Virtual ASA Guide, not sure if someone already has this out there.

PhildoBaggins Member Posts: 276
I found this junk I had written for some ASA classes I hosted early this year or late last year. These may be missing a few steps but it will get the job done. It's very handy and I constantly lab ASA items using this setup. I even firewall computers and VPN into myself to test client/ssl/anyconnect etc...


Phillip's ASA/ASDM Virtual GNS3 Setup Guide

Download these files, they will be required for the install. These two asa.zip files should contain different items so please rename one of them when you download.


asa.zip

http://www.gns3.net/download/

asa.zip




Step 1: Open Device Manager, select the network adapters category. Select Action, then Add legacy hardware. Choose Microsoft, then MS Loopback Adapter.


Step 2: Reboot your PC if necessary and set your loopback adapter's IP address to 10.100.100.100 255.255.255.0


Step 3: Install TFTP Server


Step 4: Install GNS3 0.8.2-BETA2


Step 5: Create GNS folder for images and such


Step 6: Open GNS, go to Preferences and set your project directory and image directory


Step 7: Set up Qemu, go to ASA


Identifier Name: ASA802

Initrd: asa802-k8.initrd.gz

Kernel: asa802-k8.kernel

Qemu Options: -hdachs 980,16,32 -vnc :1

Kernel Cmd Line: console=ttyS0,9600n8 bigphysarea=16384 auto nousb ide1=noprobe hda=980,16,32


Click Save, Apply, then OK


Identifier Name: ASA842

RAM: 1024 MB

Initrd: asa842-initrd.gz

Kernel: asa842-vmlinuz

Qemu Options: -m 1024 -icount auto -hdachs 980,16,32

Kernel Cmd Line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536


Click Save, Apply, then OK



Step 8: Drag an ASA over, select ASA802. Right Click the ASA and click start.


Step 9: Double click the ASA to open the console, it will take a minute to load. Press enter and drop in the following config.


modprobe e1000

ifconfig eth0 hw ether 00:00:AB:CD:10:10

ifconfig eth1 hw ether 00:00:AB:CD:10:11

ifconfig eth2 hw ether 00:00:AB:CD:10:12

ifconfig eth3 hw ether 00:00:AB:CD:10:13

ifconfig eth4 hw ether 00:00:AB:CD:10:14

ifconfig eth5 hw ether 00:00:AB:CD:10:15

ifconfig eth0 up

ifconfig eth1 up

ifconfig eth2 up

ifconfig eth3 up

ifconfig eth4 up

ifconfig eth5 up

cp /asa/bin/lina /mnt/disk0/lina

cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor

cd /mnt/disk0

/mnt/disk0/lina_monitor


Step 10: The ASA will begin to boot. From here you can set up your configuration. To save the ASA config use the following command:


copy run disk0:/.private/startup-config


Step 11: Drag over another ASA, this time select ASA842


Step 12: Start the ASA842, then double click the ASA


Step 13: The ASA842 may take a few minutes to boot. Once it's loaded you can use the following command to save the configuration


wr me


Step 14: Click the stop button on GNS3 to stop the ASAs


Step 15: Drag over a "Cloud"


Step 16: Drag over an "Ethernet Switch"


Step 17: Double click the cloud, select C1, and select the NIO ethernet tab. Choose the MS Loopback adapter, Click Add, Apply, Ok.


Step 18: Use the Middle finger connector tool to connect the cloud and ASAs to the ethernet switch.


Step 19: Click the Start button in GNS3


Step 20: Drop the following commands into the ASA802 (COPY THE EMPTY SPACES)


en



conf t

int e0/0

ip add 10.100.100.2 255.255.255.0

no shut

nameif LAN

sec 100

exit

icmp permit any LAN

ping 10.100.100.100




Step 21: If the pings are successful, then start your TFTP server


Step 22: Run the following command in the ASA802 (press enter through the prompts)


copy tftp://10.100.100.100/asdm-602.bin flash




Step 23: Enter the following commands once ASDM has been written to flash


conf t

enable pass tech@dp

passwd tech@dp

username admin pass tech@dp priv 15

http server enable

aaa authentication http console LOCAL

http 0.0.0.0 0.0.0.0 LAN


Step 24: You can now browse to https://10.100.100.2 to login to ASDM (REMEMBER TO USE THE CUSTOM WR ME FOR ASA802)


Step 25: Start ASA842


Step 26: Double click the ASA842 to open the console, drop in the following config including the empty spaces



en



conf t

int g0

ip add 10.100.100.1 255.255.255.0

no shut

nameif LAN

sec 100

exit

icmp permit any LAN

ping 10.100.100.100


copy tftp://10.100.100.100/asdm-641.bin flash






enable pass tech@dp

passwd tech@dp

username admin pass tech@dp priv 15

http server enable

aaa authentication http console LOCAL

http 0.0.0.0 0.0.0.0 LAN



Step 27: You can now browse to https://10.100.100.1 to login to ASDM (REMEMBER TO USE THE REGULAR WR ME FOR ASA842)
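
Added example, not part of the original post: a small Python check run over the management lines from Steps 23 and 26. It flags the any-source ASDM rule (http 0.0.0.0 0.0.0.0 LAN) and the one password shared by enable, passwd and the admin user. The audit function, its finding codes and the choice of 10.100.100.100 (the loopback adapter from Step 2) as the only permitted ASDM source are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the management-plane lines from Steps 23 and 26 of the post.
LAB_CONFIG = """\
enable pass tech@dp
passwd tech@dp
username admin pass tech@dp priv 15
http server enable
aaa authentication http console LOCAL
http 0.0.0.0 0.0.0.0 LAN
"""

# "http <address> <mask> <nameif>" is the ASDM/HTTPS source rule.
HTTP_ACL = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")
# Commands that set a secret, in abbreviated or full form.
SECRET = re.compile(r"^(enable pass\S*|passwd|username \S+ pass\S*)\s+(\S+)")


def audit(config, mgmt_host="10.100.100.100"):
    """Return (code, detail) findings for ASDM exposure and reused secrets."""
    findings, users_of = [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        acl = HTTP_ACL.match(line)
        if acl:
            addr, mask, nameif = acl.groups()
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # another three-argument http command, not a source rule
            if net.prefixlen == 0:
                # Any source may reach ASDM; suggest a host rule instead.
                fix = f"http {mgmt_host} 255.255.255.255 {nameif}"
                findings.append(("HTTP_ANY_SOURCE", f"'{line}' -> '{fix}'"))
        secret = SECRET.match(line)
        if secret:
            users_of.setdefault(secret.group(2), []).append(secret.group(1))
    for commands in users_of.values():
        if len(commands) > 1:
            findings.append(("SHARED_SECRET", ", ".join(commands)))
    return findings


if __name__ == "__main__":
    for code, detail in audit(LAB_CONFIG):
        print(f"{code}: {detail}")
```

The suggested host rule keeps ASDM reachable from the loopback adapter used throughout the guide while closing it to every other address that can reach the LAN interface, which matters once the lab is bridged to real networks for VPN testing.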

Comments

  • ElvisG Member Posts: 167
    Thank you from the bottom of my heart!
  • Kreken Member Posts: 284
    Thank you. This is a great post. I just have a couple of questions.

    1. It looks like you cannot run 8.2 and 8.4 at the same time. Is there a way around it? I get IRQ conflicts.

    2. I didn't look at 8.2 version yet but looking at 8.4 "sh ver" output license information leads me to believe this is 5510 without Security Plus license rather than 5520. Even though it says it is ASA 5520.

    Licensed features for this platform:
    Maximum Physical Interfaces : Unlimited perpetual
    Maximum VLANs : 100 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Disabled perpetual
    VPN-DES : Disabled perpetual
    VPN-3DES-AES : Disabled perpetual
    Security Contexts : 0 perpetual
    GTP/GPRS : Disabled perpetual
    AnyConnect Premium Peers : 5000 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 5000 perpetual
    Total VPN Peers : 0 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual

    This platform has an ASA 5520 VPN Plus license.

    Maximum VLANs : 100 perpetual
    5520 should have 150 max vlans.

    VPN-DES : Disabled perpetual
    VPN-3DES-AES : Disabled perpetual
    Only 5505 and 5510 require licenses to enable 3DES.

    Failover : Disabled perpetual
    Again, this is only for 5505 and 5510 disabled without a license.

    Edit: Found the solution to #2. You need to apply the following two activation codes to enable the features.
    activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
    activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6