Deploy the ASA Virtual On the Alibaba Cloud

The Cisco Adaptive Security Appliance Virtual runs the same software as physical Cisco ASAs to deliver proven security functionality in a virtual form factor. You can deploy and configure the ASA Virtual in the public Alibaba cloud to protect virtual and physical data center workloads. The ASA Virtual can expand, contract, or shift its location over time.


Important


Beginning with 9.13(1), you can use any ASA Virtual license on any supported ASA Virtual vCPU/memory configuration. The ASA Virtual license allows ASA Virtual customers to run on a wide variety of VM resource footprints. This ASA Virtual license also increases the number of supported Alibaba instance types.


Overview

Alibaba Supported Instance Types

The ASA Virtual supports the following Alibaba instance types.


Note


The ASA Virtual requires a minimum of three and supports a maximum of four interfaces (ENIs) per instance.


Network Requirement

  • Create one VPC with a minimum of one Vswitch (Subnet) for basic ASA Virtual support.

  • The Vswitch must be in the same zone in which the instance is deployed; otherwise, you must create one.

Related Documentation

For more information on instance types and their configuration, see Alibaba Cloud.

Prerequisites

  • Create an account on https://www.alibabacloud.com/.

  • Download the ASA Virtual qcow2 file from Cisco.com and put it on your Linux host:

    http://www.cisco.com/go/asa-software


    Note


    A Cisco.com login and Cisco service contract are required.


  • License the ASA Virtual. Until you license the ASA Virtual, it runs in degraded mode, which allows only 100 connections and throughput of 100 Kbps. See Licensing for the ASA Virtual.

  • Interface requirements:

    • Management interface

    • Inside and outside interfaces

  • Communications paths:

    • Management interface—Used to connect the ASA Virtual to the ASDM; can't be used for through traffic.

    • Inside interface (required)—Used to connect the ASA Virtual to inside hosts.

    • Outside interface (required)—Used to connect the ASA Virtual to the public network.

  • For ASA Virtual system requirements, see Cisco ASA Compatibility.

Guidelines and Limitations

Supported Features

The ASA Virtual on Alibaba supports the following features:

  • QCOW2 Image package

  • Basic Product Bringup

  • Day-0 Configuration

  • SSH using Public Key or Password

  • Alibaba UI Console to access ASA Virtual for any debugging purpose.

  • Alibaba UI Stop/Restart

  • Instance Type Supported: ecs.g5ne.large, ecs.g5ne.xlarge, ecs.g5ne.2xlarge, and ecs.g5ne.4xlarge

  • BYOL License Support

Unsupported Features

The ASA Virtual on Alibaba does not support the following in version 7.2:

  • High Availability functionality

  • Autoscale

  • IPv6

  • SR-IOV

Limitations

  • East-West Traffic in the same VPC is not supported in Alibaba as subnet level routing is not allowed.

  • Transparent, inline, and passive modes are not currently supported.

  • It is recommended to use the network enhanced instance specification family g5ne to deploy ASA Virtual applications.

  • Jumbo frames are not supported because their availability is limited to a few Alibaba instance types.

Related Documentation

For more information, see Alibaba Cloud.

Deploy the ASA Virtual

Ensure that the ASA Virtual image that you plan to deploy appears in the Image Configuration.

Procedure


Step 1

Log in to https://www.alibabacloud.com/ and choose your region.

Note

 

Alibaba is divided into multiple regions that are isolated from each other. The region is displayed in the upper right corner of your screen. Resources in one region do not appear in another region. Check periodically to make sure you’re in the intended region.

Step 2

Create Custom Virtualized Image

Alibaba supports only QCOW2 images.

  1. Go to Object Storage Service (OSS), then create a bucket and do the following:

    Bucket names must be globally unique within your Alibaba project.

    1. Upload QCOW2 image from local directory to Alibaba bucket.

    2. From the left Navigation pane, click Buckets > ASA Virtualbucket > Upload

    3. Choose Private as ACL and copy the OSS Object address mentioned in the object details after the upload is completed successfully.

    4. Paste the OSS object address of custom image from the bucket.

    5. Choose Linux as OS and Others Linux as variant type.

    6. Choose x86_64 as System Architecture.

    7. Choose Image format as QCOW2.

    8. Choose license type as BYOL.

  2. Create an instance from the para-virtualized image from the previous step.

    1. From the left side Navigation pane, click Images > Custom Image > Actions > Create Instance

Step 3

Create Instance from Custom Image

  1. Go to the Elastic Compute Service > Create Instance and select the following:

    1. Billing Method: Pay-As-You-Go

    2. Region: As per requirement.

    3. Instance Type: ecs.g5ne.large / ecs.g5ne.xlarge / ecs.g5ne.2xlarge / ecs.g5ne.4xlarge

    4. Quantity: As required.

    5. Image: Custom image created in the previous section.

    6. System Disk: 20GB as the minimum value.

  2. To proceed further, select the following:

    1. VPC: VPC in which ASA Virtual will be deployed.

    2. Vswitch: Subnet of the Primary Interface.

    3. Assign Public IPv4 Address: Required to connect via SSH. If it is not selected, the ASA Virtual can be accessed only through the Alibaba console connection in the UI.

    4. Security Group: Choose the appropriate Security Group.

    5. Interfaces: Primary interface belongs to the subnet chosen in step 2. An instance can be deployed with two interfaces and the rest can be attached after deployment.

  3. Move to the next section and do the following.

    1. Key-Pair: For key-based login, generate a key-pair if not done already. You can also access the instance with a password.

    2. Instance-name: Name of instance as suitable.

    3. Day-0 (User Data): Provide the Day-0 configuration as required (do not select the Base64-encoded option).

      Sample Day 0 Configuration -

      
      ! ASA Version 9.x
      ! required config start
      interface management0/0
      management-only
      nameif management
      security-level 100
      ip address dhcp
      no shut
      !
      crypto key generate rsa modulus 2048 noconfirm
      ssh 0 0 management
      ssh timeout 60
      ssh version 2
      username admin nopassword privilege 15
      username admin attributes
      service-type admin
      aaa authentication ssh console LOCAL
      ! required config end

  4. Accept the Terms of Service and Create the Instance.

Step 4

Click Launch Instance to deploy your ASA Virtual.
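The Day-0 sample in Step 3 permits SSH from any source address on the management interface (`ssh 0 0 management`) and defines `admin` with `nopassword`, so the Security Group and login method chosen in the same step carry the access control. The following Python check of the User Data text before launch is an added example, not Cisco tooling; the function names and finding texts are assumptions made here, and the embedded input is the page's sample reproduced as a constructed string.

```python
import base64
import re

# Constructed input: the page's sample Day-0 text as pasted into User Data.
SAMPLE_DAY0 = """\
! ASA Version 9.x
! required config start
interface management0/0
management-only
nameif management
security-level 100
ip address dhcp
no shut
!
crypto key generate rsa modulus 2048 noconfirm
ssh 0 0 management
ssh timeout 60
ssh version 2
username admin nopassword privilege 15
username admin attributes
service-type admin
aaa authentication ssh console LOCAL
! required config end
"""

def looks_base64(text):
    """True if the whole payload decodes as Base64 (plain config lines contain spaces)."""
    try:
        return bool(base64.b64decode("".join(text.splitlines()), validate=True))
    except ValueError:
        return False

def review_day0(text):
    """Return (line_number, finding) pairs; line 0 means the whole payload."""
    if looks_base64(text):
        return [(0, "payload is Base64-encoded; the page says to paste plain text")]
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    for n, line in enumerate(lines, 1):
        m = re.fullmatch(r"ssh 0(?:\.0\.0\.0)? 0(?:\.0\.0\.0)? (\S+)", line)
        if m:
            findings.append((n, f"SSH open to any source on {m.group(1)}; restrict in Security Group"))
        if re.match(r"username \S+ nopassword\b", line):
            findings.append((n, "user defined with nopassword; confirm how it authenticates"))
        if line.startswith("!") and "!" in line[1:]:
            findings.append((n, "two comment lines fused into one"))
    if "management-only" not in lines:
        findings.append((0, "management interface is not marked management-only"))
    return findings
```

Run against the sample, `review_day0(SAMPLE_DAY0)` reports line 11 (SSH open to any source) and line 14 (`nopassword`).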


Performance Tuning

VPN Optimization

The Alibaba c5 instances offer much higher performance than the older c3, c4, and m4 instances. The approximate RA VPN throughput (DTLS using 450B TCP traffic with AES-CBC encryption) on the c5 instance family should be:

  • 0.5Gbps on c5.large

  • 1Gbps on c5.xlarge

  • 2Gbps on c5.2xlarge

  • 4Gbps on c5.4xlarge