This post is a step-by-step guide to emulating Cisco ASA 8.4.2 on GNS3. GNS3 uses QEMU to emulate the hardware environment for a Cisco ASA device. Please make sure that your computer has at least 4 GB of RAM before you begin.
The steps below are simple and straightforward. So let's begin.
Edit on 28/10/2014: On the latest version of GNS3, i.e. GNS3 1.0, adding an ASA from Qemu is a little different. Just follow the steps under the topic 'In GNS3 1.0' below.
1.) Download and install GNS3. You can get the software from http://www.gns3.com. You may need to register/login to get the software.
2.) Get a copy of ASA 8.4.2 code. You can get it from your live ASA device by copying the image to a TFTP server.
3.) Unpack the image and you will get two files, asa842-initrd.gz and asa842-vmlinuz.
[For GNS3 1.0 (latest) follow the steps under the topic 'In GNS3 1.0']
4.) Now open GNS3 and go to Edit -> Preferences -> Qemu -> ASA.
5.) Configure the 'ASA Settings' and 'ASA Specific Settings' like below:
Identifier name: Cisco-ASA
RAM : 1024 MiB
Number of NICs : 6
Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Initrd: Browse and select the 'asa842-initrd.gz' file from the unpack process
Kernel: Browse and select the 'asa842-vmlinuz' file from the unpack process
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Finally, click Save and then OK. Also refer to the screenshot below for more information on this configuration.
Now drag and drop ASA Firewall to the project area and start configuring your ASA device!
In GNS3 1.0 [Edit on 28/10/2014]
Follow the steps above up to step 4.
1.) Expand QEMU > QEMU VMs
2.) Click New and type a name for your ASA device
3.) Select the type as ASA 8.4(2) and click Next
4.) Leave the Qemu binary and RAM as they are and click Next
5.) Now browse to the initrd and kernel images which you extracted before and click Finish
That's it! You are done with ASA configuration in GNS3. No need to give Qemu Options or Kernel cmd line, everything is already set in GNS3. Below you can find a screenshot of the configuration.
Now go to your GNS3 > Security devices and drag your ASA to work-space, enjoy!
Add ASDM and connect your ASA
You can connect to the ASA from the computer on which you are running GNS3. Follow the steps below to do this:
1.) Add a Microsoft Loopback adapter to your computer (refer to http://www.groovypost.com/howto/install-loopback-adapter-windows-8-server-2012/) and give it an IP address as below (use any IP):
2.) Drag and drop 'Cloud' to the GNS3 work-space and connect it to an Ethernet switch. Refer to the screenshot below:
3.) Configure 'Cloud' and add the loopback adapter which you added in step 1, as shown in the figure below:
4.) Open a console session to your ASA from GNS3 and configure one of its interfaces like below:
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.10 255.255.255.0
5.) Now try to ping your computer's loopback IP from the ASA and vice versa. (Make sure that you disable firewall/antivirus etc. on the local PC on which GNS3 is installed.)
6.) Download ASDM (asdm-649.bin)
7.) Install a TFTP server on your local PC and keep the above file in its root directory.
8.) Now upload asdm-649.bin to the ASA's flash using the commands below. (If the upload fails, temporarily disable every network adapter other than the loopback adapter and try again.)
ciscoasa# copy tftp: flash:
Address or name of remote host? 192.168.1.100
Source filename? asdm-649.bin
Destination filename [asdm-649.bin]?
Accessing tftp://192.168.1.100/asdm-649.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
18927088 bytes copied in 143.10 secs (132357 bytes/sec)
9.) Run the commands below to load ASDM on the ASA and enable the HTTP server. The http command takes the network and mask of the clients that are allowed to connect, so it uses the subnet address rather than the ASA's own IP:
ciscoasa(config)# asdm image flash:asdm-649.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# username admin password 1234 privilege 15
ciscoasa(config)# write memory
10.) Now go to your local PC, open a browser and type https://192.168.1.10. You will get a page like the one below:
11.) Click on 'Run ASDM' and log in with the username and password which you created in step 9. You will be presented with the ASA dashboard.
I hope this helps. You can expect ASA configuration examples and tech notes soon on my blog.
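Added example (not part of the original post): the http statement in step 9 lists the client addresses allowed to reach ASDM as a network and mask, and a commenter below reports an error when the ASA's own IP is used there. This Python sketch checks such lines for an address/mask mismatch and for whether the management PC is inside the permitted range; the PC address 192.168.1.100 is assumed from the TFTP host in step 8, and the function names and sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the step 9 rule with the ASA's own IP, the subnet form,
# and a tighter single-host form for the management PC.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.10 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.100 255.255.255.255 inside
"""

def check_http_rules(config, client_ip):
    """Classify every 'http <addr> <mask> <interface>' line.

    'invalid' : address has host bits set for the given mask
    'blocks'  : well-formed, but client_ip is outside the range
    'permits' : well-formed and client_ip is inside the range
    """
    client = ipaddress.ip_address(client_ip)
    results = []
    for raw in config.splitlines():
        parts = raw.split()
        # 'http server enable' has three tokens and is not an access rule.
        if len(parts) != 4 or parts[0] != "http":
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
        except ValueError:
            results.append((raw.strip(), "invalid"))
            continue
        results.append((raw.strip(), "permits" if client in net else "blocks"))
    return results

def narrowest_permit(config, client_ip):
    """Return the most specific well-formed rule admitting client_ip, or None."""
    best_line, best_len = None, -1
    for line, verdict in check_http_rules(config, client_ip):
        if verdict != "permits":
            continue
        _, addr, mask, _ = line.split()
        prefixlen = ipaddress.ip_network(f"{addr}/{mask}").prefixlen
        if prefixlen > best_len:
            best_line, best_len = line, prefixlen
    return best_line

if __name__ == "__main__":
    for line, verdict in check_http_rules(SAMPLE_CONFIG, "192.168.1.100"):
        print(f"{verdict:8} {line}")
```

The single-host rule is the narrowest one that still admits the management PC, which is the form to prefer once the lab is reachable from more than one machine.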
Nice work Yadhu......
Hello, I used fragments of other tutorials plus yours; you were a great help.
Hi Yadhu,
Have you tried creating any test labs? I run into a problem when I create a subinterface (IP 192.168.118.11/24) on the ASA and I could not ping the router (R2, IP 192.168.118.100), which is directly connected to the ASA. Did I miss anything?
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description Outside
nameif Outside
security-level 0
ip address 200.0.111.11 255.255.255.0
!
interface GigabitEthernet1
no nameif
no security-level
no ip address
!
interface GigabitEthernet1.118
description link to Inside
vlan 118
nameif Inside
security-level 100
ip address 192.168.118.11 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
nameif MGMT
security-level 0
ip address 192.168.0.254 255.255.255.0
!
ftp mode passive
pager lines 24
logging console debugging
mtu Outside 1500
mtu Inside 1500
mtu MGMT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:11f6260077a88d992dcdcd9d700e3edf
: end
--------------------------------------------------------------------------------------------------------------------------------------------------
R2#sh run
Building configuration...
Current configuration : 776 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
interface FastEthernet0/0
ip address 192.168.118.100 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip default-gateway 192.168.118.11
no ip http server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
R2#
Runner Ken,
I believe you need to create a subinterface on the router for the 118 vlan. Otherwise you've got tagged packets coming from the ASA to the router, and the router is not tagging them on the return traffic.
There is no Flash in my ASA. It says 0. How can I add Flash in my GNS3?
Hello, I just upgraded from Win 8.1 to Win 10. The ASA I have was working fine on Win 8.1. I'm using GNS v 1.3.7. Now on Win 10, when I start GNS3 and start the topology with the ASA, I get an error saying "QEMU has stopped working". Please help, what do I do?
Hi,
Could you try reinstalling QEMU and see if that helps? Faced the same issue long back in Win7 and a re-installation helped then.
Cheers.
Thank you... :)
Pass for the ASA?
It's not using a password. Just hit Enter!
Unable to find loopback in cloud, please help
Thank you, thank you, it works like a charm, God bless you brother!!!
The only thing I needed to change was the IP address in the http server; I used the subnet because declaring the IP of the ASA gave me an error.