ASAv in GNS3 VM PDF

17/4/2020 Deploying the ASAv using GNS3 and Integrating it with the Physical Network – Jay Miah
Deploying the ASAv using GNS3 and Integrating it

with the Physical Network
By Jay | July 1, 2017 0 Comment
GNS3 has been around for a while and is a fantastic tool to virtually create labs and test out Cisco technology, as it
has evolved GNS3 has become better at providing support for many new devices. In older versions of GNS3 –
running an ASA was very CPU intensive as the image used was initially something taken from a physical device, this
caused multiple problems and the results always varied. Running multiple instance was also a problem unless the
VM you were running GNS on, was a beast.
As Cisco released the virtual version of the ASA (ASAv) its compatibility became limitless and the GNS team were
able to integrate the support of this device which works brilliantly.
Currently the ASAv is available to deploy using VMware ESXI, Hyper V and as a Qemu image.
In this step by step guide, we will deploy a Cisco ASAv in GNS3. We will walk through the process of getting it
working correctly within the GNS3 environment. We will con gure the device with basic management capability
and install ASDM on a PC to be able to access and manage the device. We will then take it a step further and
integrate it to the physical network.
The topology below has been setup using GNS3, the PC is a Windows VM running in VMware workstation – the
VMnet(5) is assigned to the “192.168.5.0/24” network. Inside GNS3 the “Gig0/0” interface of the ASAv will be
connected to a Cloud bridged to the same VMnet(5) so that they are on the same broadcast domain. The internet
represents the physical network which then routes out to the real internet, this will also be bridged but to the
logical adaptor of the GNS3 VM and then bridged again to the physical adaptor of the host.
www.jay-miah.co.uk/deploying-the-asav-using-gns3-and-integrating-it-with-the-physical-network/ 1/49
GNS3 is running version “2.0.2” of both the application and VM, which is the latest version at this time.
Lets begin…
Import and Prepare the ASAv
Step 1: From the Cisco website download the Qemu image for the ASAv, this will be the following le: “asav971-
1.qcow2”
https://software.cisco.com/download/release.html?
md d=286119613& owid=&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=late
st
You will need a service contract to download the le.
Step 2: Navigate to https://www.gns3.com/marketplace/appliances, search for “ASAv” and
download the ASAv template for GNS3.
Step 3: From GNS3 click “File-Import appliance”
Step 4: Navigate to the previously downloaded le and click “Open”
Step 5: At the Wizard verify the correct appliance is listed with the following details as shown below, click “Next”
Step 6: The only options for running the appliance will be on the GNS3 VM, click “Next”
Step 7: Once the requirements have been checked click “Next”
Step 8: GNS3 will automatically look for the Qemu image le and inform you if it is present, as this le is already in
the same folder as the appliance this shouldn’t be a problem. Ignore the additional status for “missing les” this is
informing that the other versions listed for the ASAv are not present. Click “Next”
Step 9: At the prompt to install the Cisco ASAv click “Yes”
GNS3 will upload the Qemu le to the VM and install the ASAv
Step 10: At the Qemu binary page, leave the default and click “Next”
Step 11: At the summary page click “Next”
Step 12: The wizard will display the following information – “There is no default password and enable password”.
Also note that the device will boot twice as part of the sequence, which is normal and expected. Click “Finish” to
close the wizard
Step 13: Click “OK” to close the noti cation
The ASAv should now be displayed in the left hand pane as a usable device.
Step 14: Now that the device has been imported, we will need to con gure a few additional steps to allow the
device to work with our environment. By default, the serial port on the ASAv appliance is disabled, we will need to
enable this to be able to use a terminal application software like putty.
Click “Edit-Preferences”
Step 15: Navigate to “Qemu VMs”, select the ASAv and click “Edit”
Step 16: Click on the “Advanced Settings” tab and untick “Use as a linked base VM”. (this will be switched back on
later) This will allow us to create a working base template to our preference and then save it as a master so that
every time we bring out an ASAv into our project it will inherit the settings of the master.
Step 17: Click “General Settings” and select “VNC” as the console type. (this will be switched back to telnet later)
Click “OK” to save the changes and close the window.
Step 18: On the GNS3 Workspace click and drag out the ASAv, right click the device and click “Start”
As the device res up, it will launch using VNC, select the rst option and let the device go through boot process.

