GNS3 has been a staple of my personal study. When I first achieved ROUTE on my way to CCNP I worked in a heavily switched environment. I had worked on routers and routing technologies about 5 percent of the time. It wasn’t enough to brush over the material and blitz the exam. I required a deep dive into the materials offered. I ended up using GNS3 and could create multi-area OSPF topologies, Giant EIGRP networks, and BGP with cheeky redistribution. This was only the beginning.

My current place of employment is about to have ASAs come out of the nether regions. 5585-CX is the flavour of the day. As a part of all this I am being sent to a Cisco partner course covering FIREWALL topics. I guess this aligns with the CCNP Security FIREWALL curriculum. My ASA exposure is quite limited and I have to admit that I am generally a fish out of water when it comes to hardcore security.
I have read around about people getting PIX firewalls working with GNS3 but PIX is old! ASA took over before I even got into networking. The new CCNA Security is now adding ASA to the course (less rubbish, more content!) and CCNP Security requires ASA/IPS and ASDM. I couldn’t afford to buy ASA devices and/or the required licensing. Luckily I gained access legally to licences and ASA IOS and ASDM.
I am an advocate of licensing and doing the right thing. DO NOT ask me for links to files or for a one off link. CCO login will more than let you know if you are eligible to be using the software detailed in this article. I could be breaking the rules as it is.
GNS3
Let me first start this off by disclaiming that this post is not a “Welcome to GNS3”. I am expecting a level of knowledge already present and will NOT be covering basics in this post.
The version of GNS3 that this laptop is using is 0.82-BETA2. I’ve not updated for a while but this is the version that works for me. Included in the All in One installer is QEMU. QEMU is the hero and emulator of the ASA software.
ASA
* If you do not have any of the required files along the way I suggest that you use the googles a little. You may find the files required.
Now – let’s point GNS3 towards our ASA software. I am using 8.4.2 ASA code.
- Edit
- Preferences
- QEMU
- ASA
Note the picture above. The following settings are input into the fields.
ASA SETTINGS
- Name: ASA8.4 (can be anything)
- RAM: 1024MB
- NICs: 6
- NIC model: e1000
- Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
ASA SPECIFIC SETTINGS
- Initrd: Location of Initrd file
- Kernel: Location of Kernel (ASA) software
Probably the most important field is below. This exact string works for ASA code 8.4 and nothing prior.
- Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Wall of Fire
Now add that and close the window. Next step is to drag across an ASA into the topology. This is my topology I am using to create my virtual lab.

Now just hit console and you will get the ASA to start. It will load up and it can take a while the first time. Because the requirements are high, expect a poor experience if your CPU spikes or RAM is maxed. My laptop rocks 16gb ram and a sandy bridge i7 so I do not have many issues.
Hardware requirements are of particular concern if you are also using Virtual Machines such as Security Onion. If they are a concern then just worry about connecting your client up!
Licence to kill
As we all know ASA licensing is intense. Stupidity comes to mind. Want VLANs? We got a licence for that. Want fail over? Got a licence for that? 10GBE on 10GBE hardware? Yes, my word you need a licence for that.
Well the same goes for our ASA we have running. It is now a fully functioning ASA – same rules apply. Though that being said I do use a legit ASA licence – I have sourced one for you floating around the internet. From what I have read the people who made all this work got this key working. Until I receive a take down notice – Here kiddies!
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Here I apply the key – note that the first time takes FOREVER and a day! Don’t worry just let it do its thing.
ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0$
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Now the important thing to note here concerns restarting the ASA: DO NOT RELOAD. You must not reload, otherwise you will need to put in another key the next time you boot up. It takes 5 minutes so it can slow you down.
What I have found is that stopping/starting via right click in the GNS3 gui will help you here. It remembers its information.
copy running-config startup-config
copy startup-config disk0
This is what keeps configurations consistent through a restart.
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual
Well. That is nice. VPNs, Failover, 3DES-AES, and contexts. Spoilt aren’t you! That’s it for provisioning an ASA in qemu. If there are any files you are missing a light google will help you find what you are missing – allegedly. It took me about 90 minutes of research and not much longer putting it together.
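One way to confirm the licence state survived a stop/start, as an added example that is not part of the original post: the script parses the "Licensed features" block of `show version` output and lists any feature the lab depends on that is missing or disabled. The function names, the `lab_needs` values and the sample text (constructed, with Failover and Security Contexts altered to mimic a device that lost its key) are assumptions.

```python
import re

# Constructed sample in the format of the "Licensed features" block of
# `show version`; Failover and Security Contexts are altered to mimic a
# device that came back up without the key applied.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Failover                          : Disabled       perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
"""

# "<feature name>  :  <value>  <term>", e.g. "Maximum VLANs : 100 perpetual"
LINE = re.compile(r"^(?P<name>.+?)\s+:\s+(?P<value>\S+)\s*(?P<term>.*)$")

def parse_features(text):
    """Return {feature: (value, term)} for the licensed-features block."""
    features, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("licensed features"):
            in_block = True
            continue
        m = LINE.match(line) if in_block else None
        if m:
            features[m["name"]] = (m["value"], m["term"])
        elif features:
            break  # first non-matching line after the block ends it
    return features

def check_features(features, required):
    """Return required features that are missing, disabled or too low.

    `required` maps a feature name to an exact string ("Enabled") or to a
    minimum integer; "Unlimited" satisfies any integer minimum.
    """
    problems = []
    for name, want in required.items():
        value = features.get(name, (None, ""))[0]
        if value is None:
            problems.append(f"{name}: not reported")
        elif isinstance(want, int):
            if value != "Unlimited" and not (value.isdigit() and int(value) >= want):
                problems.append(f"{name}: {value} (want >= {want})")
        elif value != want:
            problems.append(f"{name}: {value} (want {want})")
    return problems

if __name__ == "__main__":
    lab_needs = {"Failover": "Active/Active", "Security Contexts": 2,
                 "Maximum VLANs": 10, "VPN-3DES-AES": "Enabled"}
    for p in check_features(parse_features(SAMPLE), lab_needs):
        print("LICENCE CHECK FAILED:", p)
```

Paste the console capture of `show version` in place of `SAMPLE` after each stop/start to see at once whether the key needs re-applying.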
Next up we bind GNS3 to our host machine, kick the console for SSH access from the host then TFTP ASDM onto our device! Phwoar. CCNA CCNP CCIE SECURITY LABS FOR EVERYBODY!
Update – Shout out to Routergods.net for the love. Check his ASA video out that aligns to this! http://www.youtube.com/watch?v=jAwPuw7G6u8&feature=g-all-u
Hi, thanks for the great post. Clarify please…
Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
or
Kernel CMD: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Thank you 🙂
in the “Kernel CMD Line” type:
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Hi, I have followed the steps. However after I put in the key, and restart the ASA>>Stop and then start…It still says that license is limited. I meant failover is disabled. Please assist me
Hey Karan,
In global configuration mode I used the command as posted in the blog to apply the key.
I then issued a wr mem and copy start flash0: as a redundancy. I then proceeded to stop/start via the GNS3 console. That worked for me. Give it a go Karan.
Let me know how you get on.
Here is a problem that I have. I can connect an ASA in GNS3 to the Windows Loopback and, using static routes, ping to the ASA and from the ASA. BUT… If I want to connect that ASA to the Ethernet, and then to a switch…mirrored to another PC with the same configuration, I get nowhere. PS: disabling the PC firewall is a must in order to allow the PC to route ICMP packets, I found. Help!
use this command to write your config !!!
disk0:/.private/startup-config
thanks for the post
when I start the ASA it say qemu has stopped working
unable to save config in ASA, i entered the key, it got activated but after i close and re-open ASA…again I have to enter the key..m using windows 7 ultimate
Did you save your configuration to disk 0 and to the startup configuration? Only then will it work. You cannot restart the device either or issue reboot/shutdown.
hstock
I’m running gns3 in a win 7 64 bit and I keep getting lina_bigphysarea_size: open /proc/bigphysarea failed, error 2
I’m doing every step right I can’t get ASA to load
It doesn’t work in windows 7, because I’m having the same problem and I decided to test in windows XP pro and boom! working perfect!
I had the same problem, and I uninstalled then reinstalled to C:\GNS3 rather than Program Files. It worked after that.
I am not able to load this asa in my windows machine at all..I start the device a popup windows appears, then that’s it. I open console and it just hangs never presenting a prompt. Windows 7 64bit is my pc. Any suggestions?
Check your string settings as posted in the blog. I had that issue.
I had a problem with the “…..Error 2” for days, I kept changing stuff and it did not work, I found a simple solution that worked for me I hope it works for you all too. It was a fairly simple solution.
1. Disable AV (Anti Virus)
2. Re-install the GNS3
3. Place all ASA stuff in ‘C:\GNS3’
4. Make all the setting changes you will
5. DO NOT RUN THE ASA at this stage
6. Close the program and reopen it (It seems the settings would not take effect if you do not reopen the GNS3)
7. Then it works
The problem I was facing was, I was changing the setting but, did not close and open GNS3
Hope it was a help.
I tried to ping from my asa to the Loopback, and it is not getting ping .. the output was ????? like this .. so that i have to do
Hi friend, how do I restart the ASA? Please help me
Thanks for all!
Regards
Rapici
Hi Ramon,
You need to save your configuration. After doing this, in GNS3, right click on the ASA, and select Stop. Then Start the ASA once more.
You cannot perform a restart otherwise it will wipe the licence file.
Regards,
Anthony
Hi Anthony Burke, all right and very good job!! It works!!
Regards from Spain
Ramon
Hi Anthony did u find the activation key for the failover license???
Great Blog. Recently moved to Mac from Ubuntu (Fedora before that) and have moved almost 95% of my “stuff” over. I was wondering if you know of IPS 7.1 running on GNS3? Thanks
guys i’m getting this error,i can get some help on this matter
“lina_bigphysarea_size: open /proc/bigphysarea failed, error 2”
thanks
Wow!!!!!!!!! Very nice inspirational post..
Hi, I have already set up the ASA and used your method to install the license. I am trying to use SSL Clientless VPN on this ASA but it’s not working even after all the configurations. When I enter the SSL Portal address on the client machine, the browser gives a message that the webpage is not found, whereas I am able to ping from the client machine to the ASA OUTSIDE Interface IP. Can anyone help me with that?
Have you seen it where the ASA won’t bring up any interfaces?
Starting Likewise Service Manager
Processor memory 654311424, Reserved memory: 62914560
IMAGE ERROR: An error occurred when reading the controller type
Ignoring PCI device in slot:0 (ven:0x8086 dev:0x1237 rev:0x02)
Ignoring PCI device in slot:0 (ven:0x8086 dev:0x7000 rev:0x00)
Ignoring PCI device in slot:0 (ven:0x8086 dev:0x7010 rev:0x00)
Ignoring PCI device in slot:0 (ven:0x8086 dev:0x7113 rev:0x03)
Driver not found for vid = 0x8086 did = 0x100e
Driver not found for vid = 0x8086 did = 0x100e
Driver not found for vid = 0x8086 did = 0x100e
Driver not found for vid = 0x8086 did = 0x100e
Driver not found for vid = 0x8086 did = 0x100e
Driver not found for vid = 0x8086 did = 0x100e
Ignoring PCI device in slot:6 (ven:0x1af4 dev:0x1002 rev:0x00)
My ASA is stopping here, not booting up. Using GNS3 1.1
Unpacking initramfs…Clocksource tsc unstable (delta = 322185892 ns)
Potentially a change to the architecture of GNS3 in v1.1 that could cause this issue.
In GNS3 1.3.7 My ASA is not booting and stops here
Unpacking initramfs…(0) Kernel panic – not sysncing : bad gzip magic numbers
Dear All,
I am unable to copy the ASDM file from a tftp server to GNS3 1.3.9 even though I tried all the following possibilities:
1. Configured loopback address.
2. Configured virtual machine and integrated with GNS3 but unable to copy file to GNS3
3. Copied all inspection rules from the internet and copied them into the ASA and enabled and allowed host using access list but not able to copy the ASDM file.
Please can anyone help me get this sorted out because I am extremely excited to work on ASA along with various labs for my certifications.
Hi I have all working setup of ASA with ASDM working in GNS3.
Anyone need help can ping me [email protected]
configuration of ASA on gns3 1.3.11 is a little different and tricky… in new version of gns3 there is not direct tab/link in preferences for configuration of ASA, you can find it under the Qemu tab.