I needed to do some quick ASA labs but got an old version of
GNS3 (1.3.13) running on my lab server. I've posted ASA 8.4 in an older GNS3 version a couple of years ago which needs a third party application to run it. I usually setup an ASA 5505 or 5510 for my lab but it's time consuming and wastes power if running over a long period of time. There's also a good Cisco ASA Firewall Best Practice guide available in Cisco's website.
To run ASA 8.4 Qemu in GNS3 go under Edit > Preferences > QEMU VMs > New.
There's already ASA 8.4(2) from the drop-down option under QEMU VM Type. Click Next.
Click Allow access on Windows firewall. Allow the Qemu .exe on other personal firewall installed.
Do a right-click again > click Console to launch the terminal emulation software (I'm using SecureCRT in this case).
I tried experimenting different versions of ASDM and Java but ASDM 6.4(5) and Java version 6 update 45 (32-bit) worked on my Windows 7 64-bit machine. You'll need to configure these ASA CLL commands to enable ASDM access:
asdm image disk0:/asdm-649.bin
username admin password cisco privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
I've observed the ASA console hangs or freezes after enabling basic network services (AAA, NTP, etc.) and let it run for few minutes. You can sometimes get away with just reloading the ASA but other times the console connection gets refused. I tried increasing the ASA RAM from 1024 to 2048 MB but no luck. To resolve this problem, edit ASA Qemu settings under Edit > Preferences > Qemu > Qemu VMs > click ASA Qemu > Edit > Advanced settings:
Kernel command line:
no-hlt -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
If the ASA 8.4 still hangs and console getting a Connection Refused error, you'll need to re-install the ASA Qemu VM and do all over the steps again. You need to delete the ASA Kernel files in GNS3 Qemu folder, add ASA Qemu VM and edit again its settings.
The ASA 8.4 in GNS3 also has a license which unlocks advanced firewall features such as Active/Active Failover, Security Context and Botnet.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 25 days 14 hours
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by admin at 04:19:17.632 UTC Fri Dec 8 2017
ciscoasa#
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# activation-key ?
exec mode commands/options:
<0x0-0xffffffff> Enter four-or-five-tuple activation-key
noconfirm Do not prompt for confirmation
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
<IT TOOK ABOUT 15 MINS TO ACTIVATE LICENSE KEYS>
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
running permanent activation key: Restricted(R)
new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm] // HIT ENTER
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.
ciscoasa(config)# end
ciscoasa# write memory // SAVE CONFIG
Building configuration...
Cryptochecksum: 13a199a9 64e8f92c 92cb376d 9d879f75
6958 bytes copied in 1.830 secs (6958 bytes/sec)
[OK]
ciscoasa# reload // REBOOT ASA
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
<OUTPUT TRUNCATED>
Verify the activation-key, it might take a while...
Validating activation key. This may take a few minutes... // IT TOOK ABOUT 10 MINS
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Cisco Adaptive Security Appliance Software Version 8.4(2)
_le_open: fd:4, name:eth0
---Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
---Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
---Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
---Device eth3 (fd: 10) opened succesful!
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Copyright (c) 1996-2011 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!.Device Manager image set, but unable to find disk0:/asdm-645.bin
*** Output from config line 117, "asdm image disk0:/asdm-6..."
..Crashinfo is NOT enabled on Full Distribution Environment
*** Output from config line 208, "crashinfo save disable"
Cryptochecksum (unchanged): 13a199a9 64e8f92c 92cb376d 9d879f75
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Type help or '?' for a list of available commands.
ciscoasa> show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 26 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration has not been modified since last system restart.
These advanced features or options will now be available in ASDM after applying the license key.
To run ASA 8.4 Qemu in GNS3 go under Edit > Preferences > QEMU VMs > New.
There's already ASA 8.4(2) from the drop-down option under QEMU VM Type. Click Next.
Type a Name which makes sense to you > click Next.
Leave the default
values under Qemu binary and RAM (1024 MB) > click Next.
Browse for the ASA 8.4
ISO files > choose Yes to copy the file to GNS3 default image directory >
click Finish > OK.
Drag the ASA icon >
right-click > Start.
Click Allow access on Windows firewall. Allow the Qemu .exe on other personal firewall installed.
