GNS3 has been a stable to my personal study. When I first achieved ROUTE on my way to CCNP I worked in a heavily switched environment. I had worked on routers and routing technologies about 5 percent of the time. It wasn’t enough to brush over the material and blitz the exam. I required a deep dive into the materials offered. I ended up using GNS3 and could create multi-area OSPF topologies, Giant EIGRP networks, and BGP with cheeky redistribution. This was only the beginning.
My current place of employment is about to have ASA’s come out of the nether regions. 5585-CX is the flavour of the day. As a part of all this I am being sent to a Cisco partner course covering FIREWALL topics. I guess this aligns with the CCNP Security FIREWALL curriculum. My ASA exposure is quite limited and I have to admit that I generally a fish out of water when it comes to hardcore security.
I have read around about people getting PIX firewalls working with GNS3 but PIX is old! ASA took over before I even got into networking. As the new CCNA Security is now adding ASA to the course (less rubbish, more content!) and CCNP Security requires ASA/IPS and ASDM. I couldn’t afford to buy ASA devices and or the required licensing. Luckily I gained access legally to licences and ASA IOS and ASDM.
I am an advocate of licensing and doing the right thing. DO NOT ask me for links to files or for a one off link. CCO login will more than let you know if you are eligible to be using the software detailed in this article. I could be breaking the rules as it is.
Let me first start this off by disclaiming that this post is not a “Welcome to GNS3”. I am expecting a level of knowledge already present and will NOT be covering basics in this post.
The version of GNS3 that this laptop is using 0.82-BETA2. I’ve not updated for a while but this is the version that works for me. Included in the All in One installer is QEMU. QEMU is the hero and emulator of the ASA software.
* If you do not have any of the required files along the way I suggest that you use the googles a little. You may find the files required.
Now – lets point GNS3 towards our ASA software. I am using 8.4.2 ASA code.
Note the picture above. The following settings are input into the fields.
- Name: ASA8.4 (can be anything)
- RAM: 1024MB
- NICs: 6
- NIC model: e1000
- Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
ASA SPECIFIC SETTINGS
- Initrd: Location of Initrd file
- Kernel: Location of Kernel (ASA) software
Probably the most important field is below. This exact string works for ASA code 8.4 and nothing prior.
- Kernel CMD: Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Wall of Fire
Now add that and close the window. Next step is to drag across an ASA into the topology. This is my topology I am using to create my virtual lab.
Now just hit console and you will get the ASA to start. It will load up and it can take a while the first time. Due to the requirements being high if your CPU spikes or RAM is maxed expect it to be a poor experience. My laptop rocks 16gb ram and a sandy bridge i7 so I do not have many issues.
Hardware requirements are of particular concern if you are using Virtual Machines such as Security Onion also. IF they are a concern then just worry about connecting your client up!
Licence to kill
As we all know ASA licensing is intense. Stupidity comes to mind. Want VLANs? We got a licence for that. Want fail over? Got a licence for that? 10GBE on 10GBE hardware? Yes, my word you need licence for that.
Well the same goes for our ASA we have running. It is now a fully functioning ASA – same rules apply. Though that being said I do use a legit ASA licence – I have sourced one for you floating around the internet. From what I have read the people who made all this work got this key working . Until I receive a take down notice – Here kiddies!
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Here I apply the key – note that the first time takes FOREVER and a day! Don’t worry just let it do it’s thing.
ciscoasa> ciscoasa> en Password: ciscoasa# conf t ciscoasa(config)# ***************************** NOTICE ***************************** Help to improve the ASA platform by enabling anonymous reporting, which allows Cisco to securely receive minimal error and health information from the device. To learn more about this feature, please visit: http://www.cisco.com/go/smartcall Would you like to enable anonymous error reporting to help improve the product? [Y]es, [N]o, [A]sk later: n In the future, if you would like to enable this feature, issue the command "call-home reporting anonymous". Please remember to save your configuration. ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0$ Validating activation key. This may take a few minutes... Failed to retrieve permanent activation key.
Now the important thing to note here is the following. Restarting the ASA. DO NOT RELOAD. You must not reload otherwise you will need to put in another key the next time you boot up. It takes 5 minutes so it can slow you down.
What I have found is that stopping/starting via right click in the GNS3 gui will help you here. It remembers its information.
copy running-config startup-config copy startup-config disk0
This is what allows configurations consistent through a restart.
Licensed features for this platform: Maximum Physical Interfaces : Unlimited perpetual Maximum VLANs : 100 perpetual Inside Hosts : Unlimited perpetual Failover : Active/Active perpetual VPN-DES : Enabled perpetual VPN-3DES-AES : Enabled perpetual Security Contexts : 5 perpetual GTP/GPRS : Disabled perpetual AnyConnect Premium Peers : 25 perpetual AnyConnect Essentials : Disabled perpetual Other VPN Peers : 5000 perpetual Total VPN Peers : 0 perpetual Shared License : Enabled perpetual AnyConnect for Mobile : Disabled perpetual AnyConnect for Cisco VPN Phone : Disabled perpetual Advanced Endpoint Assessment : Enabled perpetual UC Phone Proxy Sessions : 10 perpetual Total UC Proxy Sessions : 10 perpetual Botnet Traffic Filter : Enabled perpetual Intercompany Media Engine : Enabled perpetual
Well. That is nice. VPNs, Failover, 3DES-AES, and contexts. Spoilt aren’t you! That’s it for provisioning an ASA in qemu. IF there is any files you are missing a light google will help you find what you are missing – allegedly. It took me about 90 minutes of research and not much longer putting it together.
Next up we bind GNS3 to our host machine, kick the console for SSH access from the host then TFTP ASDM onto our device! Phwoar. CCNA CCNP CCIE SECURITY LABS FOR EVERYBODY!
Update – Shout out to Routergods.net for the love. Check his ASA video out that aligns to this! http://www.youtube.com/watch?v=jAwPuw7G6u8&feature=g-all-u