3

I'm creating procedures to deploy a Cisco ASA and an ESXi machine to remote locations where no local tech contacts are available.

I think it may be a wise idea to connect the console cable from the ASA to the ESXi machine to assist in local & remote configuration.

Is this a good idea, and how should I use ESXi to interact with the console of a Cisco ASA?

makerofthings7
  • You're going to have a **LOT** of trouble pulling this off, with ESXi's poor support for external devices. Depending on the server, though, you might be able to pass the console connection through to a VM, and use one of the guest OSes to interact with the ASA. I had to do essentially that with switches, rather than ASAs, once upon a hellish time, not so long ago. – HopelessN00b Jun 25 '14 at 19:56
  • Pre-program the ASA devices before they're deployed. All you need is to set public IP information and allow remote and/or VPN access. I do hope you plan to use a real switch at these sites as well, instead of relying on the ASA as a switch. – ewwhite Jun 25 '14 at 19:57
  • 1
    @ewwhite works great until there's a minor misconfiguration and you have to either have the network device shipped back, or spend 8 hours trying to walk some minimum wage GED holder through troubleshooting and reconfiguring a network device. – HopelessN00b Jun 25 '14 at 20:00

2 Answers

1

If you're trying to configure the ASA from the ESXi host (or a guest), how exactly do you propose to get into the ESXi host or guest? I'm assuming that the ASA is the gateway for the server. So if the ASA is down/not configured properly, you won't be getting into the server, either. The opener is in the box, sorry to say.

If your actual goal is to configure/troubleshoot the ASA remotely (and then you could open any necessary ports to the ESXi host of course), ship the ASA with a modem and get it hooked up to a phone line for async configuration. And yes, always do your best to send it preconfigured, but sometimes things break or are wrong.

mfinni
  • 1
    When I had to do this, the device was shipped configured for basic connectivity **only**, hooked up, and then had the remainder of the configuration applied through this kind of setup. When I'd occasionally mess something up and kill my ability to connect to the device I was configuring, I'd have them reboot the device, resetting the config to my last `write run`, and try again. Slow and painful, but it can be done. – HopelessN00b Jun 25 '14 at 20:05
  • Thanks for your intuition, and you're right. Also I want to use the ESXi box as a means to configure the device locally... when the technician forgets a laptop, serial cable, uses a MacBook w/o a serial port, etc. Is it possible to use ESXi with a keyboard/monitor/mouse to console into an ASA and perform configuration tasks? – makerofthings7 Jun 25 '14 at 20:12
  • ESXi, no. It's not a general-purpose operating system. Using a COM-port passthrough to a guest, yes. But again, if you are logged into one of the VMs, you can probably just manage the ASA via in-band management tools since you're on the LAN side of it. If you can't get to the VM because the ASA is down, you can't do anything. Fully think out your access and dependencies before completing your design. – mfinni Jun 25 '14 at 20:41
  • If the technician forgets a serial cable, just have him/her move the one you have plugged in between the server and ASA. If they don't have a machine with a serial port, when you've hired them to config an ASA, fire them. – mfinni Jun 25 '14 at 20:42
0

The (only?) possible answer to this conundrum is: Get a USB->Serial adaptor, and pass it through to a guest VM, and use your terminal emulator on the VM.

If you end up "on site" and need to talk to the ASA, you can then just unplug the USB dongle and plug it into your laptop.

Whether this will actually be useful depends entirely on many variables that are difficult to second-guess.

Phil