Asa > gns3

danc_101

Has anyone got an ASA working in GNS3 ?

Find more posts tagged with

Comments

ConstantlyLearning

I havn't but have you tried this? How to run ASA 8 firewall on GNS3 0.7.3 | GNS3 Vault

Looks promising.

instant000

danc_101 wrote: »

Has anyone got an ASA working in GNS3 ?

Yes.

ConstantlyLearning wrote: »

I havn't but have you tried this? How to run ASA 8 firewall on GNS3 0.7.3 | GNS3 Vault
Looks promising.

That works, try this video, might be a little easier:

‪GNS3 - How to configure GNS3 and Cisco ASA Firewall‬‏ - YouTube

Of course, I've only seen the 8.02 running. If somehow had instructions on how to get 8.4 running, I'd use that, LOL.

chrisone

danc_101 wrote: »

Has anyone got an ASA working in GNS3 ?

yep it works.

alan2308

instant000 wrote: »

Of course, I've only seen the 8.02 running. If somehow had instructions on how to get 8.4 running, I'd use that, LOL.

You and me both. Nobody has managed anything beyond 8.02.

instant000

alan2308 wrote: »

You and me both. Nobody has managed anything beyond 8.02.

No kidding.

I'm almost to the point of buying a couple ASA's, just to stock up my lab properly.

However, I just looked at the CCIE Security objectives, and the ASA on there was 8.x. It would seem if they really needed something higher than that, it'd specifically say so. (especially considering that 8.5 is already out for the FWSM)

Besides, the emulated pix 8.x is a lot easier to run. I got one running 8.0 pretty smooth in just a few minutes.

chrisone

Isnt the draw back to this ASA emulation , not being able to save configs?

instant000

chrisone wrote: »

Isnt the draw back to this ASA emulation , not being able to save configs?

I can save mine.

Let me show you some note's I've collected (from various places on the net, mind you).

=========================

How to get the ASA running
===========================

1. Cisco Network Resources > Free Tools
download: cisco asa 8 initrd.gz
download: cisco asa8 kernel
2. launch gns3 > edit > preferences > Qemu > ASA
initrd: specify the file you downloaded earlier
kernel: specify the other file you downloaded
make sure to give it a name
then, you can save, apply, and ok
3. in GNS3, bring the firewall over
start it
minimize the window that comes up
4. open the ASA console
wait for one minute (it is loading up)
5. after waiting one minute, enter this command:
cd /mnt/disk0
/mnt/disk0/lina_monitor

================================================================

Formatting the Flash (for when saving fails)
=======================

1. enter this command from enable mode:

format flash:

2. restart the ASA
in GNS3 right click on the ASA Icon – “stop”
give it a few seconds then select “start”

3. open your ASA console
f asked run the command
cd /mnt/disk0
/mnt/disk0/lina_monitor

4. now try dir again … note the 0 bytes has gone :O)

5. You can now save your configs !!

copy run disk0:/.private/startup-config

========================================================
Saving ASA Configuration
========================

copy /noconfirm running-config disk0:/.private/running-config
copy /noconfirm disk0:/.private/running-config disk0:/.private/startup-config
configure terminal
boot config disk0:/.private/startup-config
exit
==============================

The next thing I'm going to confirm steps for is making the interfaces pingable , and so far, I think the key is to separate them by switches, but I need to test this first.

Bl8ckr0uter

Hey what version of OS are you using? I can't get 8.4 to run. I have read of the no one can run 8.0 or newer.

EDIT: Nevermind. Have you found any draw backs from using an OS that old.

alan2308

instant000 wrote: »

However, I just looked at the CCIE Security objectives, and the ASA on there was 8.x. It would seem if they really needed something higher than that, it'd specifically say so. (especially considering that 8.5 is already out for the FWSM)

I saw that too, and I don't see any specific version listed for the CCNP Security exams so I have to assume it won't require a higher version than the CCIE Security requires. 8.0.2 should be fine for the foreseeable future. If not, the security lab at school has a stack of 5510's running 8.4 so I can always spend a few long nights there.

And thanks for the quick and dirty how to. I was also unable to save configs, so I'll run through that next time I fire up GNS3.

chrisone

Thanks for the info instant000 , seems like you cant run a suitable lab comfortable without constant nagging problems with the emulation lol

I have 5510's, 20's and 40's at work that i can play with. Plus i plan on buying a pair of 5505's for my studies, it only seems right if i plan on moving towards the CCIE Security track. 5505s are cheap these days

Bl8ckr0uter

chrisone wrote: »

Thanks for the info instant000 , seems like you cant run a suitable lab comfortable without constant nagging problems with the emulation lol

I have 5510's, 20's and 40's at work that i can play with. Plus i plan on buying a pair of 5505's for my studies, it only seems right if i plan on moving towards the CCIE Security track. 5505s are cheap these days

There is alot they can't do that seems like it would be covered in the objectives if I recall correctly. IPS being one of them.

instant000

Bl8ckr0uter wrote: »

There is alot they can't do that seems like it would be covered in the objectives if I recall correctly. IPS being one of them.

Look at this.

how much can we run CCIE Security labs in gns3 - IEOC - Internetwork Expert's Online Community

Then, see these links below.

CCIE SEC Virtual Racks

CCIE SEC Mini-Scenarios

http://ccie18473.net/dynamips4/ine-cciesec-vrack.v3.net

http://ccie18473.net/dynamips4/qemu-start-asa-ips.txt

Hope this helps!

alan2308

instant000 wrote: »

However, I just looked at the CCIE Security objectives, and the ASA on there was 8.x. It would seem if they really needed something higher than that, it'd specifically say so. (especially considering that 8.5 is already out for the FWSM)

Bad news on this. I was just looking at the exam objectives for the 642-617 FIREWALL v1.0 exam, and in the comments it says that FIREWALL and VPN are both based on 8.2. I still can't find anything official from Cisco though.

instant000

Well, botnet detection is an 8.2 feature

Cisco ASA Botnet Traffic Filter - Cisco Systems

There are several videos on it. Go over those, and you should be OK.

I think I'm going to make a study checklist, to make sure I'm hitting all the topics. I found several security design guides on their site, and my best hope is to try to read those, and hope that gets me by. If I somehow fail the exam due to the design section, then I'll try getting the official book.

It's basically an experiment for me, because I think I'll learn more thoroughly, if I don't have a book that tells me what's supposed to be on the test.