{"id":478,"date":"2017-07-01T16:53:00","date_gmt":"2017-07-01T16:53:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=478"},"modified":"2024-11-17T17:07:47","modified_gmt":"2024-11-17T17:07:47","slug":"478","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/478\/","title":{"rendered":"Deploying the ASAv using GNS3 and Integrating it with the Physical Network"},"content":{"rendered":"

GNS3 has been around for a while and is a fantastic tool to virtually create labs and test out Cisco technology, as it has evolved GNS3 has become better at providing support for many new devices. In older versions of GNS3 \u2013 running an ASA was very CPU intensive as the image used was initially something taken from a physical device, this caused multiple problems and the results always varied. Running multiple instance was also a problem unless the VM you were running GNS on, was a beast.<\/p>\n

As Cisco released the virtual version of the ASA (ASAv) its compatibility became limitless and the GNS team were able to integrate the support of this device which works brilliantly.<\/p>\n

Currently the ASAv is available to deploy using VMware ESXI, Hyper V and as a Qemu image.<\/p>\n

In this step by step guide, we will deploy a Cisco ASAv in GNS3. We will walk through the process of getting it working correctly within the GNS3 environment. We will configure the device with basic management capability and install ASDM on a PC to be able to access and manage the device. We will then take it a step further and integrate it to the physical network.<\/p>\n

The topology below has been setup using GNS3, the PC is a Windows VM running in VMware workstation \u2013 the VMnet(5) is assigned to the\u00a0\u201c192.168.5.0\/24\u201d\u00a0network. Inside GNS3 the\u00a0\u201cGig0\/0\u201d interface of the ASAv will be connected to a Cloud bridged to the same VMnet(5) so that they are on the same broadcast domain. The internet represents the physical network which then routes out to the real internet, this will also be bridged but to the logical adaptor of the GNS3 VM and then bridged again to the physical adaptor of the host.<\/p>\n

<\/p>\n

 <\/p>\n

GNS3 is running version\u00a0\u201c2.0.2\u201d\u00a0of both the application and VM, which is the latest version at this time.<\/p>\n

<\/p>\n

Lets begin\u2026<\/p>\n

Import and Prepare the ASAv<\/strong><\/p>\n

Step 1:<\/strong>\u00a0From the Cisco website download the Qemu image for the ASAv, this will be the following file:\u00a0\u201casav971-1.qcow2\u201d<\/p>\n

https:\/\/software.cisco.com\/download\/release.html?mdfid=286119613&flowid=&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest<\/a><\/p>\n

You will need a service contract to download the file.<\/p>\n

<\/p>\n

<\/p>\n

Step 2:<\/strong>\u00a0Navigate to\u00a0https:\/\/www.gns3.com\/marketplace\/appliances<\/a>, search for\u00a0\u201cASAv\u201d\u00a0and<\/p>\n

download the ASAv template for GNS3.<\/p>\n

<\/p>\n

<\/p>\n

<\/p>\n

Step 3:<\/strong>\u00a0From GNS3 click\u00a0\u201cFile-Import appliance\u201d<\/p>\n

<\/p>\n

Step 4:<\/strong>\u00a0Navigate to the previously downloaded file and click\u00a0\u201cOpen\u201d<\/p>\n

<\/p>\n

Step 5:<\/strong>\u00a0At the Wizard verify the correct appliance is listed with the following details as shown below, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 6:<\/strong>\u00a0The only options for running the appliance will be on the GNS3 VM, click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 7:<\/strong>\u00a0Once the requirements have been checked click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 8:<\/strong>\u00a0GNS3 will automatically look for the Qemu image file and inform you if it is present, as this file is already in the same folder as the appliance this shouldn\u2019t be a problem. Ignore the additional status for\u00a0\u201cmissing files\u201d\u00a0this is informing that the other versions listed for the ASAv are not present. Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 9:<\/strong>\u00a0At the prompt to install the Cisco ASAv click\u00a0\u201cYes\u201d<\/p>\n

