Monday, May 21 2018

How to emulate Cisco ASA 8.4 firewall with GNS3 1.x

In this blog post, I will demonstrate how to emulate a Cisco ASA 8.4 firewall with GNS3 1.x and the QEMU emulator.
In this procedure, I’ll be using the following binary IOS images:

->    asa842-k8.bin
->    asdm-645-206.bin

Get the required IOS Binary Images:

You can copy these from a Cisco hardware ASA device using the following commands:

> enable
# copy flash: tftp:
– When prompted, enter the name of the file to send to the TFTP server.
– Enter the TFTP server’s IP address.
– Just press Enter to copy it with the same name.

– Use the same procedure for both binary images.
Otherwise, you can download them from the Cisco website using a registered, authorized account.

Unpack the IOS Images:

To use these binary images with GNS3, we need to unpack the ASA IOS binary image “asa842-k8.bin”. I’ll use a script developed by a user “dmz” from the 7200emu.hacki forum. You can download the script from the link given below:
Download repack.v4.sh

– Copy the downloaded script “repack.v4.sh.gz” and the “asa842-k8.bin” binary IOS image to a Linux instance. I’ll be using CentOS 7.

– I have placed both files in the /usr/local/src directory.

# cd /usr/local/src
# gunzip repack.v4.sh.gz
# chmod +x repack.v4.sh

Keep in mind that the script and the IOS binary image must be in the SAME DIRECTORY!
# ./repack.v4.sh asa842-k8.bin
– Now let it finish. It will generate the following files:

asa842-vmlinuz – extracted kernel
asa842-initrd-original.gz – original extracted initrd
asa842-initrd.gz – patched initrd

– Of these, we need:

asa842-vmlinuz – extracted kernel
asa842-initrd.gz – patched initrd

– Copy these two files to the GNS3 images directory.

NOTE:  If you get the following error:

# ./repack.v4.sh asa842-k8.bin
Repack script version: 4
which: no xxd in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
which: no mkisofs in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
ERROR: xxd command not found

Solution:      Install the ‘vim’ or ‘vim-enhanced’ package to get xxd:
     # yum install vim -y
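
The unpack step can fail in three ways described above: a missing helper tool, the script and image sitting in different directories, and missing or damaged output files. The shell checks below are an added example, not part of the original post or of repack.v4.sh; the function names, the REQUIRED_TOOLS variable, the preflight.sh file name and the gzip test on the initrd are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of repack.v4.sh. Function names, REQUIRED_TOOLS and
# the file name preflight.sh are hypothetical. The error output above names
# only xxd as fatal; append mkisofs (also probed by the script) if needed.
REQUIRED_TOOLS="${REQUIRED_TOOLS:-xxd}"

# Print every required tool that is not on PATH; return 1 if any is missing.
missing_tools() {
    local tool rc=0
    for tool in $REQUIRED_TOOLS; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool"
            rc=1
        fi
    done
    return "$rc"
}

# The script and the image must both exist and sit in the same directory.
same_directory() {
    local script_dir image_dir
    [ -f "$1" ] && [ -f "$2" ] || return 1
    script_dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    image_dir=$(cd "$(dirname "$2")" && pwd -P) || return 1
    [ "$script_dir" = "$image_dir" ]
}

# After the run: the two files GNS3 needs must exist and be non-empty, and the
# initrd must be an intact gzip stream (assumed from its .gz name).
verify_outputs() {
    local dir="$1" base="$2"
    [ -s "$dir/$base-vmlinuz" ] || { echo "no kernel: $base-vmlinuz"; return 1; }
    [ -s "$dir/$base-initrd.gz" ] || { echo "no initrd: $base-initrd.gz"; return 1; }
    gzip -t "$dir/$base-initrd.gz" 2>/dev/null || { echo "corrupt initrd"; return 1; }
    # Digests to compare against the copies placed in the GNS3 images directory.
    ( cd "$dir" && sha256sum "$base-vmlinuz" "$base-initrd.gz" )
}

# Usage: ./preflight.sh check  ./repack.v4.sh ./asa842-k8.bin   (before the run)
#        ./preflight.sh verify . asa842                         (after the run)
case "${1:-}" in
    check)  missing_tools && same_directory "$2" "$3" && echo "ready" ;;
    verify) verify_outputs "$2" "$3" ;;
esac
```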

Configure GNS3 to use ASA Firewall in topologies:

– Go to:

Edit   >   Preferences

– On the Preferences window, click:
“QEMU VMs”   >   “New”
Add:
– Name:     Any name for the ASA device; I’ll use “ASA1”.
– Select “ASA 8.4(2)” from the drop-down menu.

Next:
– Assign RAM for ASA Device.

Next:
– Browse to the “asa842-initrd.gz” file for the “Initial RAM disk” option.
– Browse to the “asa842-vmlinuz” file for the “Kernel Image” option.

Finish.

– Create a new topology, drag the ASA1 icon to the workspace and build a topology. I’ll create a topology with two ASA firewalls and one VirtualBox XP VM connected via an Ethernet switch, as shown below:

Add ASDM image to ASAs in topology:

– Start the first ASA device.
– Open its console.
– Assign the ASA interface an IP address on the same network as the XP VirtualBox instance; in my scenario, it is the 10.0.0.0/24 network.

> enable
– Just press Enter when asked for “Password”, as none is set.
# configure terminal
# show int ip brief                //Show the present interfaces.
# interface g0                     //I’ve connected the g0 interface to the switch.
# no shutdown
# ip address 10.0.0.1 255.255.255.0    //Assign an IP to the g0 interface.
# nameif inside                    //Assign this interface to the “Inside” network of the firewall.
– Start a TFTP server on the XP VirtualBox instance. I’m using TFTP64.exe; it is free and awesome. Start it and copy the “asdm-645-206.bin” file to the root of the TFTP server; the path should be shown on its screen.
– Copy ASDM into the ASA firewall in GNS3:
# ping 10.0.0.5                    //Ping to confirm the ASA firewall can reach the TFTP server on the XP instance.
# copy tftp: flash:
– When prompted, enter the TFTP server IP, 10.0.0.5.
– Enter the file name to copy, asdm-645-206.bin.
– Just press Enter to save it with the same file name.
– The copy will start.
– Enable the HTTPS server on the ASA firewall so it can be accessed from the Inside network:
# configure terminal
# http server enable               //Enable HTTP/S server.
# http 0 0 inside                  //Allow HTTP/S access from any host on the Inside network interface.
– Access ASDM from the XP VirtualBox instance:
https://10.0.0.1
– Just select “OK” when asked for user credentials, as we’ve not configured any user on the ASA yet.

– Done.

About Muhammad Attique