Terraform module to deploy Cisco Adaptive Security Virtual Appliance (ASAv) on Google Cloud Platform (GCP) for remote access IPSec/SSL VPN clients.
The ASAv runs the same software as physical Cisco ASAs and can be deployed in a GCP project. It can then be configured as a VPN concentrator that gives remote clients access to private cloud workloads, or used for IPsec site-to-site VPN, etc.
The ASAv in this module requires a minimum of 3 interfaces. The module will deploy the ASAv in GCP with 3 interfaces and a minimal configuration.
This module will create the enable mode and admin passwords to be used to deploy the Cisco ASAv instance if the passwords are not set.

These sections describe prerequisites for using this module.
Make sure three VPCs are available or created prior to deploying the ASAv. The VPC networks require 3 subnets, one each for the management, inside and outside interfaces.
The Google Terraform Network Module can be used to provision a project with the necessary VPC Networks and Subnets.
Until you license the ASAv, it will run in degraded mode, which allows only 100 connections and a throughput of 100 Kbps. You can activate the license at any time; see Smart Software Licensing for the ASAv.
Functional examples are included in the examples directory; check it for further information.
Warning: if you use a username and password for the deployment, the secret data will be stored in the raw state as plain text and the secret can be displayed in console output. I recommend using an encrypted password as explained in basic_example_2.
Limitation: the ASA CLI will not allow more than 512 chars of input on a single line. Therefore, if the public key is longer than 2048 bits, you cannot use the variable ssh_key to enter the public key in the day-0 configuration because it is too long. If you do so, the module will create the ASA with admin_password, but ssh_key authentication won't work and you will see this error in the ASAv serial console:

```
Input line size exceeded available buffer (511 characters). First 511 chars of the line:
ssh authentication publickey
```
Alternatively, enter the key with the `hashed` keyword, so the ASA stores a hash of the key instead of the full key on a much shorter line. The following is a sample configuration for a username "admin", first with the plain public key and then with the hashed form:

```
username admin attributes
 ssh authentication publickey <PUBLIC_KEY>
```

```
username admin attributes
 ssh authentication publickey <PUBLIC_KEY_HASHED> hashed
```
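The line-length limit above is easy to check before running `terraform apply`, rather than discovering it in the serial console after the instance is up. The following Python script is an added preflight check, not part of this module: it extracts the base64 body of an OpenSSH public key (the "part without spaces" that `ssh_key` expects), reads the RSA modulus size from the key blob, and measures how long the resulting `ssh authentication publickey <key>` line would be against the 511-character buffer. It assumes the module writes the key on that line with no extra leading indentation, and it builds its own constructed 2048-bit and 4096-bit keys for the demonstration (placeholder moduli, not real keys).

```python
import base64
import struct

# The ASAv serial console rejects lines longer than this ("Input line size
# exceeded available buffer (511 characters)").
ASA_MAX_LINE = 511
# The day-0 line the key ends up on, as in the sample configuration above.
# Assumption: the module emits no extra leading indentation on that line.
ASA_LINE_PREFIX = "ssh authentication publickey "


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string starting at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_blob(public_key: str) -> str:
    """Return only the base64 body of an OpenSSH public key, which is what
    the ssh_key variable expects ("the part without spaces")."""
    parts = public_key.strip().split()
    if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return parts[1]
    return parts[0]


def rsa_key_bits(blob_b64: str):
    """Return the RSA modulus size in bits, or None for non-RSA key types."""
    raw = base64.b64decode(blob_b64)
    key_type, off = _read_ssh_string(raw, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, off = _read_ssh_string(raw, off)
    modulus, _ = _read_ssh_string(raw, off)
    return int.from_bytes(modulus, "big").bit_length()


def check_ssh_key(public_key: str) -> dict:
    """Decide whether the key can be passed through the ssh_key variable."""
    blob = key_blob(public_key)
    line_length = len(ASA_LINE_PREFIX) + len(blob)
    return {
        "bits": rsa_key_bits(blob),
        "cli_line_length": line_length,
        "fits": line_length <= ASA_MAX_LINE,
    }


def constructed_rsa_public_key(bits: int, comment: str = "user@workstation") -> str:
    """Build a syntactically valid ssh-rsa public key of the requested size.
    The modulus is a constructed placeholder for testing, not a real key."""
    exponent = 65537
    modulus = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for size in (2048, 4096):
        result = check_ssh_key(constructed_rsa_public_key(size))
        verdict = "OK for ssh_key" if result["fits"] else "too long: use the hashed form"
        print(f"{size}-bit RSA -> CLI line of {result['cli_line_length']} chars: {verdict}")
```

Run it against your own key with `check_ssh_key(open("~/.ssh/id_rsa.pub").read())` (path expanded as appropriate): a 2048-bit RSA key produces a 401-character line and fits, while 3072-bit and 4096-bit keys overrun the buffer and need the hashed form described above.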
Basic usage of this module is as follows:

```hcl
module "ciscoasav" {
  source     = "gehoumi/ciscoasav-vm/google"
  name       = "cisco-asav-1"
  project_id = "my-project"
  subnetwork_names = {
    mgmt    = "my-vpc-mgmt-subnet-01-us-central1"
    inside  = "my-vpc-inside-subnet-01-us-central1"
    outside = "my-vpc-outside-subnet-01-us-central1"
  }
}
```
As explained in basic_example_1, you can search for the newly created secret in the console or use the commands shown in `terraform output` to retrieve the ASA admin password, something similar to the following:

```
$ gcloud secrets versions access latest --secret=<asa_hostname>-admin-password --project=<my-project>
```
This section assumes that you have Cisco AnyConnect Secure Mobility Client downloaded and installed on your local Windows workstation. Start AnyConnect and enter the IP address from the `asa_external_outside_ip` output as the VPN server. AnyConnect will show the warning "Untrusted VPN Server Blocked!"; this is normal because the SSL certificate presented by the ASAv is untrusted (self-signed). Simply select Connect Anyway, or uncheck "Block connections to untrusted servers" in the AnyConnect preferences. For anything beyond a test deployment, install a certificate issued by a CA your clients trust rather than relying on Connect Anyway.
A project with the following APIs enabled must be used to host the resources of this module:

- compute.googleapis.com
- secretmanager.googleapis.com
This module uses the default service account to create the ASAv instance, and creates an admin account for the admin user or for any automation tool that needs access to the ASAv.
External SSH access to the ASA management public IP is protected by firewall rules. By default the firewall rule allows access only from the deployment workstation's public IP, but you can override it with the `public_ip_whitelist_mgmt_access` variable or a hardcoded value if necessary.
Requirements:

| Name | Version |
|---|---|
| terraform | >=0.13.0 |
| google | >= 3.43, < 5.0 |

Providers:

| Name | Version |
|---|---|
| google | 4.53.1 |
| http | 3.2.1 |
Modules:

| Name | Source | Version |
|---|---|---|
| admin_password | ./modules/secrets | n/a |
| enable_password | ./modules/secrets | n/a |
Resources:

| Name | Type |
|---|---|
| google_compute_address.public_static_ip_mgmt | resource |
| google_compute_address.public_static_ip_outside | resource |
| google_compute_firewall.asav_deployment_tcp_https | resource |
| google_compute_firewall.vpc_outside_ingress_allow_https | resource |
| google_compute_instance.asav_vm | resource |
| google_compute_default_service_account.default | data source |
| google_compute_subnetwork.inside | data source |
| google_compute_subnetwork.mgmt | data source |
| google_compute_subnetwork.outside | data source |
| http_http.workstation_public_ip | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_password | ASAv administrator password | string | null | no |
| admin_username | ASAv administrator username. Default is admin | string | "admin" | no |
| disk_labels | Labels to be assigned to the boot disk, provided as a map | map(string) | {} | no |
| disk_size_gb | Boot disk size in GB | string | "10" | no |
| disk_type | Boot disk type | string | "pd-standard" | no |
| enable_password | The ASAv enable password | string | null | no |
| gcp_private_supernet_cidr | The GCP private internal supernet that should be reachable by the remote AnyConnect VPN clients | string | "10.0.0.0/8" | no |
| labels | Key-value map of labels to assign to the ASAv instance | map(string) | {} | no |
| machine_type | Instance type for the ASAv instance | string | "n2-standard-4" | no |
| name | The hostname to assign to the Cisco ASAv | string | "ciscoasav-1" | no |
| project_id | The ID of the project to which the resources belong | string | n/a | yes |
| public_ip_whitelist_mgmt_access | List of public IP addresses that need to manage the ASAv instance. Default is your workstation public IP | list(string) | null | no |
| public_static_ips | The existing public static IPs to use on the ASAv mgmt and outside interfaces. By default this module creates them if undefined. | object({...}) | null | no |
| region | The region to construct the ASAv resources in | string | "us-central1" | no |
| scopes | n/a | list(string) | [...] | no |
| service_account_email | Email of the service account for running the instance. Default is to use the Google-managed default service account | string | null | no |
| smart_account_registration_token | The Smart Account registration token ID to activate the license | string | "" | no |
| source_image | Image of the ASAv to be used in the project. GCP public image URL for the Cisco ASAv: `https://www.googleapis.com/compute/v1/projects/cisco-public/global/images/cisco-asav-9-xy-z`. To list the available Cisco ASAv versions in GCP, run `gcloud compute images list --filter="name ~ .*cisco-asav-.*" --project cisco-public`. The module has been tested with the following ASA versions; other versions may or may not work correctly: "cisco-asav-9-15-1-15", "cisco-asav-9-16-1-28", "cisco-asav-9-17-1", "cisco-asav-9-18-1" | string | "cisco-asav-9-19-1" | no |
| ssh_key | The SSH public key to use to log in to the instance. The maximum key size is 2048 bits because the ASA CLI will not allow more than 512 chars of input on a single line. Enter only the part without spaces, e.g. AAAAB3NzaC1yc2EAAAAD.... | string | "" | no |
| subnetwork_names | The names of the required subnetworks. The subnetworks must belong to the management, inside and outside VPCs. | object({...}) | null | no |
| throughput_level | The throughput level based on the instance size; the maximum supported vCPUs is 16 | map(string) | {...} | no |
| vpc_project | The host project name where the VPCs are created. If not provided, the module uses project_id | string | null | no |
| vpn_pool_cidr | The VPN pool CIDR network to assign to the remote AnyConnect VPN clients | string | "10.100.0.0/24" | no |
| vpn_pool_reserve_end_ip | The number of IPs to be reserved from the end of the VPN pool. Default is not to reserve anything from the end | number | -2 | no |
| vpn_pool_reserve_start_ip | The number of IPs to be reserved from the start of the VPN pool. Default is not to reserve anything from the start IP | number | 1 | no |
| zone | The zone to construct the ASAv resources in | string | "us-central1-a" | no |
Outputs:

| Name | Description |
|---|---|
| admin_password | ASAv administrator password |
| asa_external_mgmt_ip | Address created for external management access |
| asa_external_outside_ip | Address created for the external outside interface |
| hostname | Host name of the ASAv |
| workstation_public_ip | Public IP of the workstation from which the module is run |