Sunday, 16 February 2014

Emulating Cisco ASA 8.4.2 on GNS3 [ Included GNS3 1.3 - Updated on 07/04/2015]

This post will take you through a step-by-step guide to emulating Cisco ASA 8.4.2 on GNS3. In GNS3, QEMU is the emulator that provides the hardware environment for the Cisco ASA image. Please make sure that your computer has at least 4GB of RAM before you begin.

The steps below are simple and straightforward. So let's begin.

Edit on 28/10/2014: On the latest version of GNS3, i.e. GNS3 1.0, adding an ASA from Qemu is a little different. Just follow the steps mentioned under the topic 'In GNS3 1.0' below.

1.) Download and install GNS3. You can get the software from http://www.gns3.com . You may need to register/login to get the software.

2.) Get a copy of ASA 8.4.2 code. You can get it from your live ASA device by copying the image to a TFTP server. [ or download from https://drive.google.com/folderview?id=0BxGGwKJEWVB0dzd5aFMzTjRNcDg&usp=sharing ]

3.) Unpack the image and you will get two files, asa842-initrd.gz and asa842-vmlinuz.

[For GNS3 1.0 (latest) follow the steps under the topic 'In GNS3 1.0']

4.) Now Open GNS3 and go to Edit -> Preferences -> Qemu -> ASA.

5.) Configure the 'ASA Settings' and 'ASA Specific Settings' like below:

Identifier name: Cisco-ASA

RAM : 1024 MiB

Number of NICs : 6

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Initrd: Browse and select the 'asa842-initrd.gz' file from the unpack process

Kernel: Browse and select the 'asa842-vmlinuz' file from the unpack process

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Finally click Save and click OK. Also refer to the screenshot below for more information regarding the above configuration.



Now drag and drop ASA Firewall to the project area and start configuring your ASA device!



In GNS3 1.0 [Edit on 28/10/2014]

Follow up to step 4 above.

1.) Expand QEMU > QEMU VMs

2.) Click New and type a name for your ASA device

3.) Select the type as ASA 8.4(2) and click Next

4.) Leave the Qemu binary and RAM as they are and click Next

5.) Now browse to the initrd and Kernel images which you extracted before and click Finish

That's it! You are done with the ASA configuration in GNS3. No need to enter Qemu Options or a Kernel cmd line; everything is already set in GNS3. Below you can find a screenshot of the configuration.


Now go to your GNS3 > Security devices and drag your ASA to the work-space, enjoy!



Add ASDM and connect your ASA

You can connect to the ASA from the computer on which you are running GNS3. Follow the steps below to do this:

1.) Add a Microsoft Loopback adapter to your computer (refer to http://www.groovypost.com/howto/install-loopback-adapter-windows-8-server-2012/) and provide an IP address as below (use any IP):


2.) Drag and drop 'Cloud' to the GNS3 work-space and connect it with an Ethernet Switch. Refer below screenshot :


3.) Configure 'Cloud' and add the Loopback adapter which you added in step 1, as shown in the figure below:



4.) Take a console session to your ASA from GNS3 and configure one of its interfaces like below:

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0

5.) Now try to ping your computer's Loopback IP from the ASA and vice versa. (Make sure that you disable the firewall/antivirus etc. on the local PC on which GNS3 is installed.)

6.) Download ASDM ( asdm-649.bin) from https://drive.google.com/file/d/0BxGGwKJEWVB0amstM0VQVmRYNUk/view?usp=sharing

7.) Install a TFTP server in your local PC and keep the above file in its root directory.

8.) Now upload asdm-649.bin to the ASA's flash using the commands below (if the upload fails, temporarily disable any network adapter other than the Loopback adapter and try again):

ciscoasa# copy tftp: flash:
Address or name of remote host? 192.168.1.100
Source filename? asdm-649.bin
Destination filename [asdm-649.bin]?

Accessing tftp://192.168.1.100/asdm-649.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
18927088 bytes copied in 143.10 secs (132357 bytes/sec)

9.) Initiate the below commands to load ASDM on the ASA and enable http server:

ciscoasa(config)# asdm image flash:asdm-649.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.10 255.255.255.0 inside
ciscoasa(config)# username admin password 1234 privilege 15

ciscoasa(config)# write memory

10.) Now go to your local PC, open a browser and type https://192.168.1.10, and a page like the one below will open:


11.) Click on 'Run ASDM' and log in with the username and password which you created in step 9. You will be presented with the ASA dashboard.
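The ASDM steps above switch on an HTTP management service on the firewall, so it is worth checking what the resulting running-config actually exposes before leaving it that way. The Python script below is an added example, not code from the post: it parses the few statements that matter (interface nameif and security-level, `http server enable`, the `http <ip> <mask> <nameif>` access statements, `asdm image`, and privilege-15 usernames) from a constructed config built from steps 4 and 9, and from a constructed excerpt modelled on the config pasted in the comments further down, and reports how wide the ASDM access is, which interface it is bound to, and whether a privilege-15 account was entered with a cleartext password line. Function, class and constant names are my own.

```python
"""Added example (not the post's own code): audit the ASDM/HTTP management
settings in an ASA running-config."""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the interface from step 4 plus the commands from step 9.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
asdm image flash:asdm-649.bin
http server enable
http 192.168.1.10 255.255.255.0 inside
username admin password 1234 privilege 15
"""

# Constructed excerpt modelled on the config pasted in the comments below:
# ASDM is bound to an interface with security-level 0.
MGMT_CONFIG = """\
interface GigabitEthernet5
 nameif MGMT
 security-level 0
 ip address 192.168.0.254 255.255.255.0
!
http server enable
http 192.168.0.0 255.255.255.0 MGMT
username cisco password 3USUcOPFUiMCO4Jk encrypted
"""

# Keywords that belong to an interface stanza rather than to global config.
STANZA_KEYWORDS = {"nameif", "security-level", "ip", "description", "vlan", "shutdown", "no"}


@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    security_level: Optional[int] = None


@dataclass
class Audit:
    http_server_enabled: bool = False
    asdm_image: Optional[str] = None
    http_rules: list = field(default_factory=list)    # (IPv4Network, nameif)
    interfaces: dict = field(default_factory=dict)    # name -> Interface
    priv15_users: list = field(default_factory=list)  # (username, line carries 'encrypted')


def parse_asa_config(text: str) -> Audit:
    """Line-oriented parse of the handful of statements the audit needs."""
    audit = Audit()
    current: Optional[Interface] = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("!", ":")):
            current = None  # '!' closes an interface stanza
            continue
        if parts[0] == "interface" and len(parts) == 2:
            current = Interface(name=parts[1])
            audit.interfaces[current.name] = current
            continue
        if current is not None and parts[0] in STANZA_KEYWORDS:
            if parts[0] == "nameif" and len(parts) == 2:
                current.nameif = parts[1]
            elif parts[0] == "security-level" and len(parts) == 2:
                current.security_level = int(parts[1])
            continue
        current = None  # anything else is global config
        if parts[:3] == ["http", "server", "enable"]:
            audit.http_server_enabled = True
        elif parts[0] == "http" and len(parts) == 4:
            try:  # 'http <ip> <mask> <nameif>'; other http forms are skipped
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:
                continue
            audit.http_rules.append((net, parts[3]))
        elif parts[:2] == ["asdm", "image"] and len(parts) == 3:
            audit.asdm_image = parts[2]
        elif parts[0] == "username" and "privilege" in parts:
            i = parts.index("privilege")
            if i + 1 < len(parts) and parts[i + 1] == "15":
                audit.priv15_users.append((parts[1], "encrypted" in parts))
    return audit


def audit_config(text: str) -> list:
    """Returns human-readable findings in config order."""
    audit = parse_asa_config(text)
    by_nameif = {i.nameif: i for i in audit.interfaces.values() if i.nameif}
    findings = []
    if audit.http_server_enabled and audit.asdm_image is None:
        findings.append("INFO: http server enabled but no 'asdm image' set; ASDM launch page will not work")
    for net, nameif in audit.http_rules:
        if net.prefixlen == 0:
            findings.append(f"CRITICAL: http on {nameif} accepts any source address")
        elif net.prefixlen < 32:
            findings.append(f"WARN: http on {nameif} allows {net.num_addresses} sources ({net}); restrict to the management host")
        iface = by_nameif.get(nameif)
        if iface is None:
            findings.append(f"ERROR: http references unknown nameif {nameif}")
        elif iface.security_level == 0:
            findings.append(f"WARN: ASDM reachable on security-level 0 interface {nameif} ({iface.name})")
    for user, encrypted in audit.priv15_users:
        if not encrypted:
            findings.append(f"WARN: privilege-15 user {user} entered with a cleartext password line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post config", SAMPLE_CONFIG), ("comment config", MGMT_CONFIG)):
        print(f"== {label} ==")
        for line in audit_config(cfg):
            print(" ", line)
```

Run it as-is to see both reports; to audit a real box, paste the output of `show running-config` into a file and pass its contents to `audit_config`. The /24 in the step-9 `http` line is flagged on purpose: in a lab it is convenient, but on a device that matters the statement should name only the host that runs ASDM.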



I hope this helps. You can expect ASA configuration examples and tech notes soon in my blog.

13 comments:

  1. Replies
    1. Hi, I used pieces of other tutorials plus yours; you were a great help.

  2. hi Yadhu,
    Have you tried creating any test labs? I ran into a problem when I created a subinterface (ip 192.168.118.11/24) on the ASA and I could not ping the router (R2 ip 192.168.118.100), which is directly connected to the ASA. Did I miss anything?

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0
    description Outside
    nameif Outside
    security-level 0
    ip address 200.0.111.11 255.255.255.0
    !
    interface GigabitEthernet1
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet1.118
    description link to Inside
    vlan 118
    nameif Inside
    security-level 100
    ip address 192.168.118.11 255.255.255.0
    !
    interface GigabitEthernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet5
    nameif MGMT
    security-level 0
    ip address 192.168.0.254 255.255.255.0
    !
    ftp mode passive
    pager lines 24
    logging console debugging
    mtu Outside 1500
    mtu Inside 1500
    mtu MGMT 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 MGMT
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect icmp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    crashinfo save disable
    Cryptochecksum:11f6260077a88d992dcdcd9d700e3edf
    : end

    --------------------------------------------------------------------------------------------------------------------------------------------------
    R2#sh run
    Building configuration...

    Current configuration : 776 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    no ip icmp rate-limit unreachable
    !
    !
    ip cef
    no ip domain lookup
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    !
    !
    !
    interface FastEthernet0/0
    ip address 192.168.118.100 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    ip default-gateway 192.168.118.11
    no ip http server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    !
    !
    end

    R2#

  3. Runner Ken,

    I believe you need to create a subinterface on the router for the 118 vlan. Otherwise you've got tagged packets coming from the ASA to the router, and the router is not tagging them on the return traffic.

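The diagnosis in the reply above (802.1Q-tagged frames leaving the ASA subinterface and arriving at a router port that is not tagging) can be checked mechanically from the two pasted configs. The Python script below is an added example, not code from the post or the commenters: it extracts every interface stanza that carries an IP address from both configs, records the VLAN tag (`vlan N` on the ASA, `encapsulation dot1Q N` on IOS) and flags any shared subnet where the two sides disagree on tagging. The ASA and R2 excerpts are constructed from the configs in the comment; ROUTER_CONFIG_FIXED is my assumed version of the router side after the suggested subinterface is added, and the function and constant names are my own.

```python
"""Added example: check that an ASA subinterface and its directly connected
router agree on 802.1Q tagging for each shared subnet."""

import ipaddress
import re

# Constructed excerpts of the ASA and R2 configs pasted in the comment above.
ASA_CONFIG = """\
interface GigabitEthernet1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1.118
 description link to Inside
 vlan 118
 nameif Inside
 security-level 100
 ip address 192.168.118.11 255.255.255.0
!
"""

ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.118.100 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
!
"""

# Assumed router side after the fix suggested in the reply: the physical port
# carries no address and a dot1Q subinterface owns VLAN 118.
ROUTER_CONFIG_FIXED = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.118
 encapsulation dot1Q 118
 ip address 192.168.118.100 255.255.255.0
!
"""

# One interface stanza: the 'interface X' line plus every following line up to
# the next line that starts with '!' or 'interface'.
STANZA_RE = re.compile(r"^interface (\S+)\n((?:^(?!interface |!).*\n)*)", re.MULTILINE)


def parse_l3_interfaces(text):
    """Returns [(interface_name, vlan_tag_or_None, IPv4Network)] for every
    stanza that carries an 'ip address' line."""
    result = []
    for name, body in STANZA_RE.findall(text):
        tag, net = None, None
        for line in body.splitlines():
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "vlan" and len(parts) == 2:          # ASA subinterface tag
                tag = int(parts[1])
            elif parts[:2] == ["encapsulation", "dot1Q"] and len(parts) >= 3:  # IOS tag
                tag = int(parts[2])
            elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
                net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        if net is not None:
            result.append((name, tag, net))
    return result


def check_vlan_consistency(asa_text, router_text):
    """One finding per ASA L3 interface: OK, MISMATCH or NO PEER."""
    findings = []
    router = parse_l3_interfaces(router_text)
    for asa_name, asa_tag, asa_net in parse_l3_interfaces(asa_text):
        peers = [(n, t) for n, t, net in router if net == asa_net]
        if not peers:
            findings.append(f"NO PEER: no router interface on {asa_net} for {asa_name}")
            continue
        asa_desc = f"VLAN {asa_tag}" if asa_tag is not None else "untagged"
        for r_name, r_tag in peers:
            r_desc = f"VLAN {r_tag}" if r_tag is not None else "untagged"
            if r_tag == asa_tag:
                findings.append(f"OK: {asa_name} and {r_name} are both {asa_desc} on {asa_net}")
            else:
                findings.append(f"MISMATCH: {asa_name} is {asa_desc} but {r_name} is {r_desc} on {asa_net}")
    return findings


if __name__ == "__main__":
    print("\n".join(check_vlan_consistency(ASA_CONFIG, ROUTER_CONFIG)))
    print("\n".join(check_vlan_consistency(ASA_CONFIG, ROUTER_CONFIG_FIXED)))
```

With the configs as pasted, the first call reports a MISMATCH between GigabitEthernet1.118 (VLAN 118) and FastEthernet0/0 (untagged) on 192.168.118.0/24; with the assumed dot1Q subinterface on R2 it reports OK.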
  4. There is no Flash in my ASA. It says 0. How can I add Flash in my GNS3?

  5. Hello, I just upgraded from Win 8.1 to Win 10. The ASA I have was working fine on Win 8.1. I'm using GNS3 v1.3.7. Now on Win 10 when I start GNS3 and start the topology with the ASA I get an error saying "QEMU has stopped working". Please help, what do I do?

    Replies
    1. Hi,
      Could you try reinstalling QEMU and see if that helps? Faced the same issue long back in Win7 and a re-installation helped then.
      Cheers.

  6. Replies
    1. It's not using a password. Just hit Enter!

  7. Unable to find loopback in cloud, please help

  8. Thank you, thank you, it works like a charm, God bless you brother!!!
    The only thing I needed to change was the IP address in the http server line; I used the subnet because declaring the IP of the ASA gave me an error.

  9. Yeah It really worked. Thanks for sharing this.

    check out my articles Yabatech post-utme screening

    Unilag Post-Utme screening
