart virbr1.xml

You can use virsh net-create command as stated in the Cisco document to create a temporary bridge for testing as well.

Use the brctl show command to verify the networks you created and use the ip address show command to see the ip address assign to the interfaces

Example:

brctl show
ip address show

Create a script using virt-install to deploy the ASAv qcow2 image to the KVM.

You might need to tweak the parameters to suit your environment. We will look at some of those in the youtube video. Create a script asav_install.sh

Example:

Run the installation script.

virt-install --connect=qemu:///system \
--network network=default,model=virtio \
--network network=default,model=virtio \
--network network=default,model=virtio \
--name=asav \
--cpu host \
--arch=x86_64 \
--vcpus=1 \
--ram=2048 \
--osinfo=generic \ 
--virt-type=kvm \
--import \
--disk path=/home/kvmperf/Images/desmo.qcow2,format=qcow2,device=disk,bus=virtio,cache=none \
--disk path=/home/kvmperf/asav_day0.iso,format=iso,device=cdrom \
--console pty,target_type=virtio \
--serial tcp,host=127.0.0.1:16667,mode=bind,protocol=telnet

Verify the VM is running with virsh list –all and then run the script and you will see installation starts. You might need to manually exit this process as KVM is not able to tell if the installation completes.

sh asav_install.sh

You can telnet into the local host port 4554 once the Virtual Machine is running. You should see the ciscoasa> in your telnet session when the deployment completes.

telnet 127.0.0.1 16667

Useful commands

You might want to allow qemu to access the folder that you want to import the qcow2 if it is not in the standard directory that qemu creates the vm.

<user># sudo setfacl -m u:libvirt-qemu:rx /home/<directory to allow access>