
Automated Cisco ASAv deployment on GCP with Terraform

Terraform module to deploy Cisco Adaptive Security Virtual Appliance (ASAv) on Google Cloud Platform (GCP) for remote access IPSec/SSL VPN clients.

The ASAv runs the same software as the physical Cisco ASA and can be deployed in a GCP project. It can then be configured as a VPN concentrator that gives remote users access to private cloud workloads, as an IPsec site-to-site endpoint, and so on.

The ASAv in this module requires a minimum of 3 interfaces. The module will deploy the ASAv in GCP with 3 interfaces and minimal configuration.

This module will:

  • Create two external IP addresses, one for ASAv management and one for the public outside network.
  • Create two firewall rules: one allowing SSH and HTTPS access to the ASAv management interface, and one allowing HTTPS from anywhere to the ASAv outside interface (the VPN client entry point).
  • Fetch the public IP of the deployment workstation and add it to the source whitelist of the VPC firewall rule that protects ASAv management access.
  • Create a Compute Engine instance to host the ASAv, with a startup script that supplies the day0 configuration. The day0 configuration is applied during the first boot of the ASAv.
  • Set DHCP IP assignment on all ASAv interfaces.
  • Use nic0 for SSH access to the ASAv, as it is the only interface that supports IP forwarding.
  • Generate the enable and admin passwords and store them in Secret Manager if admin_password and enable_password are not set, then use them to deploy the Cisco ASAv instance.
  • Create a VPN address pool and a split-tunnel group policy for remote access VPN clients. You can then use the Cisco AnyConnect Secure Mobility Client to connect to your private GCP network.
  • Enable SSH on the management interface in the ASA configuration.

Prerequisites and System Requirements for the ASAv and GCP

These sections describe prerequisites for using this module.

Interface requirements:

Make sure three VPC networks are available or created before deploying the ASAv. The module needs one subnet in each of them, for the:

  • Management interface — Used to manage the ASAv (can’t be used for through traffic).
  • Inside interface — Used to connect the ASAv to inside hosts.
  • Outside interface — Used to connect the ASAv to the public network.

The Google Terraform Network Module can be used to provision a project with the necessary VPC Networks and Subnets.

License the ASAv:

Until you license the ASAv, it runs in degraded mode, which allows only 100 connections and a throughput of 100 Kbps. You can activate the license at any time; see Smart Software Licensing for the ASAv.

Use Case Examples

Functional examples are included in the examples directory, check it for further information.

Warning: if you pass the username and password as plain module variables, the secret data is stored in the Terraform state as plain text and can be displayed in console output. I recommend using an encrypted password as explained in basic_example_2.

Limitation: the ASA CLI does not accept more than 511 characters on a single input line. If your public key is longer than 2048 bits, its base64 body no longer fits on the ssh authentication publickey line, so it cannot be passed through the ssh_key variable into the day0 configuration. If you do so anyway, the module still creates the ASAv with admin_password, but public-key authentication will not work and the ASAv serial console shows this error:

Input line size exceeded available buffer (511 characters). First 511 chars of the line:
  ssh authentication publickey

Alternatives:

  • Add the public key after the deployment from the CLI, where the ASA accepts the key as multi-line input rather than on a single line. The following is a sample configuration for the username "admin":

username admin attributes
  ssh authentication publickey <PUBLIC_KEY>

  • Edit the day0 configuration to add the hashed form of your public key, appending the hashed keyword:

username admin attributes
  ssh authentication publickey <PUBLIC_KEY_HASHED> hashed
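As an added example (not part of the module or of this page's own code), the following POSIX shell script checks an OpenSSH public-key line against that limit before the key goes into the ssh_key variable: it extracts the base64 body, computes the length of the "ssh authentication publickey <KEY>" line the day0 configuration would contain, and reports whether it stays within 511 characters. The 29-character command prefix and the assumption that the key is written unindented on its own line are this example's; the key file path in the usage comment and the keys used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the module: pre-flight check for the ssh_key
# variable. The ASA CLI rejects any input line longer than 511 characters,
# so the base64 body of the key must fit on one line of the form
#   ssh authentication publickey <KEY>
# (assumed here to be written unindented in the day0 configuration).
ASA_LINE_MAX=511
ASA_CMD_PREFIX="ssh authentication publickey "   # 29 characters including the space

# Print the base64 body (second field) of an OpenSSH public-key line, which is
# the part the module's ssh_key variable expects ("AAAAB3NzaC1yc2EAAAAD...").
extract_key_body() {
  printf '%s\n' "$1" | awk '{ print $2 }'
}

# Largest key body that still fits: 511 - 29 = 482 characters.
max_key_body_len() {
  echo $((ASA_LINE_MAX - ${#ASA_CMD_PREFIX}))
}

# Return 0 if the key body fits on the ASA line, 1 otherwise. For reference, a
# 2048-bit RSA key with the usual public exponent encodes to 372 characters,
# a 3072-bit key to 544 and a 4096-bit key to 716, so only 2048-bit RSA fits.
asa_ssh_key_fits() {
  body="$1"
  line_len=$((${#body} + ${#ASA_CMD_PREFIX}))
  if [ "$line_len" -le "$ASA_LINE_MAX" ]; then
    return 0
  fi
  echo "key body is ${#body} characters; the line would be $line_len > $ASA_LINE_MAX" >&2
  return 1
}

# Usage: sh check_ssh_key.sh ~/.ssh/id_rsa.pub   (path is an example)
# Prints a ready-to-paste tfvars line, or fails if the key is too long.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  key=$(extract_key_body "$(head -n 1 "$1")")
  if asa_ssh_key_fits "$key"; then
    printf 'ssh_key = "%s"\n' "$key"
  else
    echo "use a 2048-bit key, or add the key on the ASA CLI after deployment" >&2
    exit 1
  fi
fi
```

Run it against the public-key file you intend to use; a non-zero exit means the key must go in after deployment (or be replaced by a 2048-bit key) rather than through the ssh_key variable.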

Usage

Basic usage of this module is as follows:

module "ciscoasav" {
  source         = "gehoumi/ciscoasav-vm/google"

  name           = "cisco-asav-1"
  project_id     = "my-project"

  subnetwork_names = {
    mgmt    = "my-vpc-mgmt-subnet-01-us-central1"
    inside  = "my-vpc-inside-subnet-01-us-central1"
    outside = "my-vpc-outside-subnet-01-us-central1"
  }

}

SSH access

As explained in basic_example_1, you can look up the newly created secret in the console or use the commands shown in the terraform output to retrieve the ASA admin password. Something similar to the following:

$ gcloud secrets versions access latest --secret=<asa_hostname>-admin-password --project=<my-project>

Connect to VPN with Cisco AnyConnect Secure Mobility Client

This section assumes that you have the Cisco AnyConnect Secure Mobility Client downloaded and installed on your local Windows workstation.

  • Launch the Cisco AnyConnect Secure Mobility Client and enter the value of the terraform output asa_external_outside_ip as the server address.
  • An AnyConnect window will pop up stating "Untrusted VPN Server Blocked!". This is expected, because the ASAv presents a self-signed SSL certificate that the client does not trust. Select Connect Anyway.
  • Alternatively, change the settings by unchecking the box labeled Block connections to untrusted servers. This setting applies to every connection the client makes from that workstation and removes its protection against a spoofed VPN server, so outside of a lab install a certificate from a CA the client trusts on the ASAv outside interface instead of disabling the check.
  • Reconnect to the VPN via AnyConnect with the admin username and password.

Enable APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Compute Engine API: compute.googleapis.com
  • Secret Manager API: secretmanager.googleapis.com

Permissions

This module uses the default Compute Engine service account for the ASAv instance (unless service_account_email is set), and creates an administrator account on the ASAv for the admin user or for any automation tool that needs access to it.

External SSH and HTTPS access to the ASA management public IP is protected by a VPC firewall rule. By default the rule allows access only from the public IP of the deployment workstation, fetched at apply time, but you can override it with the public_ip_whitelist_mgmt_access variable or a hardcoded value if necessary. Keep that list to the specific addresses that need it: the management interface exposes SSH and HTTPS with the admin credentials stored in Secret Manager, so it should never be opened to 0.0.0.0/0.
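As an added example (not part of the module or of this page's own code), the following POSIX shell script validates the entries you would pass in public_ip_whitelist_mgmt_access before running terraform: bare addresses are normalised to /32, non-IPv4 entries and 0.0.0.0/0 are rejected, and the accepted entries are rendered as an HCL list. The cut-off of /24 as the widest acceptable source range is this example's own policy, and the addresses used below are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the module: validate the source ranges given to
# public_ip_whitelist_mgmt_access and render them as an HCL list. The /24
# limit below is this example's policy, not something the module enforces.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
  [ -n "$1" ] || return 1
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# Normalise one entry to CIDR form: a bare address becomes a /32 host route.
# Prints the CIDR and returns 0, or prints a reason to stderr and returns 1.
normalize_mgmt_entry() {
  entry="$1"
  case "$entry" in
    */*) addr=${entry%/*}; prefix=${entry#*/} ;;
    *)   addr=$entry;      prefix=32 ;;
  esac
  is_ipv4 "$addr" || { echo "reject '$entry': not an IPv4 address" >&2; return 1; }
  case "$prefix" in
    ''|*[!0-9]*) echo "reject '$entry': bad prefix length" >&2; return 1 ;;
  esac
  if [ "$prefix" -gt 32 ]; then
    echo "reject '$entry': prefix length above 32" >&2; return 1
  fi
  # Management SSH/HTTPS should never face the whole Internet; anything wider
  # than a /24 (including 0.0.0.0/0) is refused here.
  if [ "$prefix" -lt 24 ]; then
    echo "reject '$entry': /$prefix is too broad for management access" >&2; return 1
  fi
  echo "$addr/$prefix"
}

# Render a validated HCL assignment for the module input from all arguments;
# fails without output if any entry is rejected.
render_mgmt_whitelist() {
  out=""
  for e in "$@"; do
    cidr=$(normalize_mgmt_entry "$e") || return 1
    out="$out\"$cidr\", "
  done
  printf 'public_ip_whitelist_mgmt_access = [%s]\n' "${out%, }"
}

# Usage: sh mgmt_whitelist.sh 203.0.113.10 198.51.100.0/28 >> terraform.tfvars
if [ $# -gt 0 ]; then
  render_mgmt_whitelist "$@" || exit 1
fi
```

Append the rendered line to your tfvars file, or pass it with -var; because the function fails closed, a single typo or an over-broad range stops the whole list from being emitted.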

Requirements

Name        Version
terraform   >= 0.13.0
google      >= 3.43, < 5.0

Providers

Name     Version
google   4.53.1
http     3.2.1

Modules

Name              Source              Version
admin_password    ./modules/secrets   n/a
enable_password   ./modules/secrets   n/a

Resources

Name                                               Type
google_compute_address.public_static_ip_mgmt       resource
google_compute_address.public_static_ip_outside    resource
google_compute_firewall.asav_deployment_tcp_https  resource
google_compute_firewall.vpc_outside_ingress_allow_https  resource
google_compute_instance.asav_vm                    resource
google_compute_default_service_account.default     data source
google_compute_subnetwork.inside                   data source
google_compute_subnetwork.mgmt                     data source
google_compute_subnetwork.outside                  data source
http_http.workstation_public_ip                    data source

Inputs

Each input is listed as name (type, default, required/optional) followed by its description.

admin_password (string, default null, optional)
  ASAv administrator password.

admin_username (string, default "admin", optional)
  ASAv administrator username.

disk_labels (map(string), default {}, optional)
  Labels to assign to the boot disk, provided as a map.

disk_size_gb (string, default "10", optional)
  Boot disk size in GB.

disk_type (string, default "pd-standard", optional)
  Boot disk type.

enable_password (string, default null, optional)
  The ASAv enable password.

gcp_private_supernet_cidr (string, default "10.0.0.0/8", optional)
  The GCP private internal supernet that should be reachable by the remote AnyConnect VPN clients.

labels (map(string), default {}, optional)
  Key-value map of labels to assign to the ASAv instance.

machine_type (string, default "n2-standard-4", optional)
  Machine type for the ASAv instance.

name (string, default "ciscoasav-1", optional)
  The hostname to assign to the Cisco ASAv.

project_id (string, required)
  The ID of the project to which the resources belong.

public_ip_whitelist_mgmt_access (list(string), default null, optional)
  List of public IP addresses that need to manage the ASAv instance. Default is your workstation's public IP.

public_static_ips (object({ mgmt = string, outside = string }), default null, optional)
  Existing public static IPs to use on the ASAv mgmt and outside interfaces. By default the module creates them if undefined.

region (string, default "us-central1", optional)
  The region in which to create the ASAv resources.

scopes (list(string), optional)
  OAuth scopes granted to the instance's service account. Default:
  [
    "https://www.googleapis.com/auth/cloud.useraccounts.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write"
  ]

service_account_email (string, default null, optional)
  Email of the service account for running the instance. Default is to use the Google-managed default service account.

smart_account_registration_token (string, default "", optional)
  The Smart Account registration token ID used to activate the license.

source_image (string, default "cisco-asav-9-19-1", optional)
  Image of the ASAv to use in the project. The GCP public image URL for the Cisco ASAv has the form
  https://www.googleapis.com/compute/v1/projects/cisco-public/global/images/cisco-asav-9-xy-z
  To list the ASAv versions available in GCP, run:
  gcloud compute images list --filter="name ~ .*cisco-asav-.*" --project cisco-public
  The module has been tested with the following ASA versions; other versions may or may not work correctly:
  "cisco-asav-9-15-1-15", "cisco-asav-9-16-1-28", "cisco-asav-9-17-1", "cisco-asav-9-18-1"

ssh_key (string, default "", optional)
  The SSH public key used to log in to the instance. The maximum key size is 2048 bits, because the ASA CLI does not accept more than 511 characters on a single line. Enter only the part without spaces, e.g. AAAAB3NzaC1yc2EAAAAD....

subnetwork_names (object({ mgmt = string, inside = string, outside = string }), default null, optional)
  The names of the required subnetworks. The subnetworks must belong to the management, inside and outside VPCs respectively.

throughput_level (map(string), optional)
  The throughput level based on the instance size; the maximum supported vCPU count is 16. Default:
  {
    "n2-standard-16": "10G",
    "n2-standard-4": "1G",
    "n2-standard-8": "2G"
  }

vpc_project (string, default null, optional)
  The host project in which the VPCs are created. If not provided, the module uses project_id.

vpn_pool_cidr (string, default "10.100.0.0/24", optional)
  The VPN pool CIDR network from which remote AnyConnect VPN clients are assigned addresses.

vpn_pool_reserve_end_ip (number, default -2, optional)
  The number of IPs to reserve from the end of the VPN pool. The default reserves nothing from the end.

vpn_pool_reserve_start_ip (number, default 1, optional)
  The number of IPs to reserve from the start of the VPN pool. The default reserves nothing from the start.

zone (string, default "us-central1-a", optional)
  The zone in which to create the ASAv resources.

Outputs

Name                      Description
admin_password            ASAv administrator password
asa_external_mgmt_ip      External IP address created for management access
asa_external_outside_ip   External IP address created for the outside interface
hostname                  Hostname of the ASAv
workstation_public_ip     Public IP of the workstation from which the module is run

References

Source code: view on GitHub. Programming language: HCL. License: Apache License 2.0.
