Mar 05

ASA 8.4 with ASDM on GNS3 – Step by Step Guide

This post details how to connect to an ASA firewall in GNS3 using ASDM. You will establish the ASDM session from your own machine, so we will build a connection (bridge) between GNS3 and the PC. The same connection is needed first to copy the ASDM image to the firewall via TFTP.

1. Follow the relevant guide to add a loopback adapter to Windows 7 or Windows XP.

Windows 7:
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/259c7ef2-3770-4212-8fca-c58936979851

Windows XP:
http://support.microsoft.com/kb/839013

2. Restart your PC

3. Follow this guide about how to configure ASA 8.4(2) for GNS3.

http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/

4. Start a new project in GNS3 and drag and drop an ASA (8.4) firewall onto the topology.

5. Drag and drop a Cloud object from the panel on the left onto the topology and right-click it. Select 'Configure', then select 'C1' or whatever the object is named.

6. Now, as per the following diagram, select the loopback adapter that you added in step 1.

7. After selecting it, add the adapter as per the following and press OK.

8. Drop an Ethernet switch onto the topology. If you don't do this and try drawing a direct connection between the firewall and the cloud, GNS3 will come up with an error saying 'Devices does not support this type of NIO. Use an ETHSW to bridge the connection to the NIO Instead.'

9. Connect both the cloud and the firewall to the switch as follows.

10. Now start all devices in GNS3 and use the following commands on the firewall to give it an IP address.

ciscoasa# config t
ciscoasa(config)# int gigabitEthernet 0
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# no shut

11. Now go back to Windows 7 and open 'Network and Sharing Centre', click on 'Change adapter settings' and change the IP address of the loopback adapter as follows.

12. You will have to turn off your PC firewall, as you will be copying ASDM to the ASA firewall. If you don't know how to do this, stop studying networking, or stop the Windows Firewall Service or, if that doesn't work, then the Base Filtering Service.

13. Now your PC is ready to talk to the firewall, so let's try.

ciscoasa# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
ciscoasa#

14. OK, now the next step is to copy ASDM to the firewall. If you already have a TFTP server installed, cool; otherwise download and start this TFTP application from the following website:

http://tftpd32.jounin.net/tftpd32_download.html

15. Download ASDM from the Cisco website or any other dodgy source you have. I have ASDM 6.4(7) downloaded.

16. In the TFTP application, browse to the folder where you have downloaded ASDM.

17. On the firewall, use the following command to download the ASDM image over TFTP.

ciscoasa# copy tftp flash
Address or name of remote host []? 10.10.10.2
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
Accessing tftp://10.10.10.2/asdm-647.bin…!!!!!!!!!!!!!!!!!!!!
———–Output Omitted—————–
Writing current ASDM file disk0:/asdm-647.bin
!!!!!!!!!!!!!!!!!!!!
———–Output Omitted—————–
17902288 bytes copied in 56.500 secs (319683 bytes/sec)
ciscoasa#

18. Set the firewall to load the ASDM image at the next reboot, and also identify the management station's IP address.

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
2  4096        Mar 05 2012 13:40:42  log
9  4096        Mar 05 2012 13:40:47  coredumpinfo
10  59          Mar 05 2012 13:40:47  coredumpinfo/coredump.cfg
11  196         Mar 05 2012 13:40:47  upgrade_startup_errors_201203051340.log
12  17902288    Mar 05 2012 14:00:48  asdm-647.bin

268136448 bytes total (250191872 bytes free)
ciscoasa# config t
ciscoasa(config)# asdm image flash:asdm-647.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.10.10.2 255.255.255.255 management
ciscoasa(config)# username cisco password cisco privilege 15

19. Use the 'wr' command to save the configuration, then reload the firewall using the 'reload' command.

20. Launch your browser and go to https://10.10.10.1 (disable the proxy if you are using one).

21. Download and install the ASDM app from the page you browsed to.

22. Launch the ASDM and here you go
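As a check on the management access configured in steps 10 and 18, here is an added example (not part of the original post and not Cisco tooling) that audits typed ASA commands for how widely ASDM/HTTPS access is opened and for a password identical to its username. SAMPLE_CONFIG is constructed from the commands in those steps; the `audit` function and its finding codes are names invented for this example.

```python
import ipaddress
import re

# Constructed sample: the commands typed in steps 10 and 18 of this guide.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0
 nameif management
asdm image flash:asdm-647.bin
http server enable
http 10.10.10.2 255.255.255.255 management
username cisco password cisco privilege 15
"""

HTTP_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)( encrypted)?")


def audit(config):
    """Return (code, detail) findings for ASDM/HTTPS management access."""
    lines = [ln.strip() for ln in config.splitlines()]
    nameifs = {ln.split()[1] for ln in lines if ln.startswith("nameif ")}
    findings, rules = [], 0
    for ln in lines:
        http = HTTP_RE.match(ln)
        user = USER_RE.match(ln)
        if http:
            rules += 1
            try:
                net = ipaddress.ip_network(f"{http[1]}/{http[2]}", strict=False)
            except ValueError:
                findings.append(("HTTP_BAD_ADDRESS", ln))
                continue
            if net.prefixlen == 0:          # 0.0.0.0 0.0.0.0: any source
                findings.append(("HTTP_ANY_SOURCE", ln))
            elif net.prefixlen < 32:        # whole subnet instead of one host
                findings.append(("HTTP_WHOLE_SUBNET", ln))
            if http[3] not in nameifs:      # rule bound to an undefined nameif
                findings.append(("HTTP_UNKNOWN_INTERFACE", ln))
        elif user and not user[3] and user[1].lower() == user[2].lower():
            # Cleartext password typed identical to the username.
            findings.append(("PASSWORD_EQUALS_USERNAME", user[1]))
    if "http server enable" in lines and rules == 0:
        findings.append(("HTTP_NO_ALLOWED_SOURCE", "http server enable"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

In 'show run' output the password appears hashed and followed by the keyword 'encrypted', so the username check applies only to commands as typed, for example in a lab build script.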

 
You can follow the post below if you want to connect two GNS3 instances on two different PCs together, or to connect an external device on a physical network to the GNS3 network.

You can use the following lab guide for NAT migration from pre-ASA 8.2 to 8.4.
 

150 comments


  1. Learner

    I am a newbie to GNS3 and have set up an ASA lab. I am unable to ping any of the ASA and Router interfaces from the PC with the loopback adapter. I have disabled the firewall on my PC, but still no rescue. Please help me on how to access the ASA and Router from the PC.

    My configuration is as follows. I have tried to apply access-list 101 in every manner to the ASA, but no help.

    PC loopback IP address: 10.10.10.2
    Netmask: 255.255.255.0

    ———————————————-
    ASA configuration is as follows.

    ASA(config)# show run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname ASA
    enable password **************** encrypted
    names
    !
    interface Ethernet0/0
    nameif Inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet0/1
    nameif Outside
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    !
    passwd **************** encrypted
    boot config disk0:/.private/startup-config
    ftp mode passive
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    pager lines 24
    mtu Inside 1500
    mtu Outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    static (Inside,Outside) 192.168.1.0 10.10.10.0 netmask 255.255.255.0
    access-group 101 in interface Inside
    access-group 101 out interface Inside
    access-group 101 in interface Outside
    access-group 101 out interface Outside
    !
    router rip
    network 10.0.0.0
    network 192.168.1.0
    default-information originate
    version 2
    no auto-summary
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    prompt hostname context
    Cryptochecksum:*******************************
    : end

    ASA(config)# show rip database

    0.0.0.0 0.0.0.0 auto-summary
    0.0.0.0 0.0.0.0 redistributed
    [0] via 0.0.0.0,
    10.0.0.0 255.0.0.0 auto-summary
    10.10.10.0 255.255.255.0 directly connected, Ethernet0/0
    192.168.1.0 255.255.255.0 auto-summary
    192.168.1.0 255.255.255.0 directly connected, Ethernet0/1

    ———————————————-
    Router configuration is as follows.

    Router# show run
    Building configuration…

    Current configuration : 900 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name lab.local
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 192.168.1.2 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    router rip
    version 2
    network 192.168.1.0
    default-information originate
    no auto-summary
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    login
    !
    !
    end

    Router#show ip rip database
    0.0.0.0/0 auto-summary
    0.0.0.0/0
    [1] via 192.168.1.1, 00:01:40, FastEthernet0/0
    10.0.0.0/8 auto-summary
    10.10.10.0/24
    [1] via 192.168.1.1, 00:01:40, FastEthernet0/0
    192.168.1.0/24 auto-summary
    192.168.1.0/24 directly connected, FastEthernet0/0

  2. krish

    I am stuck at step 12. Not able to ping the firewall from the PC.
    I have disabled Windows Firewall. Disabled Kaspersky. Tried Base Filtering Service.
    I have the GNS3 VirtualBox edition. PC OS: Windows 7

    ciscoasa(config)# ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    Please help me out..

  3. krish

    I properly did steps 1 to 11 that you mentioned above, but when I try to ping 10.10.10.2 from the ASA it's not pinging.
    I checked the firewall status and the Base Filtering status.

  4. javalogicuser

    ASAD, that just means that since the ASA is powered on and the interface is up, you won’t be able to add any links to the device. Stop your ASA and try to add the link again.

  5. Ciscoloon

    https://supportforums.cisco.com/docs/DOC-15016

  6. Herlander

    I'd like to have someone give me an answer to my question. I'm reading a lot of comments from people saying that they were able to make ASA 8.4 work on Windows 7 64-bit, but I'm getting the same error message "lina_bigphysarea_size: open /proc/bigphysarea failed, error 2". I've tried on 3 different PCs running Windows 7 64-bit; none were successful. But I tried once on a PC with Windows XP Pro and it works with no problem.

  7. ASAD

    I have just installed ASA in GNS3 properly, but when I connect the ASA to a switch interface it gives me the Dynamips error "qemuwrapper doesn't support hot link add".
    Could anyone tell me about the problem?

    Thanks

    1. Mr.T

      Turn off your ASA, add the link and turn it on again.

  8. Iam

    Thanks a lot… and Windows firewall was causing the ping error from ASA to cloud (PC)… works great… hope it doesn’t crash…!!!

  9. syed

    Ah… took two days, then finally QEMU CRASH: AHH
    QEMU keeps crashing when I launch ASDM, help????
