
Mar 05

ASA 8.4 with ASDM on GNS3 – Step by Step Guide

This post details how to connect to the ASA firewall running in GNS3 using ASDM. You will establish an ASDM session from your PC to the firewall in GNS3, so we will be building a connection (bridge) between GNS3 and the PC. This connection is also needed because you first have to copy the ASDM image to the firewall via TFTP.

1. Follow one of these guides on how to add a loopback adapter to Windows 7 or Windows XP:
Windows 7
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/259c7ef2-3770-4212-8fca-c58936979851

Windows XP
http://support.microsoft.com/kb/839013

2. Restart your PC.

3. Follow this guide on how to configure ASA 8.4(2) for GNS3:

http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/

4. Start a new project in GNS3 and drag/drop an ASA (8.4) firewall onto the topology.

5. Drag/drop the Cloud object from the panel on the left onto the topology and right-click it. Select 'Configure', then select 'C1' (or whatever the object is named).

6. As shown in the following diagram, select the loopback adapter that you added in step 1.

7. Add the adapter as shown, then press OK.

8. Drop an Ethernet switch onto the topology. If you skip this and try to draw a direct connection between the firewall and the cloud, GNS3 returns the error 'Devices does not support this type of NIO. Use an ETHSW to bridge the connection to the NIO instead.'

9. Connect both the cloud and the firewall to the switch as follows.

10. Now start all devices in GNS3 and use the following commands on the firewall to give it an IP address.

ciscoasa# config t
ciscoasa(config)# int gigabitEthernet 0
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# no shut

11. Now go back to Windows 7, open 'Network and Sharing Centre', click 'Change adapter settings', and change the IP address of the loopback adapter as follows (the PC side used in this guide is 10.10.10.2, on the same /24 as the firewall).

12. You will have to turn off the PC firewall, as you will be copying ASDM to the ASA firewall via TFTP. If you don't know how to do this, stop studying networking. Otherwise, stop the Windows Firewall service; if that doesn't work, stop the Base Filtering Engine service as well.

13. Now your PC is ready to talk to the firewall; let's try.

ciscoasa# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
ciscoasa#

14. OK, the next step is to copy ASDM to the firewall. If you already have a TFTP server installed, cool; otherwise download and start the Tftpd32 application from the following website:

http://tftpd32.jounin.net/tftpd32_download.html

15. Download ASDM from the Cisco website or any other dodgy source you have. I have ASDM 6.4(7) downloaded.

16. In the TFTP application, browse to the folder where you downloaded ASDM.

17. On the firewall, use the following command to download the ASDM image via TFTP.

ciscoasa# copy tftp flash
Address or name of remote host []? 10.10.10.2
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
Accessing tftp://10.10.10.2/asdm-647.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-----------Output Omitted-----------------
Writing current ASDM file disk0:/asdm-647.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-----------Output Omitted-----------------
17902288 bytes copied in 56.500 secs (319683 bytes/sec)
ciscoasa#

18. Set the firewall to load the ASDM image at the next reboot, and also identify the management station's IP address.

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
2  4096        Mar 05 2012 13:40:42  log
9  4096        Mar 05 2012 13:40:47  coredumpinfo
10  59          Mar 05 2012 13:40:47  coredumpinfo/coredump.cfg
11  196         Mar 05 2012 13:40:47  upgrade_startup_errors_201203051340.log
12  17902288    Mar 05 2012 14:00:48  asdm-647.bin

268136448 bytes total (250191872 bytes free)
ciscoasa# config t
ciscoasa(config)# asdm image flash:asdm-647.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.10.10.2 255.255.255.255 management
ciscoasa(config)# username cisco password cisco privilege 15
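To make steps 17 and 18 checkable rather than eyeballed, here is an added Python example (it is not from the original post and does not talk to a device) that reads the byte count from the `copy tftp flash` output, parses the `show flash` listing, confirms the image is in flash with a matching size before the `asdm image` command is committed, and generates the management-access lines with the `http` statement restricted to the single management host. The two output strings are constructed from what the post shows; the function names are my own.

```python
import re

# Constructed sample input, modelled on the 'copy tftp flash' and 'show flash'
# output in the post (not captured from a real device).
COPY_OUTPUT = """Writing current ASDM file disk0:/asdm-647.bin
17902288 bytes copied in 56.500 secs (319683 bytes/sec)
ciscoasa#
"""

SHOW_FLASH = """--#--  --length--  -----date/time------  path
2  4096        Mar 05 2012 13:40:42  log
9  4096        Mar 05 2012 13:40:47  coredumpinfo
10  59          Mar 05 2012 13:40:47  coredumpinfo/coredump.cfg
11  196         Mar 05 2012 13:40:47  upgrade_startup_errors_201203051340.log
12  17902288    Mar 05 2012 14:00:48  asdm-647.bin

268136448 bytes total (250191872 bytes free)
"""

# index, length, "Mon DD YYYY HH:MM:SS", path
FLASH_LINE = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")
HTTP_ENTRY = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def bytes_copied(copy_output):
    """Byte count reported at the end of the TFTP transfer, or None if absent."""
    m = re.search(r"^(\d+) bytes copied", copy_output, re.M)
    return int(m.group(1)) if m else None


def parse_show_flash(listing):
    """Map each path in a 'show flash' listing to its length in bytes."""
    files = {}
    for line in listing.splitlines():
        m = FLASH_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files


def verify_image(listing, copy_output, image):
    """Confirm the image exists in flash and its size equals the transferred byte count."""
    files = parse_show_flash(listing)
    if image not in files:
        return False, f"{image} is not present in flash"
    expected = bytes_copied(copy_output)
    if expected is None:
        return False, "no byte count found in the copy output"
    if files[image] != expected:
        return False, f"{image}: flash has {files[image]} bytes, transfer reported {expected}"
    return True, f"{image}: {expected} bytes in flash, matches the transfer"


def asdm_access_config(image, mgmt_host, nameif):
    """The step 18 lines: point ASDM at the image and allow HTTPS from one /32 host only."""
    return [
        f"asdm image flash:{image}",
        "http server enable",
        f"http {mgmt_host} 255.255.255.255 {nameif}",
    ]


def broad_http_entries(config_lines):
    """Return 'http <ip> <mask> <nameif>' lines whose mask is wider than a single host."""
    broad = []
    for line in config_lines:
        m = HTTP_ENTRY.match(line)
        if m and m.group(2) != "255.255.255.255":
            broad.append(line)
    return broad


if __name__ == "__main__":
    ok, msg = verify_image(SHOW_FLASH, COPY_OUTPUT, "asdm-647.bin")
    print(("OK: " if ok else "FAIL: ") + msg)
    if ok:
        for line in asdm_access_config("asdm-647.bin", "10.10.10.2", "management"):
            print(line)
```

Run it as-is and it reports the 17902288-byte match from the post and prints the three config lines; feed it a listing where the size differs (a truncated transfer) and it refuses before you point `asdm image` at a bad file. `broad_http_entries` is the check to run over any `http` lines you add later: in a lab a wide mask is convenient, but the step 18 form above is what a production box should have.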

19. Save with the 'wr' command, then reload the firewall using the 'reload' command.

20. Launch your browser and go to https://10.10.10.1 (disable the proxy if you are using one).

21. Download and install the ASDM launcher from the page you browsed to.

22. Launch ASDM and here you go.

You can follow the post below if you want to connect two GNS3 instances on two different PCs together, or to connect an external device on a physical network to the GNS3 network.

You can use the following lab guide for NAT migration from ASA 8.2 (and earlier) to 8.4.

150 comments


  1. Khanh Phạm

    I've followed the instructions above,
    but I cannot ping the IP address 10.10.10.2.
    Can anyone explain why I cannot ping it?
    Thanks; reply to my mailbox: khanhphv@yahoo.com

    1. Phi

      Try disabling the firewall, or allow GNS3 (or qemu) through the firewall if using Windows.

  2. Marcel

    Hi Phi,

    The global service policy did the trick.
    I did implement something similar, but not similar enough 🙂
    With your example it works like a charm, thanks!

    Kind regards,

    Marcel

  3. rajabu

    Based on the default allow route, the ASA can allow other traffic but not ping; you have to manually allow ping, using access-lists for example.

  4. nirmal

    Hi all,
    I really need help on this. I did exactly as mentioned in this article and I have been trying to get it to work for the last couple of days, but no luck yet.

    Here is my scenario:

    ASA(10.0.0.1) —> Ethernet switch —> cloud

    I have configured the cloud with the MS loopback and I can ping the ASA and vice versa. On the ASA I also configured "http server en, http 10.0.0.0 255.255.255.0 inside" and uploaded asdm-647.bin to flash, then issued the "asdm image flash:// asdm-647.bin" command. After all this, I still get an error when I try to access ASDM via Explorer (http://10.0.0.1): "Internet Explorer cannot display the webpage".

    Here are all the images and OS I used:

    Win 7 (64bit)
    GNS3 all-in-one (8.3.1)

    asa842-initrd

    asa842-vmlinuz

    asdm-647.bin

    Internet Explorer v8 (also tried with v6)

    Java version 6

    I shall be grateful if any of you can help me.

    Thanks

    1. Phi

      Hi nirmal,

      Did you ever get ASDM to work? Try https; it's probably going to work.

      If not,
      - Check if you can ping the ASA gateway (10.0.0.1). If you can't, and everything is set right on the ASA, you might have to add a route on Windows to the 10.0.0.0/24 network.
      Go to the command prompt:
      "route -p add 10.0.0.0 mask 255.255.255.0 10.0.0.1"

      - Unless it's just a typo in the comment, this is the asdm image command: "asdm image flash:/asdm-647.bin"
      - Clear the cache in your browser, type "ipconfig /flushdns" in the command prompt, and try it again
      - Disable the Windows firewall; usually you don't have to, but this one always catches me off guard

      Let me know how it goes.
      Regards,

      Phi

      1. nirmal

        Phi,
        yes, it was solved, and it was a really silly mistake: I didn't realize that enabling http on the ASA actually enables https, unlike on routers.
        Thanks,
        nirmal

  5. james

    Thanks, brilliant stuff. Without your help it would have been impossible.

  6. Marcel

    Hi,

    Thanks for a great guide!
    I have a strange problem. All the steps work for me and I can use ASDM to manage the ASA and create rules, and all seems well.
    But the ASA is not passing any traffic.
    The diagram is as follows:

    R1 ——- ASA ——- R2

    R1 can ping the ASA, R2 can ping the ASA.
    The ASA has rules to allow ip any any on both interfaces (and also icmp any any) but R2 can’t ping R1 or the other way around. They both have the ASA as default gateway.
    With my physical ASA 5505 and similar rules I can get this to work.

    Any ideas what this can be?

    Kind regards,

    Marcel

    1. Phi

      Marcel,

      - The ASA cannot route any packets.
      - A router must be used behind the ASA to achieve routing between the existing network and the newly added network.

      Source:
      http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b7c939.shtml

      1. Phi

        Forget my first reply; I never understood what it meant when it says "ASA cannot route any packets", but I just tried your setup and got it to work. In global config type "same permit inter-interface". Assuming that you configured both interfaces with the same security-level, this command allows traffic through interfaces with the same security level.

        1. Marcel

          Hi,

          I am using same security inter-interface and intra-interface.
          No joy.
          A physical ASA with identical settings does pass the traffic.
          I have read a post that the order of starting the equipment in GNS3 can sometimes help, maybe that is the issue I’m facing?

          Kind regards,

          Marcel

          1. Phi

            Marcel,

            Oh, your setup was with routers (R1/R2); for some reason I was thinking host PCs. Okay, so I tried the setup again with routers this time, and it's the same configuration on the ASA:

            ASA:
            interface GigabitEthernet1
            nameif inside
            security-level 25
            ip address 172.16.1.1 255.255.255.0

            interface GigabitEthernet2
            nameif inside2
            security-level 25
            ip address 172.16.2.1 255.255.255.0

            same-security-traffic permit inter-interface

            # Configure R1 and R2 to have a route to each other.

            R1:
            ip route 172.16.2.0 255.255.255.0 FastEthernet0/0 172.16.1.1
            R2:
            ip route 172.16.1.0 255.255.255.0 FastEthernet0/0 172.16.2.1

            # or a static default route on both

            # If you are configuring different security levels between the two interfaces, you have to configure either inspection (one way, higher to lower security) or an ACL that allows both inbound and outbound traffic (higher to lower, lower to higher security).

            ACL:
            access-list IN/OUT extended permit ip any any
            access-group IN/OUT global

            Inspection:
            class-map inspection_default
            match default-inspection-traffic

            policy-map global_policy
            class inspection_default
            inspect icmp

            service-policy global_policy global

            Good Luck,

            Phi
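As an added example (it is not part of Phi's comment or of the original post), the following Python models the ASA interface security-level rules the comment above describes: it parses the interface stanzas, then reports whether traffic between two named interfaces is allowed by default, needs `same-security-traffic permit inter-interface`, or needs a globally applied ACL. The sample configuration is constructed from the snippet above; the model deliberately ignores per-interface ACLs and inspection, so it covers only the cases the comment lists, and the function names are my own.

```python
import re

# Constructed sample configuration, modelled on the snippet in the comment
# above: two interfaces at security-level 25 plus the same-security command.
SAMPLE_CONFIG = """
interface GigabitEthernet1
 nameif inside
 security-level 25
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet2
 nameif inside2
 security-level 25
 ip address 172.16.2.1 255.255.255.0
!
same-security-traffic permit inter-interface
"""


def parse_interfaces(config):
    """Return {nameif: security-level} for every interface stanza in the config."""
    ifaces = {}
    nameif = level = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = level = None  # new stanza: forget the previous interface's values
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level "):
            level = int(line.split()[1])
        if nameif is not None and level is not None:
            ifaces[nameif] = level
    return ifaces


def same_security_permitted(config):
    """True if traffic between interfaces of equal security level is enabled."""
    pattern = r"^\s*same-security-traffic permit inter-interface\s*$"
    return re.search(pattern, config, re.M) is not None


def global_acl_permits_ip_any(config):
    """True if an extended ACL with 'permit ip any any' is bound by 'access-group <name> global'."""
    for name in re.findall(r"^\s*access-group (\S+) global\s*$", config, re.M):
        acl = rf"^\s*access-list {re.escape(name)} extended permit ip any any\s*$"
        if re.search(acl, config, re.M):
            return True
    return False


def traffic_allowed(config, src, dst):
    """Decide whether traffic entering `src` and leaving `dst` is permitted.

    Simplified ASA rules (per-interface ACLs and inspection are not modelled):
      - equal security levels: only with 'same-security-traffic permit inter-interface'
      - higher -> lower: allowed by default
      - lower -> higher: only if an ACL permits it (here: a global 'permit ip any any')
    """
    ifaces = parse_interfaces(config)
    s, d = ifaces[src], ifaces[dst]
    if s == d:
        if same_security_permitted(config):
            return True, "equal security levels; same-security-traffic permit inter-interface is set"
        return False, "equal security levels; add 'same-security-traffic permit inter-interface'"
    if s > d:
        return True, f"{src} ({s}) to {dst} ({d}) is higher to lower; allowed by default"
    if global_acl_permits_ip_any(config):
        return True, f"{src} ({s}) to {dst} ({d}) is lower to higher; permitted by global ACL"
    return False, f"{src} ({s}) to {dst} ({d}) is lower to higher; needs an ACL that permits it"


if __name__ == "__main__":
    for a, b in (("inside", "inside2"), ("inside2", "inside")):
        ok, why = traffic_allowed(SAMPLE_CONFIG, a, b)
        print(f"{a} -> {b}: {'PERMIT' if ok else 'DENY'} ({why})")
```

With the sample as given, both directions come back PERMIT; delete the `same-security-traffic` line and both flip to DENY with the command named in the reason, which is the situation Marcel describes. Changing one interface to `security-level 0` shows the asymmetric default (higher to lower permitted, the reverse not) until the global ACL from the comment is added.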

  7. Mohamed

    Very good post, thank you very much for this wonderful effort.

  8. vishi

    Pls help, I have configured CSMARS.
    Does the migration tool work with PIX and ASA installed in GNS3?
    ASA is unable to mount disk0.

  9. vishi

    I have installed GNS3 0.8.4.
    OS
    uname -a: Linux cisco-iou 3.2.0-39-generic #62-Ubuntu SMP Thu Feb 28 00:28:53 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

    When I start the ASA it reboots continuously.
