05 Mar

ASAv on Amazon Web Services – login issues

Have you ever tried to run ASAv image on Amazon Web Services (AWS)? Yes, in Marketplace you will find supported image of this firewall (which is actually great thing because you can run it in BYOB model where you use unlicensed mode for testing the features. Same way as you can do on your ESXi.

Deployment is easy with the creator of EC2 instance, just few clicks and there it is. Except small problem – on latest release of 9.6.2.1 I was not able to connect to management interface via SSH. It should be possible by using key assigned to instance during creation but no matter what I’ve done it always asked for password.

There is small but nice workaround of this problem that also enables HTTPS access to ASAv. During the instance deployment we should put zero-day configuration that will be implemented on ASA. In documentation we even have proposal on such config which we further modify by adding HTTP/HTTPS access, additional user account, enable password and aaa local authentication.

The final zero-day configuration should look as below

interface management0/0
management-only
nameif management
security-level 100
ip address dhcp setroute
no shut
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
crypto key generate rsa modulus 2048
http server enable
http 0.0.0.0 0.0.0.0 management
ssh 0 0 management
ssh timeout 30
username admin nopassword privilege 15
username admin attributes
username cisco password cisco privilege 15
enable password cisco
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
service-type admin 

This way we will be able to connect to ASAv instance via ssh/http using local accounts.

2 thoughts on “ASAv on Amazon Web Services – login issues

  1. Thank you so much for this. Banging my head against the wall all day trying to get ssh access and it asking for a password!!! Thanks again!!!

Leave a Reply

%d bloggers like this: