Monday, September 20, 2010

ASA emulation in GNS3

Normally You need to patch the ASA kernel in Linux to get it working properly, it's a real pain in the butt. If you don't use a patched kernel you cannot use the ASDM, and you will not be able to write to flash (which means no reloads). That said, I've done it previously and have got it working. I wrote up a guide for my co-workers, but you're welcome to try as well.

Here it is:
  1. Grab a copy of the patched files and store them locally, they’re here.
  2. Install GNS3 if you haven’t already. Open it and look under “Edit -> Preferences” then go in to the ‘Qemu’ tab.
  3. Set the ‘initrd’ and ‘kernel’ paths to the files you saved in step 1.
  4. Make sure these ASA settings under ‘Qemu options’ are set to the following:

     -hdachs 980,16,32 -vnc :1 auto console=ttyS0,9600 bigphysarea=16384 ide1=noprobe

     Also, make sure your NIC type is set to “pcnet”.
  5. On the ‘General Settings’ tab, make sure you know where your working directory is.
  6. Drag an ASA on to the topology (this creates the working directories).
  7. Browse to the ASA working directory (you checked the location of that in step 5).
  8. If your ASA is called ‘ASA1’ on the network topology, there will be an “ASA1” folder in the working directory.
  9. Create a FLASH hard drive image using qemu-img.exe:

     H:\>c:
     C:\>cd "Program Files"
     C:\Program Files>cd GNS3
     C:\Program Files\GNS3>qemu-img.exe create FLASH 256M
     Formatting 'FLASH', fmt=raw size=268435456
     C:\Program Files\GNS3>

  10. Browse to “C:\Program Files\GNS3” and find your FLASH file.
  11. Copy that file to your “ASA working directory”. If you have more than one ASA on the topology, you’ll need to put a separate ‘FLASH’ file in each directory.
  12. Go back to GNS3, start the ASA and open the console.
  13. It will stick at a “#” prompt. Just type exit in here.
  14. You should then see:

               Cisco ASA with  Multiple Security Contexts
               ==============================================

     This is your first boot, please wait about 2 minutes for 'disk0' creation
     and then execute the following commands inside the Linux prompt:

     # cd /mnt/disk0
     # /mnt/disk0/lina_monitor

     Please note to use the following command under ASA to save your configs:

     ciscoasa(config)# boot config disk0:/.private/startup-config
     ciscoasa(config)# copy running-config disk0:/.private/startup-config

     To get webvpn working, execute the following commands:

      ciscoasa# mkdir disk0:/var
      ciscoasa# mkdir disk0:/var/log
      ciscoasa# mkdir disk0:/csco_config
      ciscoasa# mkdir disk0:/csco_config/97
      ciscoasa# mkdir disk0:/csco_config/97/webcontent

     Please press Enter to activate this console.

  15. Press enter and you should be back at the “#” prompt.
  16. Enter the following commands:

     cd /mnt/disk0
     /mnt/disk0/lina_monitor

  17. The ASA should continue to boot, then drop you to the exec mode shell:

     ciscoasa>

  18. Move to privileged exec mode and show flash:

     ciscoasa# show flash
     --#--  --length--  -----date/time------  path
         6  4096        Jul 26 2010 19:30:14  .private
         7  0           Jul 26 2010 19:30:13  .private/mode.dat
         8  0           Jul 26 2010 19:30:14  .private/DATAFILE
     262901760 bytes total (237408256 bytes free)
     ciscoasa# show file system

     File Systems:

          Size(b)     Free(b)      Type  Flags  Prefixes
     * 262901760   237400064   disk      rw      disk0: flash:
                -           -  disk      rw      disk1:
                -           -  network   rw      tftp:
                -           -  opaque    rw      system:

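The FLASH creation and per-ASA copy steps above are easy to get wrong on a multi-ASA topology (a missing or shared FLASH file, or an accidental overwrite of a flash that already holds a saved config). This is an added helper, not part of GNS3 or the tutorial, that creates one 256M raw FLASH image per ASA folder in the working directory and refuses to touch an existing one; the `provision_flash` and `create_raw_image` names are mine, and the fallback relies on the fact that a raw qemu image is simply a zero-filled file of the requested size.

```python
"""Create one raw FLASH disk image per emulated ASA in a GNS3 working directory.

Hypothetical helper (not GNS3 code). It mirrors the manual steps: one
`qemu-img create FLASH 256M`, then a separate copy in every ASA's folder.
It never overwrites an existing FLASH, because that file holds the ASA's
saved startup-config.
"""
import os
import shutil
import subprocess

FLASH_SIZE = 256 * 1024 * 1024  # 256M; matches "size=268435456" in qemu-img's output


def create_raw_image(path, size=FLASH_SIZE, prefer_qemu_img=True):
    """Create an empty raw disk image and return its size in bytes.
    Uses qemu-img when it is on PATH, otherwise writes a sparse zero-filled
    file of the same size (which is exactly what a raw image is)."""
    tool = shutil.which("qemu-img") if prefer_qemu_img else None
    if tool:
        subprocess.run([tool, "create", "-f", "raw", path, str(size)],
                       check=True, stdout=subprocess.DEVNULL)
    else:
        with open(path, "wb") as f:
            f.truncate(size)
    return os.path.getsize(path)


def provision_flash(workdir, asa_names, prefer_qemu_img=True):
    """Ensure <workdir>/<ASA name>/FLASH exists for every ASA on the topology.
    Returns {ASA name: "created" | "kept"} so the caller can see what changed."""
    result = {}
    for name in asa_names:
        asa_dir = os.path.join(workdir, name)
        os.makedirs(asa_dir, exist_ok=True)  # GNS3 makes this when the ASA is dragged in
        flash = os.path.join(asa_dir, "FLASH")
        if os.path.exists(flash):
            result[name] = "kept"  # do not wipe a flash that may already hold a config
            continue
        size = create_raw_image(flash, prefer_qemu_img=prefer_qemu_img)
        if size != FLASH_SIZE:
            raise RuntimeError(f"{flash}: expected {FLASH_SIZE} bytes, got {size}")
        result[name] = "created"
    return result


if __name__ == "__main__":
    import sys
    # usage: python provision_flash.py <GNS3 working directory> ASA1 ASA2 ...
    print(provision_flash(sys.argv[1], sys.argv[2:]))
```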

NOTES

“write memory” doesn’t work unless you’re able to set it to save to slot0: (instead of disk0:)

ciscoasa# wr mem
Building configuration...
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4

%Error opening disk0:/.private/startup-config (No such file or directory)
Error executing command
[FAILED] 
 
'copy running-config flash:' works however:

ciscoasa# copy run flash:
Source filename [running-config]?

Destination filename [running-config]?
Cryptochecksum: 6e33e06b 255d8b92 90c27d70 9f5b4de4 
 
Maybe use this instead?
ciscoasa# boot config flash:/running-config 
 
ALSO NOTE: ASDM will not work unless you use Fiddler. There IS a work-around for this, but I have yet to bother patching the kernel to support it. For now, you’ll need to use Fiddler.

You can set up the GNS3 topology to route your network traffic through the emulated ASA (do this at home, not work). You should have two clouds for this, one bound to a loopback adapter to emulate your local area connection (inside), and the other cloud bound to your LAN adapter that faces your router (outside).

It should look something like this:


If you wanted, you could even hang a DMZ network off the side:


Also, ASA emulation is pretty slow. I had it running on my E8400 (dual-core 3.6GHz w/ 4GB of RAM) and was only able to manage around 200-250kB/sec throughput.

Obviously it’s even slower if you enable a lot of services (IPS/inspect rules etc.)… Don’t expect to be able to route all your traffic through it.

You should also know there is no such thing as a management (management 0/0) interface on an emulated ASA (only e0/0 – e0/5).
Finally, you cannot use the “reload” command. You need to stop and start the ASA to reboot it. This is the case for router emulation as well.

Hope this helps.

Tutorial written September 2010 by Josh (HighFreak1c) for the cisco-networkers.blogspot.com blog.
All rights reserved, no reproduction allowed under any circumstance.
