
Mar 05

ASA 8.4 with ASDM on GNS3 – Step by Step Guide

This post details how to connect to an ASA firewall in GNS3 using ASDM. You will establish the ASDM session from your machine to GNS3, so we will build a connection (bridge) between GNS3 and the PC. This connection is also needed because you first have to copy ASDM to the firewall via TFTP.

1. Follow this guide on how to add a loopback adapter to Windows 7 or Windows XP
Windows 7
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/259c7ef2-3770-4212-8fca-c58936979851

Windows XP
http://support.microsoft.com/kb/839013

2. Restart your PC

3. Follow this guide about how to configure ASA 8.4(2) for GNS3.

http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/

4. Start a new project in GNS3 and drag and drop an ASA (8.4) firewall onto the topology.

5. Drag and drop a Cloud object from the panel on the left onto the topology and right-click it. Select 'Configure'. Select 'C1' or whatever the object is named.

6. Now as per following diagram select the loopback adapter that you added in step 1.

7. After selecting it, add the adapter as per the following and press OK.

8. Drop an Ethernet switch onto the topology. If you don't do this and try drawing a direct connection between the firewall and the Cloud, it will come up with an error saying 'Devices does not support this type of NIO. Use an ETHSW to bridge the connection to the NIO Instead.'

9. Connect both Cloud and Firewall to the Switch as following

10. Now start all devices in GNS3 and use the following commands on the firewall to give it an IP address.

ciscoasa# config t
ciscoasa(config)# int gigabitEthernet 0
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# no shut

11. Now go back to Windows 7 and open 'Network and Sharing Centre', click on 'Change adapter settings' and change the IP address of the loopback adapter as per the following.

12. You will have to turn off your PC firewall, as you will be copying ASDM to the ASA firewall. If you don't know how, stop studying networking, or stop the Windows Firewall service or, if that doesn't work, the Base Filtering Service.

13. Now your PC is ready to talk to the firewall. Let's try.

ciscoasa# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/20 ms
ciscoasa#

14. OK, now the next step is to copy ASDM to the firewall. If you already have a TFTP server installed, cool; otherwise download and start this TFTP application from the following website:

http://tftpd32.jounin.net/tftpd32_download.html

15. Download ASDM from the Cisco website or any other dodgy source you have. I have ASDM 6.4(7) downloaded.

16. In the TFTP application, browse to the folder where you have downloaded ASDM.

17. On the firewall, use the following command to download the ASDM image via TFTP.

ciscoasa# copy tftp flash
Address or name of remote host []? 10.10.10.2
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
Accessing tftp://10.10.10.2/asdm-647.bin…!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-----------Output Omitted-----------------
Writing current ASDM file disk0:/asdm-647.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-----------Output Omitted-----------------
17902288 bytes copied in 56.500 secs (319683 bytes/sec)
ciscoasa#

18. Set the firewall to load ASDM at the next reboot and also identify the management station's IP address.

ciscoasa# sh flash
--#--  --length--  -----date/time------  path
2  4096        Mar 05 2012 13:40:42  log
9  4096        Mar 05 2012 13:40:47  coredumpinfo
10  59          Mar 05 2012 13:40:47  coredumpinfo/coredump.cfg
11  196         Mar 05 2012 13:40:47  upgrade_startup_errors_201203051340.log
12  17902288    Mar 05 2012 14:00:48  asdm-647.bin

268136448 bytes total (250191872 bytes free)
ciscoasa# config t
ciscoasa(config)# asdm image flash:asdm-647.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.10.10.2 255.255.255.255 management
ciscoasa(config)# username cisco password cisco privilege 15

19. Use the 'wr' command and then reload the firewall using the 'reload' command.

20. Launch your browser and go to https://10.10.10.1 (Disable Proxy if you are using any)

21. Download and Install ASDM App from website you browsed to.

22. Launch the ASDM and here you go
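
The access lines from step 18 (which host may reach ASDM, and with which account) can be checked mechanically before the same commands are reused outside a lab. The following is an added example, not part of the original post: a small Python audit of the commands as typed in steps 10 and 18. The function name, the finding codes and the OPEN_CONFIG variant are constructed for illustration; `aaa authentication http console` is an ASA command that the guide itself does not use.

```python
import ipaddress
import re

# Commands as typed in steps 10 and 18 of the guide.
GUIDE_CONFIG = """\
int gigabitEthernet 0
 ip address 10.10.10.1 255.255.255.0
 nameif management
 no shut
asdm image flash:asdm-647.bin
http server enable
http 10.10.10.2 255.255.255.255 management
username cisco password cisco privilege 15
"""
# Constructed variant for contrast (not from the guide): any source address allowed.
OPEN_CONFIG = GUIDE_CONFIG.replace("http 10.10.10.2 255.255.255.255", "http 0.0.0.0 0.0.0.0")

HTTP_ACL = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
USER = re.compile(r"^username (\S+) password (\S+)(?: (encrypted))?", re.I)


def audit_asdm_access(config_text):
    """Return (code, detail) findings for ASDM/HTTPS management access."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "http server enable" not in lines:
        return findings  # HTTPS server is off, so ASDM is not reachable
    for ln in lines:
        m = HTTP_ACL.match(ln)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.prefixlen == 0:
                findings.append(("HTTP_ANY", f"any host may connect on {m.group(3)}"))
            elif net.num_addresses > 1:
                findings.append(("HTTP_WIDE", f"{net} ({net.num_addresses} addresses) on {m.group(3)}"))
        m = USER.match(ln)
        # Only a password typed in clear can be compared; a saved config stores a hash.
        if m and not m.group(3) and m.group(1).lower() == m.group(2).lower():
            findings.append(("WEAK_PASSWORD", f"user {m.group(1)}: password equals username"))
    if not any(ln.startswith("aaa authentication http console") for ln in lines):
        findings.append(("NO_HTTP_AAA", "no 'aaa authentication http console' line"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_CONFIG), ("open", OPEN_CONFIG)):
        for code, detail in audit_asdm_access(cfg):
            print(f"{name}: {code}: {detail}")
```

The guide's `http 10.10.10.2 255.255.255.255 management` line passes the source-address check because it names a single host; the findings on the guide's commands come from the `cisco`/`cisco` account and the absence of an HTTP AAA line.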

 
You can follow the post below if you want to connect two GNS3 instances on two different PCs together, or to connect an external device on a physical network to the GNS3 network.
 
You can use the following lab guide for NAT migration from pre-ASA 8.2 to 8.4.
 

150 comments


  1. Malik

    tried with hub but still the same no response 🙁

  2. Pawlos

    POl

    When I disable my firewall the ping works;
    Try it

  3. elohquiel

    to everyone having trouble getting PING replies back, there is a bug that’s preventing GNS3’s Ethernet switch from passing the frames along (at least on GNS 0.8.4-RC3)

    you can test this out by adding a router to the topology as well. have the router connect directly to the cloud (loopback adapter) and setup the ip address 10.10.10.1. if that router can ping your loopback address (10.10.10.2), then you know something in between is messed up. connect the router to the Ethernet Switch’s port 2 and have the cloud (loopback) connect to the ethernet switch’s port 1. try to ping again (you’ll fail).

    !!! SOLUTION !!!

    Use the Ethernet Hub instead (it passes the frames along).
    ASA1# ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    !!!!!

  4. Malik

    Followed all above mentioned procedure and steps. But ASA is not pinging MS loopback and vice versa. Any help. When I install a router between cloud and ASA instead of ethernet switch I can ping from ASA to MS loopback. I also copied the asdm file through tftp but I can not access asdm through web. Your help will be really highly appreciated.

    1. gary

      Malik Sasay

  5. krish

    ciscoasa# ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    ???????

    1. Jake

      You can try to connect your cloud to your physical NIC port. Assign the ASA interface to your NIC port. Try to ping your IP address using another laptop.

    2. RIcardo

      I was having the same problem as you. In Linux I do not have problems, but in Windows 7, hell yeah. I deactivated my AVG firewall; after that I remembered that I was sharing my connection to the loopback, so I quit sharing. After that I was able to communicate, but I was expecting to communicate with the exterior, so I remembered that the antivirus creates a socket, protocol or filter in the loopback and the real interfaces. So I unchecked the antivirus in the properties box of the interfaces, I left on VMware stuff and turned off firewall/antivirus, and everything is working like a charm.

      Hope this will help you.

  6. Abhishek Arora

    Hi, can you please explain how to go about saving the ASA configuration file? There are a few methods available on the internet, but I would really appreciate it if you can provide the one which has worked.

  7. Phi

    Netbee,

    On step 21 did you install the ASDM? If you did try running ASDM instead. I also had problems installing the ASDM, it might be a compatibility problem between the JAVA and ASDM version.

    Phi

    1. netbee

      Hi, Thanks for reply. I got it working.

      1. Malik

        Firewall > Ethernet Switch > MS Loopback does not respond or work, but Firewall > Router > MS Loopback does work and I’m also able to run ASDM. I tried all the steps, but the firewall does not respond when I connect the firewall through the Ethernet Switch.

        1. Phi

          Hi Malik

          It’s been awhile working with GNS but I’ll see what I can do.
          So first of all, is everything working with the router set up? As for the switch set up, you cannot ping ASA or copy the ASDM? If the configurations were the same on the ASA firewall when you got it working with the router, then try the following:

          -if you haven’t already, disable PC firewall and check (leave it disabled for now just in case it is a problem)
          -double check if you are using the Ethernet switch and not one of the other 3 switches in GNS
          -usually not the problem, but check and make sure the ASA is not seeing the inside network as outside
          -try the set up again in a new GNS file

          If it’s still not working, just give me more details on the problem, such as are you using the same ASA model and the exact set up as above, what OS the PC is using, what works and doesn’t work, etc.

  8. Netbee

    Thanks for putting this up. Was very helpful. I got almost everything set up, I can ping PC from ASA and vice versa. Can install asdm launcher as well but my ASDM launcher will not connect to asa. It’s stuck in phase that connecting device please wait and doesn’t go any further.

    I am running windows 7 64 bit OS. Tried disabling windows firewall etc but it didn’t make any difference.

  9. Khanh Phạm

    ciscoasa# ping 10.10.10.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
    ???????

    1. Thood Villalobos

      REMEMBER RESET YOUR pc.
