GNS3 and Cisco ASA 8.4 (Part 1)

GNS3 has been a staple of my personal study. When I first achieved ROUTE on my way to CCNP I worked in a heavily switched environment. I had worked on routers and routing technologies about 5 percent of the time. It wasn’t enough to brush over the material and blitz the exam. I required a deep dive into the materials offered. I ended up using GNS3 and could create multi-area OSPF topologies, Giant EIGRP networks, and BGP with cheeky redistribution. This was only the beginning.

Imagine this inside your laptop and access anywhere?

My current place of employment is about to have ASAs come out of the nether regions. 5585-CX is the flavour of the day. As a part of all this I am being sent to a Cisco partner course covering FIREWALL topics. I guess this aligns with the CCNP Security FIREWALL curriculum. My ASA exposure is quite limited and I have to admit that I am generally a fish out of water when it comes to hardcore security.

I have read around about people getting PIX firewalls working with GNS3 but PIX is old! ASA took over before I even got into networking. The new CCNA Security is now adding ASA to the course (less rubbish, more content!) and CCNP Security requires ASA/IPS and ASDM. I couldn’t afford to buy ASA devices and/or the required licensing. Luckily I gained access legally to licences and ASA IOS and ASDM.

I am an advocate of licensing and doing the right thing. DO NOT ask me for links to files or for a one off link. CCO login will more than let you know if you are eligible to be using the software detailed in this article. I could be breaking the rules as it is.

 

GNS3

Let me first start this off by disclaiming that this post is not a “Welcome to GNS3”. I am expecting a level of knowledge already present and will NOT be covering basics in this post.

The version of GNS3 that this laptop is using is 0.82-BETA2. I’ve not updated for a while but this is the version that works for me. Included in the All in One installer is QEMU. QEMU is the hero and emulator of the ASA software.

ASA

* If you do not have any of the required files along the way I suggest that you use the googles a little. You may find the files required.

Now – let’s point GNS3 towards our ASA software. I am using 8.4.2 ASA code.

  1. Edit
  2. Preference
  3. QEMU
  4. ASA

QEMU settings work for me. They may not for you.

Note the picture above. The following settings are input into the fields.

ASA SETTINGS

  • Name: ASA8.4 (can be anything)
  • RAM: 1024MB
  • NICs: 6
  • NIC model: e1000
  • Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

ASA SPECIFIC SETTINGS

  • Initrd: Location of Initrd file
  • Kernel: Location of Kernel (ASA) software

Probably the most important field is below. This exact string works for ASA code 8.4 and nothing prior.

  • Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
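
Because these strings have to be entered exactly, here is a small pre-flight check for them, added as an example and not part of the original post or of GNS3. The function name is hypothetical, and the rules that `-m` mirrors the RAM field and that `-hdachs` matches `ide_core.chs` are assumptions taken from the values shown above, not documented GNS3 requirements.

```python
import re

def lint_asa_fields(ram_mb, qemu_options, kernel_cmdline):
    """Return a list of problems in the three GNS3 ASA fields (empty = clean)."""
    problems = []
    # Web pages often replace ASCII with look-alikes (U+00D7 for "x", curly
    # quotes); the fields are passed on exactly as typed.
    for name, text in (("Qemu Options", qemu_options),
                       ("Kernel cmd line", kernel_cmdline)):
        for pos, ch in enumerate(text):
            if ord(ch) > 127:
                problems.append(f"{name}: non-ASCII U+{ord(ch):04X} at offset {pos}")
    # The value starts at -append; a pasted field label is not part of it.
    if not kernel_cmdline.lstrip().startswith("-append "):
        problems.append("Kernel cmd line: does not start with -append")
    # Assumption: -m mirrors the RAM field, as it does on the page (1024).
    mem = re.search(r"(?:^|\s)-m\s+(\d+)", qemu_options)
    if mem and int(mem.group(1)) != ram_mb:
        problems.append(f"Qemu Options: -m {mem.group(1)} != RAM field {ram_mb}")
    # Assumption: disk geometry matches in both strings (980,16,32 on the page).
    hd = re.search(r"-hdachs\s+(\d+,\d+,\d+)", qemu_options)
    chs = re.search(r"ide_core\.chs=0\.0:(\d+,\d+,\d+)", kernel_cmdline)
    if not hd or not chs:
        problems.append("geometry: -hdachs or ide_core.chs missing")
    elif hd.group(1) != chs.group(1):
        problems.append(f"geometry: -hdachs {hd.group(1)} != ide_core.chs {chs.group(1)}")
    # The probe mask must be a plain ASCII hex literal.
    if not re.search(r"ide_generic\.probe_mask=0x[0-9a-fA-F]+(?:\s|$)", kernel_cmdline):
        problems.append("Kernel cmd line: probe_mask is not an ASCII hex literal")
    return problems

# Values from the page, typed in plain ASCII.
OPTIONS = "-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32"
CMDLINE = ("-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 "
           "auto nousb console=ttyS0,9600 bigphysarea=65536")
# Constructed bad paste: field label kept and "x" rendered as U+00D7.
PASTED = "Kernel cmd line: " + CMDLINE.replace("0x01", "0\u00d701")

if __name__ == "__main__":
    for label, cmd in (("typed", CMDLINE), ("pasted", PASTED)):
        print(label, lint_asa_fields(1024, OPTIONS, cmd) or "OK")
```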

Wall of Fire

Now add that and close the window. Next step is to drag across an ASA into the topology. This is my topology I am using to create my virtual lab.

My Security lab

Now just hit console and you will get the ASA to start. It will load up and it can take a while the first time. Due to the requirements being high if your CPU spikes or RAM is maxed expect it to be a poor experience. My laptop rocks 16gb ram and a sandy bridge i7 so I do not have many issues.

Hardware requirements are of particular concern if you are using Virtual Machines such as Security Onion also. IF they are a concern then just worry about connecting your client up!

Licence to kill

As we all know ASA licensing is intense. Stupidity comes to mind. Want VLANs? We got a licence for that. Want fail over? Got a licence for that? 10GBE on 10GBE hardware? Yes, my word you need licence for that.

Well the same goes for our ASA we have running. It is now a fully functioning ASA – same rules apply. Though that being said I do use a legit ASA licence – I have sourced one for you floating around the internet. From what I have read the people who made all this work got this key working. Until I receive a take down notice – Here kiddies!

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Here I apply the key – note that the first time takes FOREVER and a day! Don’t worry just let it do its thing.

ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0$
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.

Now the important thing to note here is how you restart the ASA. DO NOT RELOAD. You must not reload, otherwise you will need to put in another key the next time you boot up. It takes 5 minutes so it can slow you down.

What I have found is that stopping/starting via right click in the GNS3 gui will help you here. It remembers its information.

copy running-config startup-config
copy startup-config disk0:

This is what allows configurations to stay consistent through a restart.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual

Well. That is nice. VPNs, Failover, 3DES-AES, and contexts. Spoilt aren’t you! That’s it for provisioning an ASA in qemu. If there are any files you are missing a light google will help you find what you are missing – allegedly. It took me about 90 minutes of research and not much longer putting it together.

Next up we bind GNS3 to our host machine, kick the console for SSH access from the host then TFTP ASDM onto our device! Phwoar. CCNA CCNP CCIE SECURITY LABS FOR EVERYBODY!

Update –  Shout out to Routergods.net for the love. Check his ASA video out that aligns to this! http://www.youtube.com/watch?v=jAwPuw7G6u8&feature=g-all-u

  • Chelrob

    Hi, thanks for the great post.  Clarify please…

    Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

    or

    Kernel CMD: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

    Thank you :)

    • Sikas

      In the “Kernel CMD Line” type:

      -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

  • Karan Arora

    Hi, I have followed the steps. However, after I put in the key and restart the ASA (Stop and then Start), it still says that the license is limited. I meant failover is disabled. Please assist me.

    • Anthony Burke

      Hey Karan,

      In global configuration mode I used the command as posted in the blog to apply the key.
      I then issued a wr mem and copy start flash0: as a redundancy. I then proceeded to stop/start via the GNS3 console. That worked for me. Give it a go Karan.

      Let me know how you get on.

  • Ryan Milton

    Here is a problem that I have. I can connect an ASA in GNS3 to the Windows Loopback and, using static routes, ping to the ASA and from the ASA. BUT… If I want to connect that ASA to the Ethernet, and then to a switch…mirrored to another PC with the same configuration, I get nowhere. PS: disabling the PC firewall is a must in order to allow the PC to route ICMP packets, I found. Help!

  • izirider

    Use this command to write your config!!!

    disk0:/.private/startup-config

    Thanks for the post

  • keli

    When I start the ASA it says qemu has stopped working

  • shahed

    Unable to save config in ASA. I entered the key and it got activated, but after I close and re-open the ASA, I have to enter the key again. I’m using Windows 7 Ultimate.

    • Anthony Burke

      Did you save your configuration to disk 0 and to the startup configuration? Only then will it work. You cannot restart the device either or issue reboot/shutdown.

  • hstock

    I’m running GNS3 on Win 7 64 bit and I keep getting lina_bigphysarea_size: open /proc/bigphysarea failed, error 2

    I’m doing every step right I can’t get ASA to load

    • hstock

      It doesn’t work in Windows 7, because I’m having the same problem and I decided to test in Windows XP Pro and boom! Working perfectly!

      • s_f

        I had the same problem, and I uninstalled then reinstalled to C:\GNS3 rather than Program Files. It worked after that.

  • Alan

    I am not able to load this ASA on my Windows machine at all. I start the device, a popup window appears, then that’s it. I open the console and it just hangs, never presenting a prompt. Windows 7 64bit is my PC. Any suggestions?

    • Anthony Burke

      Check your string settings as posted in the blog. I had that issue.

  • Primo

    I had a problem with the “…..Error 2” for days. I kept changing stuff and it did not work. I found a simple solution that worked for me; I hope it works for you all too. It was a fairly simple solution.

    1. Disable AV (Anti Virus)

    2. Re-install the GNS3

    3. Place all ASA stuff in ‘C:\GNS3’

    4. Make all the setting changes you will

    5. DO NOT RUN THE ASA at this stage

    6. Close the program and reopen it (It seems the settings would not take effect if you do not reopen the GNS3)

    7. Then it works

    The problem I was facing was that I was changing the settings but did not close and reopen GNS3.

    Hope it was a help.

  • vishnu

    I tried to ping from my ASA to the Loopback, and it is not getting a ping. The output was ????? like this. So what do I have to do?

  • Ramon Pinyol

    Hi friend, how do I restart the ASA? Please help me

    Thanks for all!

    Regards
    Rapici

    • Anthony Burke

      Hi Ramon,

      You need to save your configuration. After doing this, in GNS3, right click on the ASA, and select Stop. Then Start the ASA once more.

      You cannot perform a restart otherwise it will wipe the licence file.

      Regards,

      Anthony

      • Ramon Pinyol

        Hi Anthony Burke, all right and very good job!! It works!!

        Regards from Spain
        Ramon

      • Sridhar

        Hi Anthony did u find the activation key for the failover license???

  • Manny Fernandez

    Great Blog. Recently moved to Mac from Ubuntu (Fedora before that) and have moved almost 95% of my “stuff” over. I was wondering if you know of IPS 7.1 running on GNS3? Thanks

  • James

    Guys, I’m getting this error, can I get some help on this matter?
    “lina_bigphysarea_size: open /proc/bigphysarea failed, error 2”

    thanks
