Wednesday, July 24, 2013

Pre-8.3 and Post-8.3 ASA IOS in GNS3

These are the instructions for running IOS 8.0 and 8.4 concurrently in GNS3, which is essential for learning pre-8.3 and post-8.3 NAT CLI configuration and operation on an ASA.

I'll specifically show how to run a downgraded version (8.0) in GNS3, since it involves installing and tweaking third-party software. The setup for running 8.4 is pretty straightforward as long as we have the right files for the Qemu options (refer to screenshot).

In GNS3, go to Edit > Preferences > Qemu > ASA tab and select the correct Initrd (unzipped) and Kernel files to emulate the version you want. Click Save then OK.






Drag the ASA icon into the GNS3 topology workspace and you'll be prompted to choose which image to run. For this scenario, we choose asa802, which was set up previously.



Once the ASA boots up, it will run a small script. Just leave it open and running.




To complete the ASA's boot up process, type the commands below.




Configure the ASA with an IP address (LAN gateway), username/password and enable HTTPS/ASDM. We then use a TFTP server/PC to load the ASDM image.


ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  administratively down up
Ethernet0/1                unassigned      YES unset  administratively down up
Ethernet0/2                unassigned      YES unset  administratively down up
Ethernet0/3                unassigned      YES unset  administratively down up
Ethernet0/4                unassigned      YES unset  administratively down up
Ethernet0/5                unassigned      YES unset  administratively down up
ciscoasa(config)# interface ethernet0/0
ciscoasa(config-if)# ip add 192.168.1.1 255.255.255.0    //IP GATEWAY FOR CLOUD/PC
ciscoasa(config-if)# exit


ciscoasa(config)# username ciscoasa password cisco privilege 15    // MANDATORY CLI
ciscoasa(config)# http server enable    // ENABLE ASDM
ciscoasa(config)# http 192.168.1.0 255.255.255.0 inside
ciscoasa(config)# dir

Directory of disk0:/

6      drwx  4096        08:55:44 Jul 22 2013  .private

268136448 bytes total (242642944 bytes free)
ciscoasa(config)# end
ciscoasa# copy tftp://192.168.1.10/asdm-631.bin flash

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
14240396 bytes copied in 41.210 secs (347326 bytes/sec)
ciscoasa# dir

Directory of disk0:/

6      drwx  4096        08:55:44 Jul 22 2013  .private
9      -rwx  14240396    08:59:26 Jul 22 2013  asdm-631.bin

268136448 bytes total (228401152 bytes free)




Even though the ASA is properly set up and loaded with the right ASDM image, the GUI still won't work and shows an error message. We use an application called Fiddler to intercept the HTTPS traffic and act as a proxy for ASDM access.

In Fiddler, go to Tools > Fiddler Options > HTTPS > Tick "Decrypt HTTPS traffic." Select Yes to Trust the Fiddler Root Certificate > Click OK.





  


Next, go to Rules > Customize Rules > Notepad is launched > Erase all existing rules (Select All, then press Delete or Backspace) > Copy and paste this custom rule > Save and close Notepad.


The final portion would be to configure Java properties: under Control Panel > Java > Network Settings > Use proxy server > Address: localhost / Port: 8888. Also go to Advanced > Tick “Use same proxy server for all protocols” > Click OK.


Re-launch ASDM using the web browser (use IE). Click "Continue to this website (not recommended)" and click OK to accept the ASA self-signed certificate. Input your login info and ASDM should now be accessible.




I've configured the same setup on my ASA 5505 after TFTPing the 8.0 IOS code and configuring the boot variable commands.


ciscoasa(config)# show bootvar

BOOT variable = disk0:/asa831-k8.bin
Current BOOT variable = disk0:/asa831-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
ciscoasa(config)# no boot system flash:asa831-k8.bin
INFO: Converting flash:asa831-k8.bin to disk0:/asa831-k8.bin
ciscoasa(config)# boot system flash:asa802-k8.bin
INFO: Converting flash:asa802-k8.bin to disk0:/asa802-k8.bin
ciscoasa(config)# show bootvar

BOOT variable = disk0:/asa831-k8.bin
Current BOOT variable = disk0:/asa802-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =

ciscoasa(config)# asdm image flash:asdm-631.bin
ciscoasa(config)# show asdm image
Device Manager image file, disk0:/asdm-631.bin
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 386ab3ad 07a31f65 2fd32120 125dd48a

2910 bytes copied in 1.280 secs (2910 bytes/sec)
[OK]
ciscoasa(config)# reload noconfirm
ciscoasa(config)#


***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system



***
*** --- SHUTDOWN NOW ---
Process shutdown finished

<OUTPUT TRUNCATED>


ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.3(1)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 17 secs

<OUTPUT TRUNCATED>

ciscoasa# configure terminal
ciscoasa(config)# nat-?

configure mode commands/options:
  nat-control
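
As an added example (not part of the original post), the Python below parses `show bootvar` and `show version` text to confirm that a downgrade like the one above was saved before the reload and that the booted release uses the pre-8.3 NAT syntax. The sample strings are constructed from the output shown above; the function names and the `;` separator for multiple boot entries are assumptions.

```python
import re

# Constructed samples modelled on the 'show bootvar' / 'show version' output above.
BOOTVAR_UNSAVED = """\
BOOT variable = disk0:/asa831-k8.bin
Current BOOT variable = disk0:/asa802-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable =
"""
VERSION_AFTER_RELOAD = """\
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.3(1)
System image file is "disk0:/asa802-k8.bin"
"""

def parse_bootvar(text):
    """Split 'show bootvar' into the saved (startup) and current (running) image lists."""
    out = {"saved": [], "current": []}
    for line in text.splitlines():
        m = re.match(r"\s*(Current )?BOOT variable\s*=\s*(.*)$", line)
        if m:
            # Assumption: multiple 'boot system' entries are joined with ';'.
            images = [p.strip() for p in m.group(2).split(";") if p.strip()]
            out["current" if m.group(1) else "saved"] = images
    return out

def parse_version(text):
    """Extract (major, minor) and the booted image path from 'show version'."""
    ver = re.search(r"Software Version (\d+)\.(\d+)", text)
    img = re.search(r'System image file is "([^"]+)"', text)
    return ((int(ver.group(1)), int(ver.group(2))) if ver else None,
            img.group(1) if img else None)

def nat_syntax(version):
    """The ASA NAT CLI changed at 8.3: older releases use the pre-8.3 syntax."""
    return "pre-8.3" if version < (8, 3) else "post-8.3"

def check_downgrade(bootvar_text, version_text, wanted):
    """Return a list of problems; an empty list means the downgrade took effect."""
    problems = []
    boot = parse_bootvar(bootvar_text)
    if boot["current"][:1] != [wanted]:
        problems.append("running-config does not boot %s first" % wanted)
    if boot["saved"] != boot["current"]:
        problems.append("boot change not saved: run 'write memory' before reload")
    image = parse_version(version_text)[1]
    if image != wanted:
        problems.append("booted image is %s, not %s" % (image, wanted))
    return problems
```

Calling `check_downgrade(BOOTVAR_UNSAVED, VERSION_AFTER_RELOAD, "disk0:/asa802-k8.bin")` reports the unsaved boot change, which is the state shown by the second `show bootvar` above before `write memory` is issued.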



