
Feb 21

Cisco ASA 8.4 on GNS3

I struggled quite a lot to get ASA 8.4 working on GNS3. I had 8.0(2) working, which was helping me test configurations and VPNs, but I now wanted to get 8.4 running so that I can prepare myself for the new NAT statements and the migration from 8.0(2) to 8.4(2).

Here are the steps to get it working. All links to any images or keys are removed for legal reasons. Once it's gone, it's gone.

1. Download the ASA 8.4 files for GNS3 from the following address

I am afraid you will have to search Google for reputable sources to get the ASA842 firewall image. Please don't ask here for the image.

2. Configure GNS3 as follows (I am using version 0.8.2 Beta 2; I also tested 8.3 with Windows 7 64-bit, which worked without any issues). Type the settings below into the relevant fields.

 

Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
 
Configure the paths for Initrd and Kernel to where you have extracted the files.

3. Once the firewall is up and running, use the following activation keys

Again, the activation keys are in the public domain, so find them using your search capabilities.

 

It will take a while (10-15 min) to accept the second activation key and will take the same time at first reboot.

That's all done and we have a working firewall to play with.

 

 

Now if you want to run two ASAs, you will have to change the Qemu options on the second firewall as below

Qemu Options: -vnc :2 none -vga none -m 1024 -icount auto -hdachs 980,16,32

 

Troubleshooting:

Please check the comments at the end of the post, where you will find different ways to resolve any issues you face. Especially helpful are the comments from GD, which are detailed below

 

Download and install the latest version of GNS3 0.8.2. After that, download the Qemu 0.13.0 patched 32-bit binary for Windows from
 
 
Copy and replace all downloaded qemu files and folders with existing qemu files and folders under GNS3 folder.

 

After you have ASA running in GNS and want to play with ASDM, here is the guide to follow

http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/

 

and if you want to connect two GNS3 networks running on two different PCs, use following

http://www.xerunetworks.com/2012/03/connect-gns3-network-to-real-networks-other-gns3-network/

I have posted a lab guide for migrating NAT from 8.2 to 8.3/8.4, which is still a work in progress but already has a lot of material in it

http://www.xerunetworks.com/2012/03/asa-8384-nat-migration-lab-guide/

349 comments


  1. gogi100

    i have configured asa8.4.2 with asdm 6.4.1 in gns3. my problem is when i start putty often my putty is blocked. why?

    1. gogi100

      also, i can't start asdm 6.4.1. i installed it but it doesn't work. why?

  2. Nikola

     
    Hi,

    I have followed your instructions, and ASA is working fine EXCEPT one huge problem. I am not able to connect her with any other device except other ASA. So, if i can connect ASA-ASA Everything is fine, but if i want this topology ASA-ROUTER, ping is not working, ARP table is empty. Interfaces are same in both  topologies…. Anyone have this problem ?
     

    1. xerunetworks

      I had suggested the following for someone else having a similar issue. Give it a try first, and let us know if it works
      ‘Well, try two things: first, assign the security level of the interface which is connected to R1 to 100 and apply an ACL on the interface allowing IP any any; this will make sure no security restriction is stopping packets. Also try saving the project and starting the devices again; I found sometimes it doesn't ping on the first topology start. One more thing you can do is to capture packets on the link (right click on the link between ASA and R1 and select capture), do the ping again after the capture and see if you can find any packets travelling over the link in Wireshark’

    2. GD

      Hi
      Give interface name inside it will change security level to 100 and do not connect router and ASA interface directly (means using manual options in gns3) you must use switch if you want to connect Router with ASA
      Router—————–Switch——————–ASA  
      I’m using Routers and ASA together without any issue

      1. Nikola

         
        Hi,

        First, thanks for your help. I have tried the following:

        1) security level 100, nameif inside, acl

        2) saving the project and then restarting it.

        3) using switch between asa and router.

        4) I entered " icmp permit any inside "

        Nothing works. I have some clues:
        ARP table on ASA is empty, ARP table on router for ASA is in Incomplete state, MAC table on switch sees only the router interface MAC address, ASA and router are sending ARP but do not receive any reply, if I write static ARP entries on router and ASA nothing happens, ICMP packets are sent from ASA and from router but the other side doesn't see them. Switch doesn't see ASA….
        🙁 

  3. ChickenMusket

    This worked great, thank you. I'm using Ubuntu 11.04, 64bit. GNS3 0.8.2 and patched qemus to 0.11.0. It's been a long hard struggle (starting as knowing nothing of Linux), but worth it as Windows 7 is inferior to Ubuntu in handling GNS3.
    I'm another guy who can't get the vlans working. I'm also puzzled as to why it recognizes the interfaces as gigabit ethernet interfaces when it should be fast ethernet.
    Interface                  IP-Address      OK? Method Status                Protocol
    GigabitEthernet0           unassigned      YES unset  administratively down up  
    GigabitEthernet1           unassigned      YES unset  administratively down up  
    GigabitEthernet2           unassigned      YES unset  administratively down up  
    GigabitEthernet3           unassigned      YES unset  administratively down up  
    GigabitEthernet4           unassigned      YES unset  administratively down up  
    GigabitEthernet5           unassigned      YES unset  administratively down up
    These are supposed to be layer 2 interfaces. You assign them to vlans and assign addresses to the vlan, right? But it doesn't recognize…
    CCNAS-ASA(config)# interface vlan 1
                                                       ^
    ERROR: % Invalid input detected at '^' marker.

     
     

    1. xerunetworks

       

      First, the 5520 has Gigabit interfaces. Second, you don't need to create any VLAN on the ASA. VLANs work with the ASA in two ways
       
      1. You assign a switch interface to a VLAN, connect this interface to an ASA interface, and that's it. If the ASA interface is assigned an IP from the subnet that's being used in that VLAN, then it will work as is. No more configuration is required on the ASA.
       
      Switch-Interface Fa0/1 (VLAN2)———–>ASA-Int Gi0
       
      2. You configure a switchport as trunk link, and configure subinterface on ASA for each VLAN
       
      interface GigabitEthernet0/1
       description Test
       speed 1000
       duplex full
       no nameif
       no security-level
       no ip address
      !
      interface GigabitEthernet0/1.5
       description VLAN5
       vlan 5
       nameif VLAN5
       security-level 90
       ip address 192.168.5.1 255.255.255.0 standby 192.168.5.2
      !
      interface GigabitEthernet0/1.6
       description VLAN 6
       shutdown
       vlan 6
       nameif VLAN6
       security-level 60
       ip address 192.168.6.1 255.255.255.0 standby 192.168.6.2
       
      Also, keep in mind you will have to configure a different VLAN as native on the trunk if you want to use VLAN1 on ASA
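
An added example, not part of the reply above or the original post: a small Python check for the trunk sub-interface layout described in that reply. It collects each interface's settings and flags sub-interfaces that are shutdown or that use VLAN 1, which per the reply needs a different native VLAN on the trunk. The function names and the VLAN 1 stanza in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the sub-interface layout from the reply above, trimmed,
# plus a hypothetical VLAN 1 sub-interface to exercise the native-VLAN caveat.
SAMPLE = """\
interface GigabitEthernet0/1
 no nameif
!
interface GigabitEthernet0/1.5
 vlan 5
 nameif VLAN5
 security-level 90
!
interface GigabitEthernet0/1.6
 shutdown
 vlan 6
 nameif VLAN6
 security-level 60
!
interface GigabitEthernet0/1.1
 vlan 1
 nameif VLAN1
"""

def parse_interfaces(config):
    """Return {interface name: {keyword: value}} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        words = line.split()
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            if words and words[0] != "no":   # "no nameif" means the setting is absent
                current[words[0]] = " ".join(words[1:]) or True
        else:
            current = None                   # "!" or a top-level command ends the stanza
    return stanzas

def audit_trunk(config):
    """Return (sub-interface, finding) pairs for the two cases named above."""
    findings = []
    for name, cfg in parse_interfaces(config).items():
        # Only names with a ".N" suffix are sub-interfaces on a trunk.
        if "." in name and cfg.get("vlan") == "1":
            findings.append((name, "VLAN 1: trunk needs a different native VLAN"))
        if "." in name and "shutdown" in cfg:
            findings.append((name, "sub-interface is shutdown"))
    return findings
```

Running `audit_trunk` on a saved `show running-config` from the lab reports the VLAN 6 sub-interface as shutdown, the same state it has in the configuration quoted in the reply.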
       
      1. ChickenMusket

        Thank you malikyounas.
        For the sake of the labs we're doing, we have to have this vlan thing functioning. The ASA on this page works beautifully besides this vlan issue.  Then an ASA I found somewhere else, works with vlans, but doesn't have other functionality required.
        I've been at this for hours, tried many things, searched for many hours, but no luck, yet.

  4. virat

    hey i got a problem with activation.
    everytime i add new asa in the gns i need to activate that asa which is taking too much time.
    please give me some solution….

    1. xerunetworks

      You need to keep in mind that whenever you drop a new ASA on GNS3, it's a new device from scratch and needs activation. What you should do is detailed below
      1. Create a base topology with 2-3 firewalls on it and save it for using as startup of every project
      2. Use the supplied keys to activate the devices the first time, (Note: it will take time to activate), then use the ‘wr’ command, save the project and reload the firewalls one by one.
      3. It will take time to re-start, but once started, save the project, wr the config again and that’s it.
      4. Now, you can use ‘save as’ option and use it for some new topology you want to work at. Remove the unneeded firewalls if you just need one.

  5. Steve

    Hi, I'm really not sure what you mean by your sentence below. I should extract the files and copy them over the files that were part of the original install, correct? I did it this way, but it seemed like older files were overwriting newer files.
    Copy and replace all downloaded qemu files and folders with existing qemu files and folders under GNS3 folder.
     
    Thank you!
    Steve

    1. xerunetworks

      This tip was offered by a user GD and you will find his comments in the section where he detailed the whole process, but anyway what he means is that you install GNS3 first (all-in-one install) and then overwrite with the patched Qemu

      1. Steve

        I am getting the "Error: lost communication with qemuwrapper server 127.0.0.1  It may have crashed. Check the qemuwrapper server output " Issue.
        1. How do you check the qemuwrapper server output?
        2. I don't see a good answer to this question on this page. I see that Harold has asked, but I saw no response to him.
        Thank you for the quick responses.
        Steve

  6. Vikas

    For those having console problems…

    TRY TO CHANGE memory from 1024 to 512… (RAM: 512 MiB and -m 512)

    It worked for me.

  7. SK

    Thank you very much for this post.. It is very helpful.

  8. Gregor

    Hi Guys,
    I installed asa and everything was good. Then I read that I should update qemu to 0.13 patched. After that asa does not work.
    Did you update that ???
    Regards

    1. xerunetworks

      Rule #1: If it's working, don't touch it
      Nope, it worked for me without the update; you can still reinstall it though

  9. Gaurav Sood

    Thanks for this awesome post.
    The only issue I am facing is that the ASA is not able to ping the device connected to it.
    Example
    ASA(g0)———–(f0/0)R1
    From ASA we are not able to ping R1.
    I have installed it over linux(Kubuntu).
    Any thoughts or ideas ?
     

    1. xerunetworks

      Well, try two things: first, assign the security level of the interface which is connected to R1 to 100 and apply an ACL on the interface allowing IP any any; this will make sure no security restriction is stopping packets. Also try saving the project and starting the devices again; I found sometimes it doesn't ping on the first topology start. One more thing you can do is to capture packets on the link (right click on the link between ASA and R1 and select capture), do the ping again after the capture and see if you can find any packets travelling over the link in Wireshark

  10. Muhammad

    Hi All,
    I am having the console either terminating or just sitting there not doing anything.  Only running a single ASA 842 with nothing connected.  My environment is Windows Vista Home Basic, 2GB RAM.  It looks like something is blocking the execution as I have had problems starting Dynamips as well.  Anyone who has experienced something similar, please share the fix or workaround (Note: I was able to work dynamips in an XP virtual machine, but so far this is not working there as well).
    Thanks.

    1. Muhammad

      Just to update.  My problem is resolved for now.  The following worked for me:
      Disable IPv6 protocol on my network adapter (Thanks to http://forum.gns3.net/topic834.html)
      However, if it doesn't work for you then please note the following additional actions that I have taken for preventive reasons:
      1. Re-install GNS3 0.8.2
      2. Run GNS3 with Administrative privileges (I assume most people are doing that anyways)
      BTW I have not used the QEMU 0.13 patched version yet.  Will do that and see if it still works or breaks it.
      However, in this installation of GNS3 my dynamips wouldn't start, which was working when I installed it last time, but that is a separate issue.
      Keep up the good work malikyounas!

      1. xerunetworks

        Thanks for the update, it will really help a lot. This post is based on forums either on GNS3 or 7200emu.hacki.at/viewtopic.php?t=9074 and was posted just to write down whatever worked for me, but it seems to be helping others as well. I will actually add another section with the troubleshooting steps that you guys suggested for various Windows versions.
