Friday, March 16, 2018

Running Cisco ASA 8.4 Qemu VM in GNS3 1.3

I needed to do some quick ASA labs but got an old version of GNS3 (1.3.13) running on my lab server. I've posted ASA 8.4 in an older GNS3 version a couple of years ago which needs a third party application to run it. I usually setup an ASA 5505 or 5510 for my lab but it's time consuming and wastes power if running over a long period of time. There's also a good Cisco ASA Firewall Best Practice guide available in Cisco's website.


To run ASA 8.4 Qemu in GNS3 go under Edit > Preferences > QEMU VMs > New.
 

There's already ASA 8.4(2) from the drop-down option under QEMU VM Type. Click Next.



Type a Name which makes sense to you > click Next.



Leave the default values under Qemu binary and RAM (1024 MB) > click Next.
 


Browse for the ASA 8.4 ISO files > choose Yes to copy the file to GNS3 default image directory > click Finish > OK.
 



Drag the ASA icon > right-click > Start.
 

Click Allow access on Windows firewall. Allow the Qemu .exe on other personal firewall installed.


Do a right-click again > click Console to launch the terminal emulation software (I'm using SecureCRT in this case).


I tried experimenting different versions of ASDM and Java but ASDM 6.4(5) and Java version 6 update 45 (32-bit) worked on my Windows 7 64-bit machine. You'll need to configure these ASA CLL commands to enable ASDM access:

asdm image disk0:/asdm-649.bin
username admin password cisco privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside



I've observed the ASA console hangs or freezes after enabling basic network services (AAA, NTP, etc.) and let it run for few minutes. You can sometimes get away with just reloading the ASA but other times the console connection gets refused. I tried increasing the ASA RAM from 1024 to 2048 MB but no luck. To resolve this problem, edit ASA Qemu settings under Edit > Preferences > Qemu > Qemu VMs > click ASA Qemu > Edit > Advanced settings:

Kernel command line:
no-hlt -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32


If the ASA 8.4 still hangs and console getting a Connection Refused error, you'll need to re-install the ASA Qemu VM and do all over the steps again. You need to delete the ASA Kernel files in GNS3 Qemu folder, add ASA Qemu VM and edit again its settings.

The ASA 8.4 in GNS3 also has a license which unlocks advanced firewall features such as Active/Active Failover, Security Context and Botnet.

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 25 days 14 hours

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab21.c100, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab21.c101, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab21.c102, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab21.c103, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by admin at 04:19:17.632 UTC Fri Dec 8 2017
ciscoasa#
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# activation-key ?

exec mode commands/options:
  <0x0-0xffffffff>  Enter four-or-five-tuple activation-key
  noconfirm         Do not prompt for confirmation
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.

<IT TOOK ABOUT 15 MINS TO ACTIVATE LICENSE KEYS>


Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
   running permanent activation key: Restricted(R)
   new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm]        // HIT ENTER
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.


ciscoasa(config)#  end
ciscoasa# write memory    // SAVE CONFIG
Building configuration...
Cryptochecksum: 13a199a9 64e8f92c 92cb376d 9d879f75

6958 bytes copied in 1.830 secs (6958 bytes/sec)
[OK]
ciscoasa# reload     // REBOOT ASA
Proceed with reload? [confirm]
ciscoasa#

***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...


<OUTPUT TRUNCATED>


Verify the activation-key, it might take a while...
Validating activation key. This may take a few minutes...    // IT TOOK ABOUT 10 MINS
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Cisco Adaptive Security Appliance Software Version 8.4(2)
_le_open: fd:4, name:eth0
---Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
---Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
---Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
---Device eth3 (fd: 10) opened succesful!

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************

Copyright (c) 1996-2011 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

Reading from flash...
!!.Device Manager image set, but unable to find disk0:/asdm-645.bin
*** Output from config line 117, "asdm image disk0:/asdm-6..."
..Crashinfo is NOT enabled on Full Distribution Environment
*** Output from config line 208, "crashinfo save disable"

Cryptochecksum (unchanged): 13a199a9 64e8f92c 92cb376d 9d879f75
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Type help or '?' for a list of available commands.

ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 26 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 0000.ab21.c100, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab21.c101, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab21.c102, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab21.c103, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration has not been modified since last system restart.


These advanced features or options will now be available in ASDM after applying the license key.



No comments:

Post a Comment