How to add ASA Firewall to GNS3

1. Download GNS3. I accept all the defaults (I actually tick the option to install SuperPuTTY, as tabbed console windows can be handy when using GNS3). Launch the program and you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the paths to the ‘projects’ and ‘images’ folders are where you want them to be. The defaults are fine, but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file; with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account and a valid support agreement. DO NOT email me and ask for Cisco IOS images (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. If you don’t do this, your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now add that model of router to the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping or perform tracerts. So you can download a small Linux image from GNS3. There are a few options, but I prefer linux-microcore.

11. Edit > Preferences.

12. Qemu > Qemu Guest > Give it an identifier name (can be anything) > Browse to, and select, the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Qemu Guest machine onto the workspace, and console into it.

Adding a Cisco ASA to GNS3

Yes you can add Cisco PIX as well, but there’s not many of them left in the wild.

15. Edit > Preferences > Qemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to:

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

Set the Kernel cmd line option to;

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source you are looking for asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlinuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled; to add them you need to change the ASA’s activation key. An ASA activation key is usually linked to the serial number of the ASA. In this case we don’t have a serial number (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is that every time you add a new ASA to the workspace, you need to go through this process. If you enter the commands below, you can issue a reload and also save the ASA, without the need to re-enter the activation key.

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

20. When it comes back up (again, it will take a few minutes), you can check your ASA’s licensed features.

To allow ICMP (pings) from the inside workstation, as it will be blocked by default:

ASA(config)# class-map icmp-class
ASA(config-cmap)# match default-inspection-traffic
ASA(config-cmap)# exit
ASA(config)# policy-map icmp_policy
ASA(config-pmap)# class icmp-class
ASA(config-pmap-c)# inspect icmp
ASA(config-pmap-c)# exit
ASA(config)# service-policy icmp_policy interface outside
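
To confirm that the ICMP inspection above is actually in effect, the following added example (not part of the original post) parses a saved running-config and checks that a policy-map containing inspect icmp is applied by a service-policy. The sample config, including the OUTSIDE_IN access-list line, is constructed for illustration.

```python
import re

# Constructed sample: the config lines entered in the steps above, plus a
# broad ACL (constructed for contrast) that is sometimes used instead.
SAMPLE_CONFIG = """\
class-map icmp-class
 match default-inspection-traffic
policy-map icmp_policy
 class icmp-class
  inspect icmp
service-policy icmp_policy interface outside
access-list OUTSIDE_IN extended permit icmp any any
"""

def parse_policies(config):
    """Return ({policy: {class: [inspected protocols]}}, {policy: scope})."""
    policies, applied = {}, {}
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            pmap = cls = None  # a top-level command ends any sub-mode
        if m := re.fullmatch(r"policy-map (\S+)", line):
            pmap = policies.setdefault(m[1], {})
        elif pmap is not None and (m := re.fullmatch(r"class (\S+)", line)):
            cls = pmap.setdefault(m[1], [])
        elif cls is not None and (m := re.fullmatch(r"inspect (.+)", line)):
            cls.append(m[1])
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
            applied[m[1]] = m[2]
    return policies, applied

def audit_icmp(config):
    """List findings about how ICMP is handled in the given config text."""
    policies, applied = parse_policies(config)
    findings = []
    inspecting = [p for p, classes in policies.items()
                  if any("icmp" in insp for insp in classes.values())]
    for p in inspecting:
        if p in applied:
            findings.append(f"ok: inspect icmp active via {p} ({applied[p]})")
        else:
            findings.append(f"warn: {p} has inspect icmp but no service-policy applies it")
    if not inspecting:
        findings.append("warn: no policy-map inspects icmp")
    if re.search(r"^access-list \S+ extended permit icmp any any\s*$", config, re.M):
        findings.append("warn: access-list permits any-to-any ICMP regardless of state")
    return findings
```

Feed it the text of show running-config saved from the lab ASA; a policy-map that was defined but never attached with service-policy shows up as a warning.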

 

To Permanently save the ASA config in GNS3: 

copy running-config disk0:/.private/running-config
copy disk0:/.private/running-config disk0:/.private/startup-config
conf t
boot config disk0:/.private/startup-config

Posted on July 12, 2014, in GNS3, Security - CCNA / CCNP Security.