Wouldn’t it be nice if you could console into a virtual ASA 5520 running ASA 8.4.2? You could set up NAT and site-to-site VPNs with virtual hosts, and go crazy with firewall rules. The answer is yes, you can, and I’m about to show you how I did it on my Mac OS X 10.10 host using GNS3.
Here’s what I did to get this working…
After downloading and installing GNS3 we need to get the ASA 5.2 image. You’ll have to manually unpack the ASA 5.2 image before you can use it. I won’t go into the details of that here but there are several websites that show you how to do that.
Getting the ASA 5.2 image files
The most reliable way to get the image is to log in to the Cisco.com download center with valid SMARTnet entitlements and download the .bin file directly.
Alternatively, you can set up a TFTP server on your workstation, plug it into the switchport of a real ASA 5520 and type:
then type in the appropriate filename and enter the IP address of your TFTP server (your workstation IP). Do the same thing for the ASDM file. You can easily view the file names by typing dir at the console. Then you can power down your real physical ASA, unpack the images and play with them inside your GNS3 sandbox.
Finally, the last option is to download the pre-unpacked ASA images and use them directly in GNS3. In no way am I condoning software piracy so make sure you have a valid SMARTnet contract with Cisco before you download it. You can find an unpacked version of ASA 8.4.2 on Mediafire.
Setting up the Quick Emulator (Qemu)
Before we can run the ASA in GNS3 1.3 we need to create the virtual hard drive where the ASA software will live.
On my Mac I browsed to the Qemu directory:
and ran qemu-img to create a 512MB virtual solid state drive.
Creating the ASA in GNS3
Next, I fired up GNS3 as root:
The next thing we need to do is actually create the ASA appliance in GNS3. I pressed Command + , (comma) to open my GNS3 preferences and chose QEMU VMs from the drop-down menu in the left pane.
In the right pane, I clicked New and picked ASA 8.4(2) from the QEMU VM type drop-down menu.
Give your ASA a cute little name. I’m not feeling very creative today so I just named it the drab name: ASA.
Keep the default QEMU binary and memory settings and go on to the Linux boot specific settings.
If you correctly unpacked the .bin files you should have a -initrd.gz file, which is your RAM disk, and a -vmlinuz file, which is your kernel image file. Browse to both files and click Finish.
Now we just need to do a few little things to make sure everything works.
Back in the GNS3 QEMU VMs preferences pane click Edit to modify the VM you just created.
Your General Settings should show:
- Your VM Name
- RAM which should be 1,024MB
- Qemu binary should be the x86_64 version.
Under the HDD tab, browse to the 512MB virtual flash drive you created earlier.
Under the Network tab, crank up the interfaces to 8 and make sure the adapter type is set to Intel Gigabit Ethernet (e1000).
By the way, if after completing the wizard you notice your ASA gets stuck in a long reboot loop, try dropping the adapters from 8 to the default 4. When I changed mine to 8 I noticed a lot of IRQ adapter conflicts, so you might have to use 4.
And finally, under the Advanced settings tab, make sure Activate CPU throttling is disabled and the additional settings option says this exactly:
And now, my friend, you are done!
Click OK and drag out your shiny new ASA 5520 appliance onto the GNS3 workspace.
And check it out now – it’s the funk soul brother…
This tutorial will help you set up your CCNA, CCNP or CCIE Security Lab with Cisco ASA 8.4, which is currently supported by the latest version of GNS3.
- Download the source files here.
- Extract them and place them in the GNS3 images directory.
For example: C:\Users\<user name>\GNS3\images\QEMU
- Go to Edit -> Preference -> QEMU -> QEMU VMs
- Click New -> Give Name -> Set type
- Assign RAM (>=1024 MB)
- Select the boot files.
Kernel Command Line :Options :
- Press Ok. Then Drag Cisco ASA to workspace.
- Right click on it. Click start.
- Go to console view. If everything is configured correctly it will start booting. If anyone is curious to see the boot sequence click here.
- Default license is accepted.
- Issue the following commands sequentially.
- This will take roughly 15-20 minutes. It could take more time.
- During the reboot, the key validation phase will take some time. There is nothing to worry about. Wait for at least 15-20 minutes.
- Now your ASA will be licensed properly.
So now you have a full-fledged Cisco ASA Firewall running inside your computer.