<\/p>\n

GNS3 will upload the Qemu file to the VM and install the ASAv<\/p>\n

<\/p>\n

Step 10:<\/strong>\u00a0At the Qemu binary page, leave the default and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 11:<\/strong>\u00a0At the summary page click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 12:<\/strong>\u00a0The wizard will display the following information \u2013\u00a0\u201cThere is no default password and enable password\u201d. Also note that the device will boot twice as part of the sequence, which is normal and expected. Click\u00a0\u201cFinish\u201d\u00a0to close the wizard<\/p>\n

<\/p>\n

Step 13:<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0to close the notification<\/p>\n

<\/p>\n

The ASAv should now be displayed in the left hand pane as a usable device.<\/p>\n

<\/p>\n

Step 14:<\/strong>\u00a0Now that the device has been imported, we will need to configure a few additional steps to allow the device to work with our environment. By default, the serial port on the ASAv appliance is disabled, we will need to enable this to be able to use a terminal application software like putty.<\/p>\n

Click\u00a0\u201cEdit-Preferences\u201d<\/p>\n

<\/p>\n

Step 15:<\/strong>\u00a0Navigate to\u00a0\u201cQemu VMs\u201d, select the ASAv and click\u00a0\u201cEdit\u201d<\/p>\n

<\/p>\n

Step 16:<\/strong>\u00a0Click on the\u00a0\u201cAdvanced Settings\u201d\u00a0tab and untick\u00a0\u201cUse as a linked base VM\u201d. (this will be switched back on later) This will allow us to create a working base template to our preference and then save it as a master so that every time we bring out an ASAv into our project it will inherit the settings of the master.<\/p>\n

<\/p>\n

Step 17:<\/strong>\u00a0Click\u00a0\u201cGeneral Settings\u201d\u00a0and select\u00a0\u201cVNC\u201d\u00a0as the console type. (this will be switched back to telnet later) Click\u00a0\u201cOK\u201d\u00a0to save the changes and close the window.<\/p>\n

<\/p>\n

Step 18:<\/strong>\u00a0On the GNS3 Workspace click and drag out the ASAv, right click the device and click\u00a0\u201cStart\u201d<\/p>\n

<\/p>\n

As the device fires up, it will launch using VNC, select the first option and let the device go through boot process.<\/p>\n

<\/p>\n

The device will power cycle two times as mentioned earlier.<\/p>\n

<\/p>\n

The device will now show the\u00a0\u201cciscoasa>\u201d\u00a0prompt, this indicates the ASAv is ready, Type\u00a0\u201cEnable\u201d\u00a0and hit enter, the device has no password set.<\/p>\n

<\/p>\n

Step 19:<\/strong>\u00a0Lets configure the device to use serial as its method of connection, to do this we need to create a file inside the flash called\u00a0\u201cuse_ttyS0\u201d\u00a0The easiest way to add this is to clone the existing \\coredumpinfo\\coredump.cfg file and rename it.<\/p>\n

#conf t<\/p>\n

#cd coredumpinfo<\/p>\n

#copy coredump.cfg disk0:\/use_ttyS0\u00a0\u2013 (S=Snooping, 0 = Zero)<\/p>\n

<\/p>\n

Step 20:<\/strong>\u00a0Verify the file has been created and exists in the file system.<\/p>\n

#dir disk0:\/<\/p>\n

As we can see below\u00a0\u201cuse_ttyS0\u201d\u00a0is present, now we need to reboot the ASAv \u2013<\/p>\n

#reload\u00a0(there is no need to save the config)<\/p>\n

<\/p>\n

Once the device reboots, it should halt at and display\u00a0\u201cLina to use serial port \/dev\/ttyS0 for console IO\u201d, indicating its transferred the interactive control to the serial port.<\/p>\n

<\/p>\n

Step 21:<\/strong>\u00a0It\u2019s now time to change the console from\u00a0\u201cVNC\u201d\u00a0back to\u00a0\u201cTelnet\u201d\u00a0and lock the ASAv so this becomes the master template. This way we don\u2019t have to re-configure the serial port each time we bring out a new ASAv.. Power off the ASAv by right clicking and selecting\u00a0\u201cStop\u201d.<\/p>\n

<\/p>\n

Step 22:<\/strong>\u00a0Delete the ASAv from the project by right clicking the device and selecting\u00a0\u201cDelete\u201d<\/p>\n

<\/p>\n

Step 23<\/strong>: \u00a0From GNS3, Click\u00a0\u201cEdit-Preferences\u201d<\/p>\n

