NAT Enhancements

There are a few small tricks to improve NAT behaviour. The first is the translation (xlate) timeout: how long an idle translation slot is kept before its mapped address, or PAT port, is returned to the pool. The default is 3 hours (3:00:00) and the minimum is one minute. If you have a small pool, or find PAT ports being consumed faster than they are released, you can lower this timer. I personally like a smaller timer and, depending on the application and/or load, use 15 or 20 minute timers.

timeout xlate 1:00:00

The example above sets one hour. The ASDM equivalent is Configuration > Firewall > Advanced > Global Timeouts; modify the Translation Slot field.

The other feature is DNS rewrite (sometimes called DNS doctoring). The ASA can inspect DNS replies passing through it and translate the address inside the A record according to a matching NAT rule. Take a DMZ host published as networkinferno.net: a DNS server on the outside only knows its public (mapped) address, but a client on the inside needs to reach the host on its private (real) address. With DNS rewrite the ASA hands each side the address that is correct for it, so the reply a client receives matches an address it can actually reach.

nat (dmz-dns,outside) source static DMZ-DNS-01 OUT-DNS-01 dns

The dns keyword at the end of the rule is what enables DNS rewrite for that translation. It only takes effect when DNS application inspection is applied to the traffic: inspect dns is part of the default global_policy, so check it has not been removed before blaming the NAT rule.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules.

This is an extract of my upcoming ASA companion guide. 

DNS on the ASA

I hope you enjoy this extract from my upcoming ebook – Deploying Cisco ASA firewalls.


–DNS on ASA–

This section looks at the DNS functions available on the ASA. The firewall is not a DNS server and cannot serve A or AAAA records; what it provides is a DNS client, so that the ASA itself can resolve names, for example for ping and for FQDN network objects.

Name-to-IP-address resolution on the ASA requires a DNS server group. First we define the interface on which the ASA is allowed to send lookups.

dns domain-lookup Inside

Next we create the DNS server group. I will name it CI-DNS and list my DNS servers in it.

dns server-group CI-DNS
 name-server 172.16.84.23
 name-server 172.16.62.23
 name-server 172.16.40.23
 name-server 8.8.8.8
 domain-name ciscoinferno.net

The last server listed is Google's Public DNS, acting as a backup; servers are tried in the order listed. Keep in mind that lookups sent to a public resolver leave your network in the clear. Also defined is the domain-name the ASA itself resides in.

hostname asa1
domain-name ciscoinferno.net

The FQDN of the ASA is now asa1.ciscoinferno.net. Provided the DNS servers are reachable, you can issue the ping command with a hostname and watch the name being resolved before the echo requests go out. Further insight is available with the debug dns resolver command.

The ASDM configuration window resides at Configuration > Device Management > DNS > DNS Client.

Inter vs Intra

There are 101 security levels on the ASA (0 to 100). That may not be enough, and you may need to reuse the same security level on several interfaces. We know that traffic from a higher security level interface to a lower one is permitted by default, but what if two interfaces share the same level? By default that traffic is denied, and an access-list alone will not permit it: the same-security-traffic command must also be enabled.

Inter-interface

Inter interface communication allows communications between different interfaces of the same security level.

ASDM

Navigate to Configuration > Device Setup > Interfaces

Select the check box entitled Enable traffic between two or more interfaces which are configured with the same security levels.

CLI

ciscoasa# conf t
ciscoasa(config)# same-security-traffic permit inter-interface

Intra-interface

Intra-interface permits traffic that enters an interface and is routed back out of the same interface. This is denied by default. The classic case is hair-pinning; hub-and-spoke VPN topologies, where spoke-to-spoke traffic enters and leaves the hub's outside interface, rely on it.

ASDM

Navigate to Configuration > Device Setup > Interfaces
Select the check box entitled Enable traffic between two or more hosts connected to the same interface.

CLI 

ciscoasa# conf t
ciscoasa(config)# same-security-traffic permit intra-interface

To disable either use the no form of the command.

Why must we go to area 0?

OSPF is something that still mystifies me. I know it is a vast and large protocol and I do hope I can dispel something today for you.

“Why do other areas need to connect to area 0?”

Picture a tree. Nice big tall trunk and it has many branches. Area 0 is the trunk of your network whilst other areas are in essence branches.

As we know, every router in an area floods LSAs describing itself and its links to every other router in that area. Each router stores them in its link-state database, runs SPF with itself as the root, and the shortest-path "tree" is formed.

Simple multi-area OSPF

When areas become large and their link-state databases grow, it is important to break the network into areas like the above. This keeps the database bounded and convergence efficient. I like to apply areas based on site or geographic boundary where applicable, or where I want to leverage the distinct LSA behaviour of certain area types. The areas that connect to area 0 are our "branches". By defining areas we limit the full SPF calculation to the devices in the area; changes elsewhere arrive as summary LSAs.

Each non-backbone area connects to area 0 through an Area Border Router (ABR). ABRs maintain a separate link-state database for each area they attach to, and use type 3 (summary) LSAs to tell routers in one area which prefixes are reachable via the other. The ABR acts as the eyes and ears for routers in the other areas: the ABR in the picture (R3) sees R1/R2 in area 0 and R4/R5 in area 1, but R1/R2 and R4/R5 never see each other's router LSAs.

Between areas OSPF behaves like a distance-vector protocol: a router trusts the ABR's summary LSA rather than computing the path itself. Although OSPF is a link-state protocol, that inter-area behaviour would be prone to routing loops if areas could be chained arbitrarily. This is why every area must connect to area 0: the backbone forces inter-area routes to travel area to backbone to area, which is loop-free by construction. Now you can see why OSPF designs all join back to area 0, and why virtual links should be used as band-aids only.

Remote Labbing – Lab long and prosper!

Certification requires a lot of lab time. I mean a lot. Hundreds of hours of thorough, insightful, and meaningful labbing. Let alone the time invested behind the CLI of a CCIE certification. There are two routes these days that most people go. Hiring rack time or building their own lab. I am going to discuss the latter today including reproducing my setup!

Physical vs Semi-physical

There are two types of physical labs we can create. If you have access to ex-production kit, are very wealthy, or get lucky on eBay then a full physical topology is great: routers, switches, frame relay devices. When looking at a vendor topology for the CCIE lab you quickly realise it can be quite expensive, especially in this economic climate.

http://www.ine.com/topology.htm

Albeit this is classed as a cheaper lab there are a lot of interfaces and expansion cards to get. The price does add up.

I have opted for a hybrid physical/virtual topology. What on Earth? GNS3 + 4 physical switches + a whole lotta NICs. Let us now together build our server.

Physical Checklist

I am lucky enough that my workplace has spare servers. Dell PowerEdge 710 is the flavor. It is highly over powered for what we plan to do.

  • 2 x Xeon quad-core 2.8 GHz
  • 32 GB RAM (it originally had 96 GB)
  • 500 GB 15k SAS
  • 3 x Intel quad-port 1 GbE NIC
  • 1 x onboard NIC (4 x 1 GbE)

Overkill. What I am doing can be reproduced on an i5 with 8 GB RAM and 3-4 quad-port NICs. GNS3Vault, Matthew Mengelm, and Mellowd have done it on the above or less.

  • 2 x 3560-X (48Port, PoE, 100/1000, 2 x 10GB card)
  • 2 x 3750-G

Install time.

I have installed Ubuntu 12.04 x64 onto this machine.  I chose the desktop version and I am a grasshopper. The server is accessible when I am at work but I wanted easy access if I broke something :)

Install dependencies of GNS3/Dynamips

 sudo apt-get update
 sudo apt-get install python
 sudo apt-get install qt4-dev-tools
 sudo apt-get install pyqt4-dev-tools

Install GNS3 to /opt directory.
( I choose to keep all directories lowercase for sanity reasons)

 cd /opt
 sudo wget http://downloads.sourceforge.net/project/gns-3/GNS3/0.8.2/GNS3-0.8.2-src.tar.bz2
 sudo tar -xjvf GNS3-0.8.2-src.tar.bz2
 sudo mv GNS3-0.8.2-src /opt/gns3
 sudo rm GNS3-0.8.2-src.tar.bz2

Creating subdirectories and adding read/write permission on the project directory. Note that o+rw makes the directory writable by every local user; on a shared host, grant a group instead.

 cd /opt/gns3
 sudo mkdir dynamips
 sudo mkdir ios
 sudo mkdir project
 sudo mkdir tmp
 sudo chmod o+rw -R ./project

Time to install the Dynamips backend. The binary is fetched over plain HTTP, so compare it against the checksum published on the project's download page before running it:

 cd dynamips
 sudo wget http://downloads.sourceforge.net/project/gns-3/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86.bin
 sudo chmod +x ./dynamips-0.2.8-RC3-community-x86.bin

X11 Forwarding

Now, before we begin, I want to set up remote access. I use this machine via the internet, so once port forwarding is set up I need to change some SSH settings. I want the GNS3 GUI X11-forwarded so I can access and change a topology and create new ones. My dynamips training wheels aren't great.

sudo nano /etc/ssh/sshd_config
Check that X11Forwarding yes is set (it is the Ubuntu default) and restart the ssh service if you changed it. ForwardX11 in /etc/ssh/ssh_config is the client-side option, so it belongs on the machine you connect from; passing ssh -X does the same per session. Because this box is exposed to the internet, pair it with key-based logins (PasswordAuthentication no) and prefer -X over -Y so the forwarded client is not trusted.

Write these changes.

Access via CLI.

After SSH’ing into your box you land at the command prompt. To launch a GUI based GNS3 from CLI use the following.

sudo python /opt/gns3/gns3.pyw

That will launch GNS3. If you want it to open a project file automatically too, pass the .net file as an argument:

sudo python /opt/gns3/gns3.pyw /opt/gns3/project/ine/inev5.net

GNS3 settings

Because this box has a bucket load of RAM, I set the Dynamips working directory to /run/shm, which is a tmpfs held in RAM rather than on disk, for faster run times. Pewpew!

Edit > Preferences > Dynamips >

Working Directory for Dynamips:
 /run/shm

Now to set up the basics with GNS3/Dynamips.

Edit > Preferences > Dynamips >

Executable path to Dynamips:
 /opt/gns3/dynamips/dynamips-0.2.8-RC3-community-x86.bin
Project directory: /opt/gns3/project
Image directory: /opt/gns3/ios

Inside the ios folder I have the c3725-adventerprisek9-mz.124-15.T5 image.
My idle-pc value, which tells Dynamips when the emulated CPU is idle so it stops burning host CPU, is 0x602649b4. This will differ on your machine; calculate it and pick a value marked with an asterisk.
I have also increased the RAM of my 3725 to 256MB.

Fully loaded and running my INEv5 topology uses 8 percent of ram. :)

Goal Topology

This is the topology I am building. Where a switch is cabled into a router, as far as the devices are concerned they are adjacent. In the case of SW3 -> BB3 the physical path is: SW3 fa0/24 -> eth1 on the server; a GNS3 cloud is bound to eth1 and cabled to BB3 fa0/0. Rinse and repeat this step and you will find you easily have this topology, but also the IPExpert, Narbik, Cisco360 or any conceivable topology. Oh, and you can have more than 4 switches!

[Figures: INEv5 Ethernet cabling, INEv5 serial cabling, and the final GNS3 topology]

The little clouds reflect which physical port each one connects to. By providing the physical serial, Ethernet, and GNS3 diagrams I hope you will be able to reproduce this nicely.

Extras to make labbing easy.

Now let us be cheeky and make full use of our switches: telnet to serial!
I have 4 console cables, 2 USB and 2 serial, to access my switches. I access my switches by telnetting to the console cables.

Install Serial to Telnet

sudo apt-get install ser2net

Edit the config

sudo nano /etc/ser2net.conf

I change the TTY lines to match the serial and USB adapters on my box:

6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
6002:telnet:0:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
6003:telnet:0:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner

The syntax above is port:state:timeout:device:options, where the options carry the baud rate and line settings. A timeout of 0 means an idle session is never disconnected. Note that ser2net listens on every interface by default and applies no authentication of its own, so anyone who can reach TCP 6000-6003 gets a switch console. ser2net 2.x accepts an address before the port (127.0.0.1,6000, see ser2net.conf(5)) to bind to loopback only; alternatively block the ports with iptables and reach them through your SSH session.
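As an added example (my code, not part of the original post), here is a small Python checker for the ser2net line format described above. It parses port:state:timeout:device:options lines, flags consoles that listen on all interfaces or never time out, and emits a loopback-bound replacement for each line. The config text is constructed for the example; the address,port binding form it relies on is the one documented in ser2net.conf(5) for ser2net 2.x, and DEFAULT_IDLE_SECONDS is my own choice, not a ser2net default.

```python
"""Audit ser2net 2.x port lines for network-exposed, never-expiring consoles.

Added example, not part of the original post. The sample config is constructed.
"""
from dataclasses import dataclass

# Constructed sample: two lines as in the post (all interfaces, timeout 0),
# one bound to loopback with an idle timeout, one explicitly on 0.0.0.0.
SAMPLE_CONF = """\
BANNER:banner:console server \\p\\r\\n
6000:telnet:0:/dev/ttyS1:9600 8DATABITS NONE 1STOPBIT banner
6001:telnet:0:/dev/ttyS2:9600 8DATABITS NONE 1STOPBIT banner
127.0.0.1,6002:telnet:600:/dev/ttyUSB1:9600 8DATABITS NONE 1STOPBIT banner
0.0.0.0,6003:telnet:600:/dev/ttyUSB2:9600 8DATABITS NONE 1STOPBIT banner
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_IDLE_SECONDS = 600  # assumption used for the hardened line; tune to taste


@dataclass
class ConsolePort:
    bind_addr: str   # "" when the line gives a bare port (listen everywhere)
    port: int
    state: str       # raw, rawlp, telnet or off
    timeout: int     # idle seconds before disconnect; 0 = never
    device: str
    options: str     # baud rate and line settings, e.g. "9600 8DATABITS NONE 1STOPBIT"


def parse_ser2net(text):
    """Return a ConsolePort for each device line; directives and comments are skipped."""
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) < 4:          # BANNER:/TRACEFILE: style directives
            continue
        endpoint, state, timeout, device = fields[:4]
        options = fields[4] if len(fields) == 5 else ""
        bind_addr, _, port_s = endpoint.rpartition(",")   # bare "6000" -> ("", "", "6000")
        if not port_s.isdigit() or not timeout.isdigit():
            continue
        ports.append(ConsolePort(bind_addr, int(port_s), state, int(timeout), device, options))
    return ports


def audit_consoles(ports):
    """Return (port, message) findings: exposed listeners, no idle timeout, duplicate devices."""
    findings = []
    seen = {}
    for p in ports:
        if p.state == "off":
            continue
        if p.bind_addr not in LOOPBACK:
            shown = p.bind_addr or "0.0.0.0"
            findings.append((p.port, f"{p.device} is reachable from the network on {shown}:{p.port}"))
        if p.timeout == 0:
            findings.append((p.port, f"{p.device}: timeout 0, an abandoned session holds the console"))
        if p.device in seen:
            findings.append((p.port, f"{p.device} is already served on port {seen[p.device]}"))
        seen.setdefault(p.device, p.port)
    return findings


def hardened_line(p):
    """Rewrite a port line so it binds to loopback and idles out, keeping the rest as-is."""
    timeout = p.timeout or DEFAULT_IDLE_SECONDS
    line = f"127.0.0.1,{p.port}:{p.state}:{timeout}:{p.device}"
    return f"{line}:{p.options}" if p.options else line


if __name__ == "__main__":
    parsed = parse_ser2net(SAMPLE_CONF)
    for port, msg in audit_consoles(parsed):
        print(f"port {port}: {msg}")
    print("\nhardened config:")
    for p in parsed:
        print(hardened_line(p))
```

Run it against your own /etc/ser2net.conf by reading the file into parse_ser2net; the hardened lines only change the bind address and the timeout, so the device, speed and banner settings survive untouched.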

Now lets restart the service so the config file is reloaded.

sudo service ser2net restart

To access all of my devices at once, conveniently and securely, I use the Byobu terminal multiplexer over SSH.

sudo apt-get install byobu
sudo byobu

F2 creates a new terminal. F3/F4 navigate across.

It may take a while to get through, but now you have a pseudo console server! The best part is that it keeps your scrollback, so if you lab remotely you can resume exactly where you left off with the output of previous sessions.

Treats!

I have uploaded my topology to ubuntu pastebin. Feel free to copy and paste this into a .net file and use it yourself. This applies to my computer only so do change it if you have different settings, install locations. Remember to adjust the IDLE-PC to match yours as a .NET file overrides global defaults.

My thoughts

My labbing has increased tenfold. The ability to spin up varying networks with L2/L3 technologies working harmoniously together. CLI access is fantastic and having now quite a few templates to work on I have zero excuse. I believe the hours I spent putting this together has already yielded dividends.

** EDIT – You can easily add in a Firewall using QEMU and ASA 8.4. More delicious topics to get your pretty faces into.

Additional and Supplementary post

RIDs. Spare a thought for the non-configured.

The router-ID. (RID). Such a fundamental concept in so many regards. One of the more important parts of a routing protocol. I could almost argue that it is one of the easily forgotten things to configure. With routing protocols relying on their RID to keep a stable topology my mind drifted to planning and scoping addressing space.

Speaking with @networkjanitor today briefly we discussed this. His words are as always wise.

  • Divide up a /24 subnet.
  • Further divide these addresses into /32s.
  • Assign to a loopback interface.
  • Set OSPF network type as point-to-point.
  • Set passive-interface.

How do you ensure your topology is stable? Do you carve up a subnet and issue IP addresses to a loopback? Do you leave it up to chance and rely on your intimate knowledge of said network? Share your thoughts below about how you address RID’s to ensure a stable and easy to work with routing topology.

The importance of skinning cats

Once again the VLAN topic comes to the forefront but immediately I know this will apply to all aspects of the blueprint. The old adage goes something like “There are many ways to skin a cat”.

Let's take the example of creating a VLAN. How many ways can you do it? I know of three, and I will give an example of each below to show my point.

First Method – VLAN Database

S1#vlan database
% Warning: It is recommended to configure VLAN from config mode,
 as VLAN database mode is being deprecated. Please consult user
 documentation for configuring VTP/VLAN in config mode.
S1(vlan)#vlan 100 name CCIE-vlan100
VLAN 100 added:
 Name: CCIE-vlan100

Note here that we have added a VLAN to the VLAN database. Remember that this mode can only create normal-range VLANs (1 to 1005, with 1002-1005 reserved). Note also that this method is deprecated but, at time of writing, still works.

Second Method – Global Configuration

S1(config)#vlan 150
S1(config-vlan)#name CCIE-vlan150

This method is quite easy in comparison. This method is what has replaced directly interacting with vlan.dat via the VLAN database. This is the method that most students are taught when getting their CCNA studies under their belt.

Third Method – Interface creation

S1(config)#int fa0/10
S1(config-if)#switchport access vlan 200
% Access VLAN does not exist. Creating vlan 200

Note here that we have created a VLAN inadvertently by placing an interface into a VLAN which has not been defined. This creates the VLAN in the database. This only applies to standard range VLANs and does not work on all devices.

If you have read my previous article discussing the difference between standard and extended range VLANs you will have more clarity in regards to the following error.

S1(config-if)#switchport access vlan 3500
% Access VLAN does not exist. Creating vlan 3500
S1(config-if)#
00:08:28: %PM-2-VLAN_ADD: Failed to add VLAN 3500 - VTP error.

This error appears because a switch in VTP server or client mode (VTP version 1 or 2) cannot write an extended-range VLAN to the vlan.dat database. The VTP mode that allows extended VLANs to be created and written to the running config is transparent mode. VTPv3 removes this restriction, but at this time it is outside the scope of the CCIE blueprint.

This entry was not written as a guide to skinning our feline friends. Its purpose is to show that a task may require a different way of execution. I know for a fact that restrictions on the CCIE exam make some simple tasks a little trickier, and take trickier tasks to the extreme.

By understanding different methods such as those listed above you may avoid some obstacles. If a task stated

  • VLANs 500,1000,2000 must be created. VLAN information must be added to the running configuration concurrently.

You would have to weigh up what method and mode best suits the requirements of the question.

A fundamental understanding of technologies and their applications is important. Playing at the CLI will also reveal the cause and effect of each word you type. The CCIE awaits me and I had best get back to study.

Starting my CCIE Written (prematurely?)

Today is a significant day. After much tossing and turning and discussions with my wife I have finally decided to start down the path of CCIE study. Those who follow my blog may know that I am not yet a CCNP (I still have SWITCH to go) and that is fine. The reason I am waiting is financial; I am saving my pennies after a 0.9 percent miss on SWITCH back in May. I felt that continuing onwards will reinforce what I know and allow me to align study time to defined goals.

I am not taking this goal lightly. I understand the gravity of the task at hand. I have many good friends who are on the path, looking back on the path, and standing right beside me.

Join my adventures by subscribing to my blog or come chat over at #cciestudy on freenode.

IOS CLI Shortcuts!

Found this neat list of IOS Short cuts! Adding for future reference. Ctrl + K  is my favourite!

Ctrl + A - Beginning Line
Ctrl + B - Backward Character
Ctrl + C - Clear line
Ctrl + D - Delete Character to the Right
Ctrl + E - End Line
Ctrl + F - Forward Character
Ctrl + H - Backspace Character to the Left
Ctrl + I - Refresh Line and Goto End
Ctrl + J - Return
Ctrl + K - Delete everything on the Right of cursor
Ctrl + L - Refresh Line
Ctrl + M - Return
Ctrl + N - Next Command
Ctrl + P - Previous Command
Ctrl + R - Refresh Line
Ctrl + T - Flip Last 2 Characters
Ctrl + U - Clear Line and Put in Buffer
Ctrl + V - Allows A Control Character To Be Typed
Ctrl + W - Delete Word Backwards and Put in Buffer
Ctrl + X - Clear Line to the Left and Put in Buffer
Ctrl + Y - Paste Buffer Contents

How can you help get the MCSE out of the toilet?

2012 – A server odyssey

With Windows Server 2012 nearing launch, the Microsoft Developer Network has released a great book on the features and offerings the new OS has built in. A quick glance gives options regarding blah blah cloud deployments, improved monitoring and more. With over 256 pages split into 5 chapters of Windows Server goodness, I am sure there is something new in there for all systems administrators.

The new MCSE Server Infrastructure exams are on their way. This book will help give you a leg up and get certified as soon as possible. With a lot of 2003 boxes around, and 2008 (non-R2), many will find the path to Server 2012 requires a certified expert. Earn your stripes and get your teeth into some serious deployments/migrations.

Take note: passing Microsoft exams doesn't necessarily mean you are an expert. That part is up to you. Notorious for being more a grammar test than a technical one, it is important that labbing and proof-of-concept work are undertaken at home. Cisco used the saying "It's how they know you know" regarding their certification tracks. Simple: if you dump, then they will know quickly that you are incapable and one of those people who bring the value of the cert down. If you lab hard, work hard and LEARN the technology then you will deliver. Oh, and you might just help bring the standard of MCSE certification out of the toilet!

Table of Contents

Chapter 1 The business need for Windows Server 2012
  • The rationale behind cloud computing
  • Making the transition
  • Technical requirements for successful cloud computing
  • Four ways Windows Server 2012 delivers value for cloud computing

Chapter 2 Foundation for building your private cloud
  • A complete virtualization platform
  • Increase scalability and performance
  • Business continuity for virtualized workloads

Chapter 3 Highly available, easy-to-manage multi-server platform
  • Continuous availability
  • Cost efficiency
  • Management efficiency

Chapter 4 Deploy web applications on premises and in the cloud
  • Scalable and elastic web platform
  • Support for open standards

Chapter 5 Enabling the modern work style
  • Access virtually anywhere, from any device
  • Full Windows experience
  • Enhanced security and compliance

Link the PDF

Link to the Release Candidate

GNS3 and Cisco ASA 8.4 (Part 2)

Alright! Bam! Excited? I surely am. Cisco ASA on my laptop and I can lab anywhere! Now let's establish more than console access via GNS3 and get SSH/HTTPS/ASDM running. The reason I am so pushy to get ASDM on the device is that certification guides show how to do each task both ways, CLI and ASDM. Handy in my opinion, and it doesn't hurt for study reasons!
Requirements

  • tftpd32 – TFTP application
  • Legal version of ASDM 8.4.2 – Pretty GUI for the ASA
  • Administrator Rights – Need to bridge your interfaces!

Setup GNS3 for a host

Before we go making SSH access we need to connect our host into GNS3. Simple enough, but it can be daunting for some. I currently use Windows 7 on my lab machine due to the speed of spinning up VMs and the ease of connecting them in. I have dabbled with taps in Linux and it hurts my face and wastes my labbing time.

To connect your host to GNS3 I made a bridge interface with a pre-existing VM interface and my Gig Ethernet interface of my laptop.

  1. Open up network connections
  2. Select Ethernet connection and VM Connection
  3. Right Click > Bridge Connection
  4. Assign an IP address to your device.

Think Smart and It’s simple!

Now that we have created this adapter and assigned this address ( other end is g0 on the ASA – 192.168.2.1 ) we can create a magical unicorn (cloud) link!

  1. Open up GNS3 – Drag a cloud next to your ASA and place an Ethernet Switch down too.
  2. Right click on the cloud and configure. Select the bridge adapter you just created and add that connection.
  3. Cable the cloud to the switch and then the switch to the ASA

Pick the right interface lest there be judgment most righteous

Back to the ASA!

Now lets get some initial configuration on this ASA and get connectivity from our Windows machine! We are getting there people! Slow and steady wins the race.

Note: GNS3 lists interfaces as E0-5. The ASA sees them as G0-5.

Alright, basic ASA configuration and the required interface. Note that the lab uses security-level 0 on the management interface; on real kit, give a dedicated management interface a high security level and the management-only keyword.

interface GigabitEthernet2
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.2.1 255.255.255.0
username asa password xGIkoVq88G4kwjuv encrypted privilege 15

Now to make the SSH keys

domain-name ciscoinferno.net
crypto key generate rsa
ssh 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication ssh console LOCAL
ssh timeout 5

Voila! SSH from subnet 192.168.2.0/24 on the MANAGEMENT interface has been allowed, authenticating against the local user database. On anything other than a throwaway lab, also add ssh version 2 and generate the key with crypto key generate rsa modulus 2048 rather than the 1024-bit default. Now to test a ping from the 192.168.2.2 host and then connect via SSH!

C:\Users\CiscoInferno>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=4ms TTL=255
Reply from 192.168.2.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.2.1:
 Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
 Minimum = 1ms, Maximum = 4ms, Average = 2ms

[Screenshots: the generated SSH key, and the first successful SSH login]

Now let's TFTP the ASDM software from 192.168.2.2 onto the ASA at 192.168.2.1. It is a rather simple process: TFTPD32 is installed on the host at 192.168.2.2 and the file asdm-641.bin is in the TFTP root.

ASA1# copy tftp disk
Address or name of remote host []? 192.168.2.2
Source filename []? asdm-641.bin
Destination filename [disk]?
Accessing tftp://192.168.2.2/asdm-641.bin...!!!!!!  !!!!!!!
15841428 bytes copied in 41.550 secs (386376 bytes/sec)
ASA1#

Installed. Now we just enable the HTTPS web service and off we go. So close! Study can almost begin!
The commands to set up the HTTPS server are very similar to the SSH syntax. We first enable the service, then specify which subnet on which interface may reach it, and point authentication at the local database.

http server enable
http 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication http console LOCAL
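Tying the management-plane lines above together with the NAT DNS-rewrite dependency and the same-security-traffic sections earlier on the page, here is an added Python check (my example, not code from the post or from Cisco) that audits an ASA running-config. The sample config is constructed: it reuses lines from the post and adds one deliberately open ssh 0.0.0.0 0.0.0.0 outside entry so the weak setting shows up beside the good one. The severity labels are my own.

```python
"""Static checks for an ASA config, covering the settings discussed on this page.

Added example, not code from the original post or from Cisco. It runs over a
constructed sample config and reports:
  * NAT rules carrying the `dns` keyword when no `inspect dns` is present
    (DNS rewrite depends on DNS application inspection);
  * `timeout xlate` longer than the 3:00:00 default, or left unset;
  * ssh/http management entries that allow any source (0.0.0.0 0.0.0.0),
    SSH not pinned to version 2, and access methods without aaa authentication;
  * same-security-traffic permits, reported for review rather than as errors.
"""
import re

# Constructed sample. The recognisable lines are the ones from the post; the
# `ssh 0.0.0.0 0.0.0.0 outside` line is added as the deliberately weak setting.
SAMPLE_CONFIG = """\
hostname asa1
domain-name ciscoinferno.net
timeout xlate 1:00:00
same-security-traffic permit intra-interface
nat (dmz-dns,outside) source static DMZ-DNS-01 OUT-DNS-01 dns
ssh 192.168.2.0 255.255.255.0 MANAGEMENT
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 MANAGEMENT
aaa authentication http console LOCAL
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

DEFAULT_XLATE_SECONDS = 3 * 3600
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MGMT_ACCESS = re.compile(rf"^(ssh|http) ({IPV4}) ({IPV4}) (\S+)$")
XLATE = re.compile(r"^timeout xlate (\d+):(\d\d):(\d\d)$")


def hms_to_seconds(hours, minutes, seconds):
    """Convert the ASA h:mm:ss timer fields to seconds."""
    return int(hours) * 3600 + int(minutes) * 60 + int(seconds)


def audit_asa_config(text):
    """Return (severity, message) findings, grouped by the checks above."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []

    # DNS rewrite: the `dns` keyword is inert unless DNS inspection is applied.
    dns_nat = [l for l in lines if l.startswith("nat ") and l.split()[-1] == "dns"]
    if dns_nat and not any(l.startswith("inspect dns") for l in lines):
        findings.append(("high", f"{len(dns_nat)} NAT rule(s) use `dns` but no `inspect dns` is configured"))

    # Translation slot timeout.
    xlate = None
    for l in lines:
        m = XLATE.match(l)
        if m:
            xlate = hms_to_seconds(*m.groups())
    if xlate is None:
        findings.append(("info", "timeout xlate not set; 3:00:00 default applies"))
    elif xlate > DEFAULT_XLATE_SECONDS:
        findings.append(("low", "timeout xlate is longer than the 3:00:00 default"))

    # Same-security permits are legitimate (hairpin VPN) but worth a second look.
    for l in lines:
        if l.startswith("same-security-traffic permit"):
            findings.append(("info", f"`{l}` is enabled; confirm ACLs cover those flows"))

    # Management plane: source restriction, protocol version, authentication.
    for l in lines:
        m = MGMT_ACCESS.match(l)
        if m and m.group(3) == "0.0.0.0":
            findings.append(("high", f"{m.group(1)} management allowed from any source on {m.group(4)}"))
    enabled = {m.group(1) for l in lines for m in [MGMT_ACCESS.match(l)] if m}
    if "ssh" in enabled and "ssh version 2" not in lines:
        findings.append(("medium", "SSH enabled without `ssh version 2`"))
    for proto in sorted(enabled):
        if not any(l.startswith(f"aaa authentication {proto} console") for l in lines):
            findings.append(("high", f"{proto} access has no `aaa authentication {proto} console` line"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Feed it the output of show running-config; removing the inspect dns line from the sample turns the NAT rule into a high finding, and swapping the open ssh line for ssh version 2 leaves only the informational same-security note.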

Let's save this as a basic config.

copy run start
copy start disk

ASDM Access time

Now we open up Internet Explorer (Chrome went funky chicken on me) and browse to https://192.168.2.1 to see what happens. Expect a certificate warning on the way in: the ASA presents a self-signed certificate unless you install one.

Here we go!

Now – let us login via ASDM and use the web gui! Click Run ASDM.  After some loading check out what will appear next!

Jobs done!

And with that we have working ASDM! Now go forth and spread the good work. Let me know how you have found this post and I will attempt to help those below who cannot get this working. Again I will not give out any software illegally. Happy Labbing!

GNS3 and Cisco ASA 8.4 (Part 1)

GNS3 has been a staple of my personal study. When I first achieved ROUTE on my way to CCNP I worked in a heavily switched environment and had worked on routers and routing technologies about 5 percent of the time. It wasn't enough to brush over the material and blitz the exam; I required a deep dive into the materials offered. I ended up using GNS3 and could create multi-area OSPF topologies, giant EIGRP networks, and BGP with cheeky redistribution. This was only the beginning.

Imagine this inside your laptop and access anywhere?

My current place of employment is about to have ASAs come out of the nether regions. 5585-CX is the flavour of the day. As part of all this I am being sent to a Cisco partner course covering FIREWALL topics, which I guess aligns with the CCNP Security FIREWALL curriculum. My ASA exposure is quite limited and I have to admit that I am generally a fish out of water when it comes to hardcore security.

I have read about people getting PIX firewalls working with GNS3, but PIX is old! ASA took over before I even got into networking. The new CCNA Security now adds the ASA to the course (less rubbish, more content!) and CCNP Security requires ASA/IPS and ASDM. I couldn't afford to buy ASA devices or the required licensing. Luckily I gained legal access to licences, the ASA software and ASDM.

I am an advocate of licensing and doing the right thing. DO NOT ask me for links to files or for a one-off link. A CCO login will more than let you know if you are eligible to be using the software detailed in this article. I could be breaking the rules as it is.

GNS3

Let me first start this off by disclaiming that this post is not a “Welcome to GNS3″. I am expecting a level of knowledge already present and will NOT be covering basics in this post.

The version of GNS3 that this laptop is using is 0.82-BETA2. I've not updated for a while but this is the version that works for me. Included in the all-in-one installer is QEMU. QEMU is the hero here: it is the emulator that runs the ASA software.

ASA

* If you do not have any of the required files along the way I suggest that you use the googles a little. You may find the files required.

Now let's point GNS3 towards our ASA software. I am using ASA 8.4.2 code.

  1. Edit
  2. Preference
  3. QEMU
  4. ASA

QEMU settings work for me. They may not for you.

Note the picture above. The following settings are input into the fields.

ASA SETTINGS

  • Name: ASA8.4 (can be anything)
  • RAM: 1024MB
  • NICs: 6
  • NIC model: e1000
  • Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

ASA SPECIFIC SETTINGS

  • Initrd: Location of Initrd file
  • Kernel: Location of Kernel (ASA) software

Probably the most important field is below. This exact string works for ASA 8.4 code and nothing prior.

  • Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Wall of Fire

Now add that and close the window. The next step is to drag an ASA into the topology. This is the topology I am using to create my virtual lab.

My Security lab

Now just hit console and the ASA will start. It can take a while to load the first time. The requirements are high, so if your CPU spikes or RAM is maxed, expect a poor experience. My laptop rocks 16 GB RAM and a Sandy Bridge i7, so I do not have many issues.

Hardware requirements are of particular concern if you are also running virtual machines such as Security Onion. If they are a concern, then just worry about connecting your client up!

Licence to kill

As we all know ASA licensing is intense. Stupidity comes to mind. Want VLANs? We got a licence for that. Want fail over? Got a licence for that? 10GBE on 10GBE hardware? Yes, my word you need licence for that.

Well, the same goes for the ASA we have running. It is now a fully functioning ASA and the same rules apply. That being said, I do use a legit ASA licence; I have sourced one for you that is floating around the internet. From what I have read, the people who made all this work got this key working. Until I receive a take-down notice: here, kiddies!

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Here I apply the key. Note that the first time takes FOREVER and a day! Don't worry, just let it do its thing.

ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#
***************************** NOTICE *****************************
Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall
Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n
In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".
Please remember to save your configuration.
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0$
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.

The important thing to note here: do not reload the ASA. If you reload, you will need to enter the key again the next time it boots, and that takes 5 minutes, so it can slow you down.

What I have found is that stopping/starting via right-click in the GNS3 GUI helps here; it remembers its information.

copy running-config startup-config
copy startup-config disk0

This is what keeps the configuration consistent through a restart.

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual

Well, that is nice: VPNs, failover, 3DES-AES and contexts. Spoilt, aren't you! That's it for provisioning an ASA in QEMU. If there are any files you are missing, a light google will help you find them, allegedly. It took me about 90 minutes of research and not much longer putting it together.

Next up we bind GNS3 to our host machine, kick the console for SSH access from the host then TFTP ASDM onto our device! Phwoar. CCNA CCNP CCIE SECURITY LABS FOR EVERYBODY!

Update –  Shout out to Routergods.net for the love. Check his ASA video out that aligns to this! http://www.youtube.com/watch?v=jAwPuw7G6u8&feature=g-all-u