Do a right-click again > click Console to launch the terminal emulation software (I'm using SecureCRT in this case).
I tried experimenting different versions of ASDM and Java but ASDM 6.4(5) and Java version 6 update 45 (32-bit) worked on my Windows 7 64-bit machine. You'll need to configure these ASA CLL commands to enable ASDM access:
asdm image disk0:/asdm-649.bin
username admin password cisco privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
I've observed the ASA console hangs or freezes after enabling basic network services (AAA, NTP, etc.) and let it run for few minutes. You can sometimes get away with just reloading the ASA but other times the console connection gets refused. I tried increasing the ASA RAM from 1024 to 2048 MB but no luck. To resolve this problem, edit ASA Qemu settings under Edit > Preferences > Qemu > Qemu VMs > click ASA Qemu > Edit > Advanced settings:
Kernel command line:
no-hlt -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
If the ASA 8.4 still hangs and console getting a Connection Refused error, you'll need to re-install the ASA Qemu VM and do all over the steps again. You need to delete the ASA Kernel files in GNS3 Qemu folder, add ASA Qemu VM and edit again its settings.
The ASA 8.4 in GNS3 also has a license which unlocks advanced firewall features such as Active/Active Failover, Security Context and Botnet.
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 25 days 14 hours
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by admin at 04:19:17.632 UTC Fri Dec 8 2017
ciscoasa#
ciscoasa#
ciscoasa# configure terminal
ciscoasa(config)# activation-key ?
exec mode commands/options:
<0x0-0xffffffff> Enter four-or-five-tuple activation-key
noconfirm Do not prompt for confirmation
ciscoasa(config)# activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
<IT TOOK ABOUT 15 MINS TO ACTIVATE LICENSE KEYS>
Validating activation key. This may take a few minutes...
Failed to retrieve permanent activation key.
Failover is different.
running permanent activation key: Restricted(R)
new permanent activation key: Unrestricted(UR)
WARNING: The running activation key was not updated with the requested key.
Proceed with update flash activation key? [confirm] // HIT ENTER
The flash permanent activation key was updated with the requested key,
and will become active after the next reload.
ciscoasa(config)# end
ciscoasa# write memory // SAVE CONFIG
Building configuration...
Cryptochecksum: 13a199a9 64e8f92c 92cb376d 9d879f75
6958 bytes copied in 1.830 secs (6958 bytes/sec)
[OK]
ciscoasa# reload // REBOOT ASA
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system
***
*** --- SHUTDOWN NOW ---
REBOOT: open message queue fail: No such file or directory/2
REBOOT: enforce reboot...
<OUTPUT TRUNCATED>
Verify the activation-key, it might take a while...
Validating activation key. This may take a few minutes... // IT TOOK ABOUT 10 MINS
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Cisco Adaptive Security Appliance Software Version 8.4(2)
_le_open: fd:4, name:eth0
---Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
---Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
---Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
---Device eth3 (fd: 10) opened succesful!
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to export@cisco.com.
******************************* Warning *******************************
Copyright (c) 1996-2011 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Reading from flash...
!!.Device Manager image set, but unable to find disk0:/asdm-645.bin
*** Output from config line 117, "asdm image disk0:/asdm-6..."
..Crashinfo is NOT enabled on Full Distribution Environment
*** Output from config line 208, "crashinfo save disable"
Cryptochecksum (unchanged): 13a199a9 64e8f92c 92cb376d 9d879f75
COREDUMP UPDATE: open message queue fail: No such file or directory/2
Type help or '?' for a list of available commands.
ciscoasa> show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa up 26 secs
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 0000.ab21.c100, irq 0
1: Ext: GigabitEthernet1 : address is 0000.ab21.c101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab21.c102, irq 0
3: Ext: GigabitEthernet3 : address is 0000.ab21.c103, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 25 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Enabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 10 perpetual
Total UC Proxy Sessions : 10 perpetual
Botnet Traffic Filter : Enabled perpetual
Intercompany Media Engine : Enabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Configuration register is 0x0
Configuration has not been modified since last system restart.
These advanced features or options will now be available in ASDM after applying the license key.
No comments:
Post a Comment