- ASAv: https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.3
  There may be newer releases out, but this has been built with 9.18(3) using the VMware package `asav9-18-3.zip`.
- Cisco AnyConnect Bundle: https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.07062
  As above, there may be newer releases out. You really need the webdeploy package (`anyconnect-win-4.10.07062-webdeploy-k9.pkg`), which gets uploaded to the ASAv; the predeploy zip (`anyconnect-win-4.10.07062-predeploy-k9.zip`) is handy as well, as it contains the MSI installers for the client workstation.
Files included in the gist:

- `day0-config` - The custom ASA config that is put into `day0.iso` and applied on first boot
- `genday0iso.sh` - Script to regenerate `day0.iso` from `day0-config` and then update `asav-esxi.mf` with the new SHA1 hash of the ISO, since the OVF importer checks the manifest against the files in the package

Usernames/passwords included in the image:

- The enable password is `ciscoasa`
- `ciscoasa` / `ciscoasa` - Level 15 admin
- `testuser` / `anotherlongpassword` - Standard remote VPN only access user

These are lab credentials baked into `day0-config`. Change them there before building the ISO if the management or outside interface will be reachable by anyone other than you.
- Unzip `asav9-18-3.zip` and add the 2 files from the gist to the same folder.
- Optionally update `day0-config` with the IP addressing you want if it isn't right.
- Run `genday0iso.sh` to generate a new `day0.iso`. It overwrites the existing `day0.iso` and updates `asav-esxi.mf` with the new SHA1 hash.
- Deploy `asav-esxi.ovf` into VMware Workstation 16 or higher, or ESXi 6 or 7. I had issues with ESXi 8, so YMMV.
- Remove all but 3 network adapters, as you don't need all of them.
- Before powering on, configure networking:
- Network Adapter 1 = Management - 192.168.252.10/24 - Management interface to configure ASA
- Network Adapter 2 = Inside - 192.168.10.1/24 - Inside network
- Network Adapter 3 = Outside - 192.168.28.10/24 - Outside / Internet network
- Default route on outside via 192.168.28.2
  When running on VMware Workstation, assign Network 1 & 2 to Host Only, and Network 3 to NAT for internet access.
- Power on the VM and wait 2-3 mins for it to apply the day0 config and boot. From here you can issue commands on the console or via SSH.
- Set up a desktop on Management Network 1 (192.168.252.x/24) so you can SSH to 192.168.252.10. Check that you can ping it first.
- SCP the webdeploy package across to the ASAv's flash:
  `scp anyconnect-win-4.10.07062-webdeploy-k9.pkg ciscoasa@192.168.252.10:`
- SSH to the ASAv and run the post-deploy setup commands shown below. The username, password and enable password are all `ciscoasa`.
```
login as: ciscoasa
ciscoasa@192.168.252.10's password: ciscoasa
User ciscoasa logged in to ciscoasa
Logins over the last 1 days: 1.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password: ciscoasa
ciscoasa# config term
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.10.07062-webdeploy-k9.pkg 1
ciscoasa(config-webvpn)# svc enable
ciscoasa(config-webvpn)# exit
ciscoasa(config)# exit
ciscoasa#
```
The reason this is a separate step is that the ASAv image does not ship with an AnyConnect client package: the webdeploy package has to be uploaded after the image has been deployed and registered with `anyconnect image` before the ASA will accept SSL VPN sessions. `svc enable` is the older spelling of `anyconnect enable`; the ASA still accepts it. Confirm the package was picked up with `show webvpn anyconnect`, and run `write memory` so the change survives a reboot.

Now the ASAv is set up and ready to accept an SSL VPN session.
- Connect a client workstation with the AnyConnect client installed to Network 3, on the 192.168.28.x/24 network.
- Assuming you have already installed the AnyConnect client MSI, attempt to connect from AnyConnect to 192.168.28.10. This will most likely give you an error about not being allowed to connect to untrusted servers, because the ASAv is presenting a self-signed certificate. On the client's main screen, select the cog at the bottom left, then under VPN -> Preferences untick the "Block connections to untrusted servers" checkbox and try again. That is fine for a lab on an isolated network; outside a lab, leave the setting on and install a certificate the client trusts on the ASA instead, since that setting is what stops the client from connecting to a headend that is impersonating yours.