ASAv as home firewall - No Traffic

that1guy15 · July 16, 2015, 10:30:54 AM

My home router died the other night and I had to scramble to get something in place. Instead of dragging down to Best Buy and getting a crappy d-link or netgear I thought I would virtualize it on my ESX server.

So my first go was with the Cisco ASAv and everything went good except I can not communicate with the internet from anything but the firewall. All my devices pull IP addresses and the ASA receives a public IP address. The firewall can ping anywhere fine.

There is nothing special on this firewall just a basic NAT and inside outside interfaces.

I ran a packet tracer to troubleshoot and everything is allowed except the last line is: "DROP reason security-profile-not-used"

Im not sure what is going on here. Any help or insight would be greatly appreciated.

deanwebb · July 16, 2015, 10:35:40 AM

What happens when you change that last line to ALLOW?

SimonV · July 16, 2015, 10:36:18 AM

Someone here had the exact same issue: https://supportforums.cisco.com/discussion/11612151/ask-expert-cisco-asa-1000v-cloud-firewall

By the way - been thinking of doing this myself with the vSRX. Plug modem into separate VLAN, get public IP on virtual appliance and done.

that1guy15 · July 16, 2015, 11:31:33 AM

I do remember running into that one the other night. So it pretty much looks like you cant run the ASAv standalone and must have VNMC or Prime whatever they call it now.

But then how are all these people getting ASAv up and running in workstation and such? I have to be missing something.

wintermute000 · July 16, 2015, 08:19:24 PM

WTF!! Good to know. But Looks like the minimum requirement is vcenter?

Here's a workaround but requires a license
https://damn.technology/cisco-asav-esxi-standalone

If still struggling can I suggest try a vSRX? THey work perfectly and no licensing is involved.
Or failing that just run up a Vyatta.

that1guy15 · July 17, 2015, 08:36:43 AM

Quote from: wintermute000 on July 16, 2015, 08:19:24 PM
WTF!! Good to know. But Looks like the minimum requirement is vcenter?

Here's a workaround but requires a license
https://damn.technology/cisco-asav-esxi-standalone

If still struggling can I suggest try a vSRX? THey work perfectly and no licensing is involved.
Or failing that just run up a Vyatta.

Yeah Im running vSphere...

Ill try hitting up my SE for a license. Ill try re-installing as well.

Ill report back.

Thanks guys.

DanC · July 17, 2015, 08:54:48 AM

I wouldn't bother with ASAv, there's an OVA knocking about on the interwebs which is basically ASA 9.2 code that's been ported to run on ESXi. I lab with it all the time, works a treat!

routerdork · July 17, 2015, 10:38:11 AM

Quote from: DanC on July 17, 2015, 08:54:48 AM
I wouldn't bother with ASAv, there's an OVA knocking about on the interwebs which is basically ASA 9.2 code that's been ported to run on ESXi. I lab with it all the time, works a treat!

Excellent! I'll have to look for this. I listed up all my hardware on Craig's List to go full virtual minus a switch or two for QoS stuff.

wintermute000 · July 17, 2015, 05:06:53 PM

Dan can you link it?

Sent from my SM-G920I using Tapatalk

LynK · July 21, 2015, 09:44:47 AM

I want to see the document dan.

DanC · August 14, 2015, 05:27:55 AM

Sorry guys, forgot all about this... It's version 9.1(5) - PM me if you want me to link you