GNS3 : How to emulate ASA 8.4(2) under QEMU
In this blog post, i will cover in detail how you can setup QEMU settings under GNS3 to emulate ASA 8.4(2). It has been made possible by a user “dmz” from 7200emu.hacki forum. Credit goes to him . Basically we will be using a patch which will automatically extract the kernel and initrd of ASA version 8.4(2). You can use resulting ASA initrd & kernel on any OS where you have installed GNS3.
DISCLAIMER: All information provided here are solely for self-education and investigation purposes. Provided AS-IS without any warranties.
I’m using Ubuntu 10.04 (LTS) although you can use pretty much any Linux Distros available out there.
Cisco Secure ACS 5.X Deployment Guide E-Book
Software Versions Used:
Here we are using latest GNS3 build 0.8.2. Cisco Software Versions you need (download from you CCO account ) are :
- asa842-k8.bin
- asdm-645-206.bin
Step 1:
(Right Click to view large image)
Download the script here , & first unpack the file (resulting in a shell script) and then make it executable as shown here
chmod +x repack.sh
Step 2:
Run the script as a Root user.
This will create three files in current directory as shown above
- asa842-vmlinuz – extracted kernel
- asa842-initrd-original.gz – original extracted initrd
- asa842-initrd.gz – patched initrd
Step 3:
Next move to GNS3 & Specify following values :
Qemu Options : -icount auto
Initrd : asa842-initrd.gz
Kernel :asa842-vmlinuz
Kernel cmd Line : ide_generic.probe_mask=0×01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Step 4 : Launch GNS3 Topology
Launch GNS3 topology , start ASA & then console into it.
Step 5 : Basic ASA Settings
Configure basic hostname & interface configurations & make sure ‘show version’ output reveals proper ASA Model information.
Basic Interface settings are as follows :
In following blog post, i will cover setup for ASDM, licensing & some best practices.
Rate if helpful ! Thanks!
Related Posts
Tags: asa 8.4(2), ASDM, CCIE Security v4, cisco secure acs 5.X deployment guide, NAT, Qemu, ubuntu
Cisco Secure ACS 5.X Deployment Guide E-Book
FlexVPN Lab Guide/Handbook
CCIE Voice Lab Practice Guide
RSS
Facebook
Twitter
Very Useful ! thanks
Hey Tariq , can u show me how can i practice NAT on this new version ?
thanks
@Riz, refer to this post.
http://www.brainbump.net/Understanding-CiscoASA-Post-8.3-NAT-Configuration
I will add more NAT scenarios in near future.thanks
Is there any way to control high cpu utilization on QEMU ?
Great post ! could you please post link if possible
Use cpulimiter for Linux or BES for winodws. I will post in ASDM tutorial with details.
Just google ‘asa842-k8.bin’ & you will get first link with what you want
Thanks Tariq,
I got the ASA to load but when I bring another device say a Router and connect it to the ASA, Only the Router appears in the console. I can load the ASA and console in if it’s the only device. That’s cool but it defeats the purpose of the Firewall. Do you have any thoughts about this?
Again the ASA comes up fine but only if it’s the only Device.
Thanks Again.. Oh let me say the only way I can make it work is by launching QEMU wrapper in the Terminal with the Python /x/x/ qemuwrapper.py command.
I haven’t run into this. By default, i believe ASA/IPS (Qemu) devices are assigned 300X ports e.g 3000 , 3001 etc but Routers are assigned 200X i.e 2000 , 2001 in GNS3. Did you try to change console port on router ?
Thanks Tariq,
I’ll try that next time and report back… : – )
Hi Tariq,
I tried what you suggested and played around with the console port on the ASA and Router. Same thing. The ASA disappears from the console when a Router is connected. I can see it trying to come up for a split second. The Qemu server is still running from Root@evan- xxxxxx so it’s something in the qemu options having to do with graphics? I tried -nographic also. It’s set now to -icount auto. I have no idea what to try.
Is there a chmod in the root to tell it to do something…?
Thanks for any help up front. Ubuntu 12.04, Gns3 0.8.3, ASA8.42
Again the ASA comes up when it’s the only device.
ADDitional comments..
Hi Tariq,
Just FYI I can connect plenty of routers in GNS3.(1700 -7200 all of them )
I have it talking to the Internet and my home lab rack of gear.
The only thing is this Darn ASA problem in Gns3 console.
I’m sure we can figure it out. I hope i hope.. ha ha ha
Thanks again.
evan
i’m using ubuntu 12.04.
i did the above steps, but when i power on the ASA 8.4.2, nothing happens.
does GNS3 need to have latest pemu/qemu installed?
if so, any tutorial on how to do that?
Hi Tariq,
Just installed Ubuntu 12.04, GNS 0.8.3. Thi works for a router, so tried to load up ASA 8.4.2 using your guide. When I try to start the ASA nothing happens,it wont start. There are no error message or any indication that there is a problem.
Is there any debuging on GNS to see if I can figure out why its no starting?
Thanks,
Andy
Update to previous post, since I installed this I’ve found the option on the general tab to test qemu. which fails, so I think this is my issue. Am looking at this now.
Hi please respond. Still trying…..
When I console into the ASA , nothing happens…only the following
Trying 127.0.0.1…
Connected to 127.0.0.1.
Escape character is ‘^]’.
This doesn’t appear to work for me. I ran this up in my Debian VM and I actually get differing file sizes for the created files.
root@Archibald-VM:/home/colabus# ./repack.v4.sh asa842-k8.bin
Repack script version: 4
no syslinux/cdrtools – ISO creation skipped
1359344+0 records in
1359344+0 records out
1359344 bytes (1.4 MB) copied, 7.23295 s, 188 kB/s
23697936+0 records in
23697936+0 records out
23697936 bytes (24 MB) copied, 120.707 s, 196 kB/s
/tmp/tmp.lP6tS7Io0R /home/colabus
gzip: /home/colabus/asa842-initrd-original.gz: decompression OK, trailing garbage ignored
114476 blocks
114476 blocks
114476 blocks
/home/colabus
root@Archibald-VM:/home/colabus# ls -l asa842*
-rw-r–r– 1 root root 23519467 Apr 21 17:40 asa842-initrd.gz
-rw-r–r– 1 root root 23518049 Apr 21 17:39 asa842-initrd-original.gz
-rw-r–r– 1 colabus colabus 25159680 Apr 21 17:33 asa842-k8.bin
-rw-r–r– 1 root root 1359344 Apr 21 17:37 asa842-vmlinuz
I’ve checksumed the file against Cisco.com to rule that out. I’ll give it another go now.
Cancel that. The issue must have been the paste of the kernel command line. “0×01″ working now.