Feb 21

Cisco ASA 8.4 on GNS3

I struggled quite a lot to get ASA 8.4 working on GNS3. I had 8.0(2) working and was helping to test the configurations and VPNs, but now wanted to get 8.4 running so that I can prepare myself for the new NAT statements and the migration from 8.0(2) to 8.4(2).

Here are the steps to get it working. All links to any images or keys are removed for legal reasons. Once it's gone, it's gone.

1. Download the ASA 8.4 files for GNS3 from the following address

I am afraid you will have to search Google for reputable sources to get the firewall ASA842 image. Please don't ask here for the image.

2. Configure GNS3 as follows. (I am using Ver 0.8.2 Beta 2; also tested 8.3 with Windows 7 64 bit, which worked without any issues.) Type the options below into the relevant fields:

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
 
Configure the paths for Initrd and Kernel to where you have extracted the files.

3. Once the firewall is up and running, use the following activation keys

Again, the activation keys are in the public domain, so get them using your search capabilities.

It will take a while (10-15 min) to accept the second activation key and will take the same time at the first reboot.

That's all done and we have a working firewall to play with.

Now if you want to run two ASAs, you will have to change the Qemu options on the second firewall as below:

Qemu Options: -vnc :2 none -vga none -m 1024 -icount auto -hdachs 980,16,32

 

Troubleshooting:

Please check the comments at the end of the post, where you will find different ways to resolve issues if you face any. Especially helpful are the comments from GD, which are detailed below.

 

Download and install the latest version of GNS3 0.8.2. After that, download the Qemu 0.13.0 patched 32 bits binary for Windows from

Copy the downloaded qemu files and folders over the existing qemu files and folders under the GNS3 folder, replacing them.

 

After you have ASA running in GNS and want to play with ASDM, here is the guide to follow

http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/

 

And if you want to connect two GNS3 networks running on two different PCs, use the following:

http://www.xerunetworks.com/2012/03/connect-gns3-network-to-real-networks-other-gns3-network/

I have posted a LAB Guide for migrating NAT from 8.2 to 8.3/8.4 Version, which is still a work in progress but has a lot of stuff already added into it:

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

349 comments


  1. Amit

    Hi,
    Thanks for this awesome post and the download link. However, do I need to put activation-keys every time I want to use ASA, or is there another way?
     
    Thanks again.
    Amit.

    1. xerunetworks

      Nope, you don't need to enter them each time. When you enter the keys the first time and confirm (it takes 10 min for the confirmation prompt to come up), save the configuration by using the 'wr' command and also save the project. When you stop/start the ASA, it will start and will wait again for key verification, but once loaded it will just work and doesn't need confirmation again.

      1. Amit

        Thanks for your response. I will just keep a sample project with 2 ASAs ready to go.
         
        Best regards,
        Amit.

  2. Hussein

    Hi,
    My ASA runs great. I can run a few of them at the same time also. However, if I connect the ASA to another device and try to start, it will start, but the console does not come up.
     
    Any solution?

    1. xerunetworks

      It looks like it is crashing the server. Can you try with one ASA first?

      1. isahak

        Hi,
        It was working. However, since yesterday it has stopped working. I tried many different things. However, I could not make it work.

        1. Kenny29

          Hello,
          I have exactly the same issue (ASA starts with console only if no device is connected and starts without console if a device is connected).
          Has someone solved this problem?
          My lab is on a Virtual Machine, Ubuntu based, on an ESXi host, if it can help.
          Thx

  3. Justin

    I noticed you have the asa802 files too. Could you please post a link for those?

      1. Justin

        Thanks!

      2. harold

        Guys,
        I am unable to get GNS3 & ASA 8.4 working on my WIN 7 64 bit 8 gig ram. I keep getting the "lost communication with qemuwrapper server 127.0.0.0.1 – It may have crashed" error. I followed the steps as outlined above. What's missing? Any help would be greatly appreciated! Thanks in advance.

  4. Meekail

    Has anyone tried to configure failover using the 8.4 and activation keys provided here in GNS3? I tried and it did not work for me. Failover will not get enabled on any firewall.
    Thanks.
     
    ~M

    1. xerunetworks

      Just tested failover and no issues at all. Make sure you are using the keys and waiting for them to be applied. Here is how it should work:

      1. Enter first key and confirm.
      2. Enter second key and it will ask you to wait; after 5-10 minutes it will ask you to confirm. Confirm and use 'wr' command to save config.
      3. Reload the firewall after saving config.
      4. Firewall will reload and will wait again for key verification. After 5-10 min it should go through the startup routine.
      5. Once loaded, go to enable mode and use the following for failover on Primary:

          int gi1
          no shut
          exit
          failover
          failover lan unit prim
          failover lan interface failover gi1
          failover replication http
          failover link failover gi1
          failover interface ip failover 20.20.20.1 255.255.255.252 standby 20.20.20.2

      Do the same on the secondary firewall, just change the command 'failover lan unit prim' to 'failover lan unit sec'.

      Topology

      ASA1-Int gi1 <—————-> Int gi1-ASA2

       

      1. Meekail

        Not sure what I am missing, but I am not able to get this failover working. They are directly connected, but I only see the outgoing packets with no incoming packets and therefore both are not able to see each other. Any help!?
        Secondary:
        FailoverB(config)# show run fail
        FailoverB(config)# show run failover
        failover
        failover lan unit secondary
        failover lan interface failover GigabitEthernet2
        failover replication http
        failover link failover GigabitEthernet2
        failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
        FailoverB(config)#
         
        FailoverB(config)# show int gig2
        Interface GigabitEthernet2 "failover", is up, line protocol is up
          Hardware is Linux Ethernet Dev, BW 100 Mbps, DLY 100 usec
                (Full-duplex), (100 Mbps)
                Input flow control is unsupported, output flow control is unsupported
                Description: LAN/STATE Failover Interface
                MAC address 0000.ab43.1003, MTU 1500
                IP address 10.1.1.2, subnet mask 255.255.255.0
                0 packets input, 0 bytes, 0 no buffer
                Received 0 broadcasts, 0 runts, 0 giants
                0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
                0 pause input, 0 resume input
                0 L2 decode drops
                558 packets output, 23436 bytes, 0 underruns
                0 pause output, 0 resume output
                0 output errors, 0 collisions, 0 interface resets
                0 late collisions, 0 deferred
                0 input reset drops, 0 output reset drops
                input queue (blocks free curr/low): hardware (0/0)
                output queue (blocks free curr/low): hardware (0/0)
          Traffic Statistics for "failover":
                0 packets input, 0 bytes
                558 packets output, 15624 bytes
                0 packets dropped
              1 minute input rate 0 pkts/sec,  0 bytes/sec
              1 minute output rate 0 pkts/sec,  6 bytes/sec
              1 minute drop rate, 0 pkts/sec
              5 minute input rate 0 pkts/sec,  0 bytes/sec
              5 minute output rate 0 pkts/sec,  6 bytes/sec
              5 minute drop rate, 0 pkts/sec
        FailoverB(config)#
         
         
        FailoverB(config)# show fail
        Failover On
        Failover unit Secondary
        Failover LAN Interface: failover GigabitEthernet2 (up)
        Unit Poll frequency 1 seconds, holdtime 15 seconds
        Interface Poll frequency 5 seconds, holdtime 25 seconds
        Interface Policy 1
        Monitored Interfaces 0 of 60 maximum
        failover replication http
        Version: Ours 8.4(2), Mate Unknown
        Last Failover at: 21:09:52 UTC May 18 2012
                This host: Secondary – Active
                        Active time: 2198 (sec)
                Other host: Primary – Not Detected
                        Active time: 0 (sec)
        Stateful Failover Logical Update Statistics
                Link : failover GigabitEthernet2 (up)
                Stateful Obj    xmit       xerr       rcv        rerr
                General         0          0          0          0
                sys cmd         0          0          0          0
                up time    
         
        ========================================================================
        Primary:
        FailoverA# show run failover
        failover
        failover lan unit primary
        failover lan interface failover GigabitEthernet2
        failover replication http
        failover link failover GigabitEthernet2
        failover interface ip failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
        FailoverA#
         
        FailoverA# show interface gigabitEthernet 2
        Interface GigabitEthernet2 "failover", is up, line protocol is up
          Hardware is Linux Ethernet Dev, BW 100 Mbps, DLY 100 usec
                (Full-duplex), (100 Mbps)
                Input flow control is unsupported, output flow control is unsupported
                Description: LAN/STATE Failover Interface
                MAC address 0000.ab46.d003, MTU 1500
                IP address 10.1.1.1, subnet mask 255.255.255.252
                0 packets input, 0 bytes, 0 no buffer
                Received 0 broadcasts, 0 runts, 0 giants
                0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
                0 pause input, 0 resume input
                0 L2 decode drops
                160 packets output, 6720 bytes, 0 underruns
                0 pause output, 0 resume output
                0 output errors, 0 collisions, 0 interface resets
                0 late collisions, 0 deferred
                0 input reset drops, 0 output reset drops
                input queue (blocks free curr/low): hardware (0/0)
                output queue (blocks free curr/low): hardware (0/0)
          Traffic Statistics for "failover":
                0 packets input, 0 bytes
                160 packets output, 4480 bytes
                0 packets dropped
              1 minute input rate 0 pkts/sec,  0 bytes/sec
              1 minute output rate 0 pkts/sec,  6 bytes/sec
              1 minute drop rate, 0 pkts/sec
              5 minute input rate 0 pkts/sec,  0 bytes/sec
              5 minute output rate 0 pkts/sec,  6 bytes/sec
              5 minute drop rate, 0 pkts/sec
        FailoverA#
         
         
        FailoverA# show fail
        Failover On
        Failover unit Primary
        Failover LAN Interface: failover GigabitEthernet2 (up)
        Unit Poll frequency 1 seconds, holdtime 15 seconds
        Interface Poll frequency 5 seconds, holdtime 25 seconds
        Interface Policy 1
        Monitored Interfaces 0 of 60 maximum
        failover replication http
        Version: Ours 8.4(2), Mate Unknown
        Last Failover at: 21:25:17 UTC May 18 2012
                This host: Primary – Active
                        Active time: 674 (sec)
                Other host: Secondary – Failed
                        Active time: 0 (sec)
        Stateful Failover Logical Update Statistics
                Link : failover GigabitEthernet2 (up)
                Stateful Obj    xmit       xerr       rcv        rerr
                General         0          0          0          0
                sys cmd         0          0          0          0
                up time         0          0          0          0
                RPC services    0          0          0          0
                TCP conn        0          0          0          0
                UDP conn 
         
         
         
         

        1. Meekail

          Never mind, I found and fixed the issue. Failover was not working because I did not configure any other interface on the firewall. The moment I configured the inside interface, failover started working.

          1. xerunetworks

            Good to know it worked for you. I should have mentioned to you that whenever I built a topology for ASA failover in GNS3, I always used a second interface connected via a switch along with one direct for failover.
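Failover peers are expected to carry the same failover settings apart from the `failover lan unit` role, and the two `show run failover` outputs pasted in this thread differ in the subnet mask. The following is an added example, not code from the post or its commenters, that compares two units and sanity-checks the failover addressing; the function names are hypothetical and the sample input is constructed from the lines pasted above.

```python
import ipaddress

# Constructed sample input: "show run failover" lines as pasted in the thread above.
PRIMARY = """\
failover
failover lan unit primary
failover lan interface failover GigabitEthernet2
failover replication http
failover link failover GigabitEthernet2
failover interface ip failover 10.1.1.1 255.255.255.252 standby 10.1.1.2
"""
SECONDARY = """\
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet2
failover replication http
failover link failover GigabitEthernet2
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
"""

def parse_failover(text):
    """Return (unit role, set of the other failover lines), skipping CLI prompts."""
    role, lines = None, set()
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if "#" in line or not line.startswith("failover"):
            continue
        if line.startswith("failover lan unit "):
            role = line.split()[-1]
        else:
            lines.add(line)
    return role, lines

def check_interface_ip(line):
    """Problems in a 'failover interface ip <if> <ip> <mask> standby <ip>' line."""
    parts = line.split()
    if len(parts) != 8 or parts[6] != "standby":
        return ["unexpected syntax"]
    net = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
    problems = []
    for label, addr in (("active", parts[4]), ("standby", parts[7])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a usable host in {net}")
    return problems

def compare_units(text_a, text_b):
    """List every difference that two failover peers should not have."""
    (role_a, a), (role_b, b) = parse_failover(text_a), parse_failover(text_b)
    findings = []
    if {role_a, role_b} != {"primary", "secondary"}:
        findings.append(f"need one primary and one secondary, got {role_a}/{role_b}")
    findings += [f"only on {role_a}: {ln}" for ln in sorted(a - b)]
    findings += [f"only on {role_b}: {ln}" for ln in sorted(b - a)]
    for line in sorted(a | b):
        if line.startswith("failover interface ip "):
            findings += [f"{line}: {p}" for p in check_interface_ip(line)]
    return findings

if __name__ == "__main__":
    for finding in compare_units(PRIMARY, SECONDARY):
        print(finding)
```

An empty result means the two units agree on everything except their role.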

  5. Ron Van Stone

    Another update: I decided to check qemu and ran this at a DOS command prompt

    c:\GNS3>qemuwrapper-start.cmd
    Qemu Emulator Wrapper (version 0.8.2)
    Copyright (c) 2007-2011 Thomas Pani & Jeremy Grossm
    Qemu path (qemu) is valid
    Qemu-img path (qemu-img) is valid
    Qemu TCP control server started (port 10525).
    Listening on 127.0.0.1
    Connection from ('127.0.0.1', 52631)
    Connection from ('127.0.0.1', 52632)
    Shutdown in progress…
    Shutdown completed.
    Qemu path is now C:\GNS3\qemu.exe
    Qemu-img path is now C:\GNS3\qemu-img.exe
    !! ASA1.console = 2000
    !! ASA1.kernel = C:\GNS3\ASA\asa842-vmlinuz
    !! ASA1.netcard = e1000
    !! ASA1.ram = 1024
    —————————————-
    Exception happened during processing of request fro
    Traceback (most recent call last):
      File "SocketServer.pyc", line 560, in process_req
      File "SocketServer.pyc", line 322, in finish_requ
      File "SocketServer.pyc", line 617, in __init__
      File "qemuwrapper.py", line 684, in handle
      File "qemuwrapper.py", line 704, in handle_one_re
      File "qemuwrapper.py", line 693, in __get_tokens
    Error: newline inside string
    —————————————-

  6. Ron Van Stone

    Folks,
    I cannot get the ASA to work on my Windows 7, 64 bit with 8 meg of memory, GNS 8.2. Can someone help?
    The QEMU test setting reports "Qemuwrapper, qemu, qemu-img and pemu have successfully started", but I get "error connection lost constantly". Qemu ASA settings are:

    Ram: 1024
    Number of NICs: 6
    NIC model: e1000
    Qemu options: -vnc none  -vga none -m 1024 -icount auto -hdachs 980,16,32
    Initrd: C:\GNS\ASA\asa842-initrd.gz
    Kernel: C:\GNS\ASA\asa842-vmlinuz
    Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

    I keep getting "Error: lost communication with qemuwrapper server localhost It may have crashed. Check the qemuwrapper server output. Exiting"
     

    1. Steve

      Did you ever find an answer to this problem? It is the one I keep getting.
      Steve

    2. angle

      I have the same problem. Someone told me that I had to reinstall gns3 0.82 using the default directory; it's too bad.

      1. evan

        Hi Angle,
        I'm not sure it's the same exact situation as the Windows example. I don't get the message "Lost Connection". The ASA is running; it just disappears from the Console when any other device is added. The QEMU Wrapper/server is still running. I do see the message "-icount needs argument" in the Terminal window of Ubuntu. I just have no idea of what to put in the QEMU options. Everything else in GNS3 works perfectly. I don't see why reinstalling will make any difference.
        Any other thoughts?
        Thanks
        ev
         

        1. angle

          Hi, evan
          I run it in win7, sorry.

          1. evan

            Thanks for the response.
            I'd have to run it on a VMware machine on my MAC. GNS3 just does not work properly in Windows 7 with my config. I can't believe this is so difficult for everyone.
            I've posted on all the relevant GNS 3 sites and no one seems to be able to help with my config.
            If I had the $ I'd build a Win 7 super machine but I don't.
            ev

    3. Ron Van Stone

      Fixed: Now it should be 'x' rather than unicode in the option for Kernel "mask=0x01"

      Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb
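The fix reported above (an ASCII 'x' where a Unicode look-alike had been pasted) can be checked before the options go into GNS3. The following is an added example, not part of the original post or comments; the function names are hypothetical, and the choice of U+00D7 as the offending character is an assumption, since the comment only says "unicode".

```python
import unicodedata

# ASCII replacements for look-alikes that blog software and word processors
# commonly substitute. Dashes are deliberately absent: an en or em dash may
# stand for "-" or "--", so to_ascii() refuses to guess and raises instead.
LOOKALIKES = {
    "\u00d7": "x",                  # multiplication sign, as in 0×01
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u00a0": " ",                  # no-break space
}

def find_non_ascii(text):
    """Return (offset, char, Unicode name, suggested ASCII or None) per offender."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"), LOOKALIKES.get(ch))
            for i, ch in enumerate(text) if ord(ch) > 127]

def to_ascii(text):
    """Replace known look-alikes; raise if anything non-ASCII is left over."""
    cleaned = "".join(LOOKALIKES.get(ch, ch) for ch in text)
    leftover = find_non_ascii(cleaned)
    if leftover:
        raise ValueError(f"no safe ASCII replacement for {leftover}")
    return cleaned

def probe_mask(cmdline):
    """Parse ide_generic.probe_mask from a kernel command line as a hex integer."""
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key == "ide_generic.probe_mask":
            return int(value, 16)   # raises ValueError on "0×01"
    raise KeyError("ide_generic.probe_mask not present")

# Constructed sample: the page's kernel cmd line with the ASCII x swapped for U+00D7.
PASTED = ("-append ide_generic.probe_mask=0\u00d701 ide_core.chs=0.0:980,16,32 "
          "auto nousb console=ttyS0,9600 bigphysarea=65536")

if __name__ == "__main__":
    for offset, ch, name, fix in find_non_ascii(PASTED):
        print(f"offset {offset}: {ch!r} ({name}), replace with {fix!r}")
    print(to_ascii(PASTED))
```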

  7. xming

    Hello,

    When I start a cisco asa in gns3 and I connect to the console, the connection is successfully displayed. You can configure the asa and everything is wonderful.
    When I close the console connection and open the console again, you cannot open the console. I have to reboot the asa.

    With a router, I can open a console several times in parallel. A router runs with DYNAMIPS, the ASA with QEMU. I would also like the asa to work in parallel with multiple consoles. Is that possible?

    Thank You

    1. xerunetworks

      ASA console is different from routers as it runs in Qemu

      1. xming

        Hey malikyounas,
        yes that is known to me.
        1) The question is, is there a possibility in qemu to connect several times?
        2) Do you also have the problem that if you close the console and then open it again, no connection is made any more? Only when I restart the asa can I connect again.
        Thanks
         

        1. xerunetworks

          1. There might be a way, but I don't know one.
          2. Not sure why it's behaving like that on your machine; please verify the Qemu options. Start a new topology with just one ASA and close/open the console window. It doesn't seem to be having any issue when I try it.

  8. Hussein

    Hi,
    Thanks for the great post. However, for me the vlan section is not working. I do not see any option for VLAN.
    It is not  letting me create new vlans.  Does anyone know why?
     

    1. xerunetworks

      Please copy the commands in here which you used to create VLANs.

  9. SilverFox

    Malikyounas,
    I noticed an issue when I use ASA 8.4.2 and VPCS (PC simulator) together. There is some kind of port conflict. If I start GNS3 with ASA 8.4.2 first, ASA loads up and runs, but then if I start VPCS, I get an error on the VPCS screen like this: open port 200001 error [Address already in use]
    On the other hand, if I start VPCS first, it loads up properly on all ports (20000 – 20008, 30000 – 30008) with no errors, but then when I try to start ASA, it fails to launch QEMU, and if I try to connect to its console, it errors with: The remote system refused the connection. Sure looks like ports are in conflict.
    So I tried this: in GNS3 prefs, I changed the QEMU Base UDP port to 21000 (instead of the 20000 default) and now there are no errors! I hope this doesn't mess me up later. After making this change, it doesn't matter which program is launched first; they both start up without any conflict. I did not see this type of problem starting up ASA 8.0.2 previously, only when I started using 8.4.2.

    1. xerunetworks

      Thank you so much for sharing this, it will help many. I haven't tried ASA with the simulator so never knew about this issue, but great tip.

  10. SilverFox

    ASA 8.4.2 worked fine using all-in-one 0.8.2; I activated the key and everything was enabled. This is on a VMware machine running Server 2008 R2, with 3 GB RAM. The only problem is that it won't save the config; when I start the project over again, it's back at square one. What am I missing on save?
    I tried copy run disk0:/.private/startup-config, and I thought it was saving. Tried wr mem, copy run start …
    I used TFTP to transfer asdm-647.bin and saw it in the directory, but when I start the project again, it's missing. Thanks for any help.

    1. xerunetworks

      The most likely cause, it seems to me, is that somehow the flash file is getting overwritten or wiped out when you close the project. Can you please confirm if you did select the option of 'Save nvram and virtual hardrives' at the start of the project? Also, once you use 'wr mem' and it's finished, save the project and then start again to see if it's doing the same.

      The other possible thing you can do is to copy the flash file after you use 'wr mem' and then save/close the project. When starting again you can compare both flash files to see if there is a difference in size between the files; it will give a clear idea of whether it's overwritten or something.

      1. SilverFox

        Thanks, I seem to have it saving correctly now. I tried several combinations and sequences of commands, but like you mention, I found the reliable way is to use 'wr mem' and then save the project (while it is still active!). This is working very reliably with ASA 8.4.2. And yes, on all of my projects, I make it a habit to always select 'Save NVRAM and hard drives'.
        Also, if you stop all the devices, then choose 'Save Project as' (under some other folder or name), it reliably works. I think what threw me off was the 'copy run disk0: etc' command in 8.0.2.
