daveguy2004

Virtual Security ESXi LAB

Hi UldisD,

 

Have you tried importing that ASA v9.15 that someone posted the files for in a workstation version into your ESXi successfully? I've tried everything with no success. When I import it, the ASA boots up but there are no interfaces when I do a 'sh int ip brief' .....it works fine in workstation, but I want to use it in ESXi...

 

Thanks,


Take any official vASA from Cisco; the 9.22 or 9.3 OVA both work perfectly on ESXi. The crack provided here beats these vASA licences. Maybe vCenter would be needed to deploy new Cisco images.

but i confirm that works.


Hello, based on the following [hidden content], it would appear that vASA is very limiting (even with crack keys). Is that assumption correct? Is anyone using that for labbing?

Don't really want to take the GNS route due to the instability of launching multiple QEMU-based VMs.

I did try Daveguy's ASA 8.4(2) OVA/OVF for ESXi 5.5 and it works really well. However, kind of bummed that it only has a single interface (yes, I know I can use subinterfaces etc.); I would like to see something which can support multiple interfaces in an ESXi 5.5 environment.

 

Any assistance would be appreciated.

 

Cheers.

But this ASA supports multiple interfaces as well.

Moreover, in ESXi you can use the newest vASA 9.3.1 and up to 8 ports on it.

Works pretty well, I even use it in production. ESXi 5.5.

Dave used ASA 8.4.2 version what supports as well more interfaces.


Thanks for the response.

Basically, I wanted to review the CCIE Sec v4 videos from vendors and lab at the same time. So FW functionality, HA, Multi-Context and VPN (AnyConnect + s2s etc.) are some of the important features to test.

 

Based on the above, would you recommend to stick with vASA 9.3.1 ? Use 2 of them for HA ?

 

I didn't understand your last statement "Dave used ASA 8.4.2 version what supports as well more interfaces." Is there any other esxi compatible version which one can use for 8.4(2) with multiple interfaces ?

You're thinking about the ASA 1000V... this is a severely limited ASA meant for multitenant VM environments. Much of its functionality is disabled. UldisD is talking about the ASAv. The ASAv is a completely different appliance with almost all functionality of a real physical ASA appliance.

 

Cisco just EOL'd the ASA 1000V because the ASAv supersedes it in every way.

 

And UldisD is correct.. the 8.4(2) image provided by DaveGuy supports multiple interfaces... I've used up to 8 of them without any difficulties.

 

U:H


@ U:H

 

Thanks. I really didn't realize that they were two different products... ASA 1000v | ASAv.

 

That's very good news, that they have much of the same functionality. I was about to test the HA and multi-context followed by VPN. The ASAv should suffice for those ? I assume one can do HA with some tweaks for the keys etc ?

 

After playing with and editing the file in VMware, I can confirm that Dave's 8.4(2) works; I was able to test Active/Standby, however the traffic won't pass via the secondary device. Likely a limitation of the image itself. I then tried ASAv921 and was able to replicate Active/Standby and can confirm that the traffic passes via the secondary device. So far, ASAv921 looks really good, one limitation being that of Active/Active in a multi-context mode. Any good virtual solutions for those?

Edited by alifliala

Need some assistance.

 

My nested esxi host is connected with a physical 3750. As soon I turn on the IOU for the Sec lab, within a minute or so, my physical host becomes unreachable.

 

The 3750 reports that esxi interface as :-

 

GigabitEthernetX/0/XX is down, line protocol is down (err-disabled).

 

Based on [hidden content], I had enabled bpdu for the IOU VM in the nested esxi.

In addition, I had disabled promiscuous mode for the physical host as well.

 

Any recommendations ?

Edited by alifliala


Hi.

Can anyone help me out with an IPS lab? Currently I am only doing IPS labs in VMware 10 with the forty-two-forty image. How do I use Cisco IME with VMware so that I can have a GUI for the IPS to configure the engine and to tune signatures? I have 2 LAN cards in my PC.

Kindly help me.

Thanks


Lab is nice but is missing a few devices that we need for the complete CCIE Security exam. I did build a complete lab in my GNS3, but alas I can't test the complete lab (i.e. starting all the device nodes at the same time) as I have only 8 GB of RAM and a quad-core AMD machine right now :cry:

Not true... the missing devices are connected as clouds. They are: WSA, ISE, ACS, WLC, AD... And I'm afraid an AMD PC cannot run UNL. Intel VT-x needed.

What's the problem?

No, Cisco officially announced that ASAv does not support act/act or multicontext.


Hi,

 

Two small questions.

 

When I set up routing between IOL and ASA the protocol flaps. It doesn't matter if it is OSPF or EIGRP.

Is this a known issue (IOU or IOS), or is this something I can "tune" away?

I would really like to have routing work.

 

 

Traffic goes from a L3 adv 15.3 IOL, through a L2 IOL ipbase 15.1 image, and to the ASA 8.4 (or 9.1, did some testing)

 

 

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.5 (Ethernet0/0.10) is down: holding time expired

R2#

%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 172.16.10.5 (Ethernet0/0.10) is up: new adjacency

R2#

%OSPF-5-ADJCHG: Process 100, Nbr 172.16.5.1 on Ethernet0/0.5 from FULL to DOWN, Neighbor Down: Dead timer expired

R2#

%OSPF-5-ADJCHG: Process 100, Nbr 172.16.5.1 on Ethernet0/0.5 from LOADING to FULL, Loading Done

 

 

Thx

Edited by OzzieO