<\/p>\n

Step 24:<\/strong>\u00a0Select\u00a0\u201cQemu VMs\u201d, select the ASAv and click\u00a0\u201cEdit\u201d<\/p>\n

<\/p>\n

Step 25:<\/strong>\u00a0From the\u00a0\u201cGeneral Settings\u201d\u00a0tab, under\u00a0\u201cConsole type\u201d\u00a0select\u00a0\u201ctelnet\u201d<\/p>\n

<\/p>\n

Step 26:<\/strong>\u00a0Click the\u00a0\u201cAdvanced\u201d\u00a0tab, and tick\u00a0\u201cUse as a linked base VM\u201d\u00a0and click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Step 27:<\/strong>\u00a0Create a new project, save it and drag out a new ASAv. Right click the device and select\u00a0\u201cStart\u201d<\/p>\n

<\/p>\n

Double click the device to bring up a console session, this should now open with Putty, (the screen may appear blank for up to 30 seconds, this is normal) once the device boots up the\u00a0\u201cciscoasa>\u201d\u00a0prompt will be displayed.<\/p>\n

As the device is not yet licensed it will keep prompting this \u2013 every few minutes, this is not a major issue as we can still use it in a lab environment to test out different features. The only restriction this device will have is on the throughput which is capped at 100Kbps, and up to 100 maximum connections.<\/p>\n

<\/p>\n

Step 28:<\/strong>\u00a0let\u2019s take a look at the spec and features of the device as it is and also without a valid licence \u2013<\/p>\n

#show version<\/p>\n

We can see the following from the output \u2013<\/p>\n

The ASA version is 9.7(1)<\/p>\n

The Firepower version is 2.1(1.66)<\/p>\n

The ASDM Version is 7.7(1)<\/p>\n

We can see the device spec in terms of hardware<\/p>\n

The device has 8 Gigabit Ports<\/p>\n

The platform is unlicensed is capable of using the following features:<\/p>\n

10 Total interfaces<\/p>\n

Maximum of 50 VLANs<\/p>\n

Unlimited Inside Hosts<\/p>\n

Active\/Standby Failover<\/p>\n

2 VPN Any connect<\/p>\n

250 VPN peers<\/p>\n

Botnet Traffic Filter<\/p>\n

<\/p>\n

Configure Basic Management Capability & install ASDM<\/strong><\/p>\n

Step 1:<\/strong>\u00a0in order to manage the ASAv using ASDM we would need to gain management access to the device, to do this we can either configure the\u00a0\u201cManagment0\/0\u201d\u00a0interface if we have a dedicated management VLAN (which could be bridged to a VMnet, if inside VMWare) or any other interface that will be assigned to the\u00a0\u201cInside Zone\u201d<\/p>\n

In this example we will use\u00a0\u201cGig0\/0\u201d\u00a0as this will be assigned to the\u00a0\u201cInside\u201d\u00a0zone.<\/p>\n

#enable<\/p>\n

#conf t<\/p>\n

#interface gig0\/0<\/p>\n

#ip address 192.168.5.254 255.255.255.0<\/p>\n

#no shut<\/p>\n

#nameif Inside<\/p>\n

#exit<\/p>\n

<\/p>\n

Step 2:<\/strong>\u00a0From the\u00a0\u201cPC\u201d\u00a0ping the interface\u00a0\u201cGig0\/0\u201d\u00a0interface<\/p>\n

<\/p>\n

Step 3:<\/strong>\u00a0Enable https access to the device to allow ASDM to connect to it from the\u00a0\u201cInside\u201d\u00a0zone<\/p>\n

#https server enable<\/p>\n

#http 192.168.5.0 255.255.255.0 Inside<\/p>\n

#wri me \u2013 save the changes<\/p>\n

<\/p>\n

Step 4:<\/strong>\u00a0from the\u00a0\u201cPC\u201d\u00a0Launch a browser and navigate to\u00a0https:\/\/192.168.5.254<\/a>, Click\u00a0\u201cContinue to this webpage (not recommended)\u201d. The device is using a self-signed certificate therefore the browser will not trust this.<\/p>\n

