Pages

Monday, 16 June 2014

Emulating a Cisco ASA Firewall in GNS3 and QEMU





Download and install GNS3 (http://www.gns3.net/download/) and QEMU (http://www.gns3.net/qemu/), it is important you properly install GNS3 and not just run the .exe from the download location. The suggested location on x64 Windows 8.1 would be C:\Program Files\GNS. In order for a Cisco ASA Firewall to work you must also extract and copy the QEMU files to a writable location (ideally C:\Program Files\GNS\QEMU) for consistency. 

Open GNS3, and click Edit and Preferences….


Click Qemu and remain on the General Settings tab. You must now point GNS3 to the correct locations for the QEMU engine, if you have installed GNS3 and QEMU as suggested above your interface settings should look like mine below. This directs GNS3 to C:\Program Files\GNS\QEMU to run the qemu.exe.

I have found if the QEMU paths are not set properly you will receive the following error when you try to launch an ASA instance:-
ASA1: lost communication with server 127.0.0.1:10525

Therefore the first thing to check would be that GNS3 is pointing to a qemu.exe that actually exists.



Click on the ASA tab, select ASA 8.4(2) from the PreConfiguration drop down, the Identifier Name should also be set to asa842, although you can get away with less RAM (512MB) it is my recommendation to give an ASA 8.4(2) at least 1GB, NIC's again are dependant on what you want to do with the ASA, 6 in this example. The NIC model e1000 is a fair standard model of vnic.
Qemu Options: -vnc :2 none -vga none -m 1024 -icount auto -hdachs 980,16,32 (:2 allows you to run two instances simultaneously, this number can be increased. If you only required 1 instance remove :2 completely).

Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
Click Save.
Now return to the GNS3 console and click the Cisco router icon from the left hand menu, the option to drag an ASA should now be possible, drag an ASA instance on to the canvise. Right click on the ASA instance and select Start, if the device has started successfully the light will highlight green in the botton right hand corner.

Now you may want to interface this virtual firewall with other VM's running on your computer or on your network, this can be done using a number of built in GNS3 components and Virtual Box. In GNS3 create the topology as shown below, the switch is required as you cannot connect a firewall interface directly to the cloud in GNS3 for some reason.

Install Virtual Box on the device and assign a static IP to the Virtual Box Host-Only Network Adapter.


Now return to GNS3 and right click on the cloud object and select Configure, then click on Cx and from the Generic Ethernet NIO (Administrator or root access required) drop down select the host only adapter installed by Virtual Box. Click Add then the adapter should show in the list of network adapters. Click Apply and OK to continue.



Now open a console connection to the virtual ASA, and assign an IP address in the same subnet as the host only adapter to the interface of the ASA connected to the cloud (via the switch).

en
config t
int gi0
ip address 196.100.10.2 255.255.255.0
no shut
nameif mgmt


From the host device you should now be able to ping the virtual ASA, on IP 196.100.10.2/24, click [link] for a tutorial on configuring the ASA to allow ASDM access.

 Post Update 30/09/2014 - Creating a FLASH for Emulated Cisco ASA

When you try and TFTP an Operating System to the GNS3 ASA you receive the following error "%Error Copying TFTP://10.20.1.2/asdm-649.bin (Not Enough Space on Device)" this is because the emulated ASA does not get preconfigured with a FLASH disk.


You have to use the QEMU-IMG.exe to generate a FLASH file that can be associated with the ASA. To do this change directory to C:\Program Files\GNS3\QEMU and use the following command to generate a FLASH file;

qemu-img.exe create FLASH 512M

This creates a 512MB flash file in the C:\Program Files\GNS3\QEMU directory.


The next step is to copy the FLASH file into the current ASA saved directory.


Now if you reload the ASA and use the following command;

show flash

You will notice that the ASA now has 512MB's of available space to save operating system images.