<\/p>\n

Step 5:<\/strong>\u00a0We should now be presented with the Cisco ASDM page, click\u00a0\u201cInstall ASDM Launcher\u201d\u00a0to download the asdm installer (a prerequisite for the ASDM launcher is to ensure you have the latest version of\u00a0\u201cJava Runtime Environment\u201d)<\/p>\n

<\/p>\n

Step 6:<\/strong>\u00a0Run the installer, At the Wizard Click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 7:<\/strong>\u00a0Leave the default installation directory and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 8:<\/strong>\u00a0Click\u00a0\u201cInstall\u201d<\/p>\n

<\/p>\n

Step 9:<\/strong>\u00a0At the UAC prompt click\u00a0\u201cYes\u201d<\/p>\n

<\/p>\n

The installation will begin.<\/p>\n

<\/p>\n

Step 10:<\/strong>\u00a0Click\u00a0\u201cFinish\u201d\u00a0to close the wizard<\/p>\n

<\/p>\n

Step 11:<\/strong>\u00a0ASDM should load automatically, if it doesn\u2019t \u2013 launch it from the start menu. Insert the IP of the ASAv\u2019s Inside interface and click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Step 12:<\/strong>\u00a0At the security warning, click\u00a0\u201cContinue\u201d<\/p>\n

<\/p>\n

ASDM will load<\/p>\n

<\/p>\n

ASAv Licence prompt will be displayed, click\u00a0\u201cOK\u201d\u00a0to close<\/p>\n

<\/p>\n

Step 13:<\/strong>\u00a0Once ASDM opens we should see the full GUI management interface as shown below.<\/p>\n

<\/p>\n

Integrate the ASAv to the physical network<\/strong><\/p>\n

Now that we have setup the ASAv with full management capability from both ASDM and the CLI, we can pretty much start configuring the firewall. As an additional step Lets configure the ASAv\u2019s outside interface and integrate it to our local LAN, which routes out to the internet. Remember we do not have NAT configured so the\u00a0\u201cPC\u201d\u00a0won\u2019t be able to get out, Ill cover NAT on a separate post, but as for the ASAv, we should be able to reach the physical network and the internet using its outside interface.<\/p>\n

There are several ways of integrating GNS3 devices into the physical network, we could use a loopback interface and bind it to a physical adaptor to share the internet connection or we could simply create additional NIC interfaces on our GNS3 VM and allocate those to\u00a0\u201cVMNets\u201d\u00a0within VMware \u2013 this method has been the most reliable in my opinion and connectivity is pretty solid without any drops in traffic. Whereas using the loopback can cause basic connectivity issues which can result in hours of troubleshooting.<\/p>\n

Step 1.<\/strong>\u00a0 Lets bind the physical adaptor of the host to the logical VMNet. Launch VMWare workstation and select\u00a0\u201cEdit\u201d\u00a0and\u00a0\u201cVirtual Network Editor\u201d<\/p>\n

<\/p>\n

Step 2:<\/strong>\u00a0as we can see from the list of networks,\u00a0\u201cVMNet0\u201d\u00a0isn\u2019t being displayed, this is usually the logical adaptor that binds to the physical adaptor, to view and edit this, click\u00a0\u201cChange Settings\u201d<\/p>\n

<\/p>\n

Step 3:<\/strong>\u00a0Click\u00a0\u201cYes\u201d\u00a0to Accept the UAC prompt<\/p>\n

<\/p>\n

Step 4:<\/strong>\u00a0Select\u00a0\u201cVMNet0\u201d\u00a0and allocate it to the physical adapter of your choice, this will be the adapter that connects to the physical network. In this case I have used the\u00a0\u201cWi-Fi\u201d\u00a0adapter. Click\u00a0\u201cOK\u201d<\/p>\n

<\/p>\n

Step 5:<\/strong>\u00a0Now we need to create a new NIC on the GNS3 VM and allocate it to\u00a0\u201cVMNet0\u201d, right click the\u00a0\u201cGNS3 VM\u201d\u00a0and select\u00a0\u201cSettings\u201d<\/p>\n

<\/p>\n

Step 6:<\/strong>\u00a0Under the\u00a0\u201cHardware\u201d\u00a0tab, click\u00a0\u201cAdd\u201d<\/p>\n

<\/p>\n

Step 7:<\/strong>\u00a0Click\u00a0\u201cYes\u201d\u00a0at the UAC prompt<\/p>\n

<\/p>\n

Step 8:<\/strong>\u00a0Select\u00a0\u201cNetwork Adapter\u201d\u00a0and click\u00a0\u201cNext\u201d<\/p>\n

<\/p>\n

Step 9:<\/strong>\u00a0Select\u00a0\u201cCustom: Specific virtual network\u201d\u00a0and select\u00a0\u201cVMNet0\u201d\u00a0from the list. Tick\u00a0\u201cConnect at power on\u201d\u00a0and click\u00a0\u201cFinish\u201d<\/p>\n

<\/p>\n

Step 10:<\/strong>\u00a0Click\u00a0\u201cOK\u201d\u00a0to close the window.<\/p>\n

<\/p>\n

Step 11:<\/strong>\u00a0GNS3 will need to be closed and re-opened for the changes to be visible, save the changes on the ASAv using\u00a0\u201cWrite Memory\u201d, save the project, close GNS3 and re-launch the application.<\/p>\n

Once the project has been re-opened and devices powered up, drag a new\u00a0\u201cCloud\u201d\u00a0from the left hand pane onto the workspace.<\/p>\n

<\/p>\n

Step 12:<\/strong>\u00a0At the prompt for where to run the\u00a0\u201cCloud\u201d\u00a0from, Select the\u00a0\u201cGNS3 VM\u201d<\/p>\n

<\/p>\n

Step 13:<\/strong>\u00a0Using the link tool connect the ASAv\u2019s\u00a0\u201cGig0\/1\u201d\u00a0interface to the\u00a0\u201cCloud\u201d\u00a0which is the newly created interface on the\u00a0\u201cGNS3 VM\u201d\u00a0in this case its\u00a0\u201cEth1\u201d\u00a0(Eth0 belongs to the GNS3 VM itself)<\/p>\n

<\/p>\n

<\/p>\n

Step 14:<\/strong>\u00a0On the ASAv configure the\u00a0\u201cOutside\u201d\u00a0interface<\/p>\n

#conf t<\/p>\n

#int gig0\/1<\/p>\n

#ip address 192.168.0.254 255.255.255.0<\/p>\n

#no shut<\/p>\n

#nameif Outside<\/p>\n

#exit<\/p>\n

<\/p>\n

Step 15:<\/strong>\u00a0From the host machine, (while connected to the physical network) test the\u00a0\u201cOutside\u201d\u00a0IP address of the ASAv is reachable. As we are connected to the physical network using\u00a0\u201cWi-Fi\u201d\u00a0we should be able to reach the IP as it\u2019s on the same broadcast domain.<\/p>\n

<\/p>\n

Step 16:<\/strong>\u00a0If we ping from the ASAv using the\u00a0\u201cOutside\u201d\u00a0interface we should be able to reach the real default gateway on the physical network.<\/p>\n

#ping outside 192.168.0.1<\/p>\n

<\/p>\n

Step 17:<\/strong>\u00a0At this moment if we try and ping out to the internet, we wouldn\u2019t be successful. And the reason for this is \u2013 we don\u2019t have a default gateway\/default route configured for the ASAv<\/p>\n

#ping Outside 8.8.8.8<\/p>\n

<\/p>\n

Step 18:<\/strong>\u00a0Lets give the ASAv a default route<\/p>\n

#route Outside 0.0.0.0 0.0.0.0 192.168.0.1<\/p>\n

<\/p>\n

Step 19:<\/strong>\u00a0We should now be able to ping 8.8.8.8 successfully<\/p>\n

#ping Outside 8.8.8.8<\/p>\n

<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

GNS3 has been around for a while and is a fantastic tool to virtually create labs and test out Cisco technology, as it has evolved<\/p>\n","protected":false},"author":1,"featured_media":555,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,6],"tags":[59,60,57,62,61,63],"class_list":["post-478","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco-firewall","category-security","tag-asav","tag-asdm","tag-cisco-asa","tag-gns3","tag-virtual-firewall","tag-vmware-workstation"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=478"}],"version-history":[{"count":3,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions"}],"predecessor-version":[{"id":558,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/478\/revisions\/558"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/555"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}