The device will power cycle two times as mentioned earlier.
The device will now show the “ciscoasa>” prompt, this indicates the ASAv is ready, Type “Enable” and hit enter, the
device has no password set.
Step 19: Lets con gure the device to use serial as its method of connection, to do this we need to create a le
inside the ash called “use_ttyS0” The easiest way to add this is to clone the existing
\coredumpinfo\coredump.cfg le and rename it.
#conf t
#cd coredumpinfo
#copy coredump.cfg disk0:/use_ttyS0 – (S=Snooping, 0 = Zero)
Step 20: Verify the le has been created and exists in the le system.
#dir disk0:/
As we can see below “use_ttyS0” is present, now we need to reboot the ASAv –
#reload (there is no need to save the con g)
Once the device reboots, it should halt at and display “Lina to use serial port /dev/ttyS0 for console IO”, indicating
its transferred the interactive control to the serial port.
Step 21: It’s now time to change the console from “VNC” back to “Telnet” and lock the ASAv so this becomes the
master template. This way we don’t have to re-con gure the serial port each time we bring out a new ASAv.. Power
o the ASAv by right clicking and selecting “Stop”.
Step 22: Delete the ASAv from the project by right clicking the device and selecting “Delete”
Step 23: From GNS3, Click “Edit-Preferences”
Step 24: Select “Qemu VMs”, select the ASAv and click “Edit”
Step 25: From the “General Settings” tab, under “Console type” select “telnet”
Step 26: Click the “Advanced” tab, and tick “Use as a linked base VM” and click “OK”
Step 27: Create a new project, save it and drag out a new ASAv. Right click the device and select “Start”
Double click the device to bring up a console session, this should now open with Putty, (the screen may appear
blank for up to 30 seconds, this is normal) once the device boots up the “ciscoasa>” prompt will be displayed.
As the device is not yet licensed it will keep prompting this – every few minutes, this is not a major issue as we can
still use it in a lab environment to test out di erent features. The only restriction this device will have is on the
throughput which is capped at 100Kbps, and up to 100 maximum connections.
Step 28: let’s take a look at the spec and features of the device as it is and also without a valid licence –
#show version
We can see the following from the output –
The ASA version is 9.7(1)
The Firepower version is 2.1(1.66)
The ASDM Version is 7.7(1)
We can see the device spec in terms of hardware
The device has 8 Gigabit Ports
The platform is unlicensed is capable of using the following features:
10 Total interfaces
Maximum of 50 VLANs
Unlimited Inside Hosts
Active/Standby Failover
2 VPN Any connect
250 VPN peers
Botnet Tra c Filter
Con gure Basic Management Capability & install ASDM
Step 1: in order to manage the ASAv using ASDM we would need to gain management access to the device, to do
this we can either con gure the “Managment0/0” interface if we have a dedicated management VLAN (which
could be bridged to a VMnet, if inside VMWare) or any other interface that will be assigned to the “Inside Zone”
In this example we will use “Gig0/0” as this will be assigned to the “Inside” zone.
#enable
#conf t
#interface gig0/0
#ip address 192.168.5.254 255.255.255.0
#no shut
#nameif Inside
#exit
Step 2: From the “PC” ping the interface “Gig0/0” interface
Step 3: Enable https access to the device to allow ASDM to connect to it from the “Inside” zone
#https server enable
#http 192.168.5.0 255.255.255.0 Inside
#wri me – save the changes
Step 4: from the “PC” Launch a browser and navigate to https://192.168.5.254, Click “Continue to this webpage
(not recommended)”. The device is using a self-signed certi cate therefore the browser will not trust this.
Step 5: We should now be presented with the Cisco ASDM page, click “Install ASDM Launcher” to download the
asdm installer (a prerequisite for the ASDM launcher is to ensure you have the latest version of “Java Runtime
Environment”)
Step 6: Run the installer, At the Wizard Click “Next”
Step 7: Leave the default installation directory and click “Next”
Step 8: Click “Install”
Step 9: At the UAC prompt click “Yes”
The installation will begin.
Step 10: Click “Finish” to close the wizard
Step 11: ASDM should load automatically, if it doesn’t – launch it from the start menu. Insert the IP of the ASAv’s
Inside interface and click “OK”
Step 12: At the security warning, click “Continue”
ASDM will load
ASAv Licence prompt will be displayed, click “OK” to close
Step 13: Once ASDM opens we should see the full GUI management interface as shown below.
Integrate the ASAv to the physical network
Now that we have setup the ASAv with full management capability from both ASDM and the CLI, we can pretty
much start con guring the rewall. As an additional step Lets con gure the ASAv’s outside interface and
integrate it to our local LAN, which routes out to the internet. Remember we do not have NAT con gured so the
“PC” won’t be able to get out, Ill cover NAT on a separate post, but as for the ASAv, we should be able to reach the
physical network and the internet using its outside interface.
There are several ways of integrating GNS3 devices into the physical network, we could use a loopback interface
and bind it to a physical adaptor to share the internet connection or we could simply create additional NIC
interfaces on our GNS3 VM and allocate those to “VMNets” within VMware – this method has been the most
reliable in my opinion and connectivity is pretty solid without any drops in tra c. Whereas using the loopback can
cause basic connectivity issues which can result in hours of troubleshooting.
Step 1. Lets bind the physical adaptor of the host to the logical VMNet. Launch VMWare workstation and select
“Edit” and “Virtual Network Editor”
Step 2: as we can see from the list of networks, “VMNet0” isn’t being displayed, this is usually the logical adaptor
that binds to the physical adaptor, to view and edit this, click “Change Settings”
Step 3: Click “Yes” to Accept the UAC prompt
Step 4: Select “VMNet0” and allocate it to the physical adapter of your choice, this will be the adapter that
connects to the physical network. In this case I have used the “Wi-Fi” adapter. Click “OK”
Step 5: Now we need to create a new NIC on the GNS3 VM and allocate it to “VMNet0”, right click the “GNS3 VM”
and select “Settings”
Step 6: Under the “Hardware” tab, click “Add”
Step 7: Click “Yes” at the UAC prompt
Step 8: Select “Network Adapter” and click “Next”
Step 9: Select “Custom: Speci c virtual network” and select “VMNet0” from the list. Tick “Connect at power on”
and click “Finish”
Step 10: Click “OK” to close the window.
Step 11: GNS3 will need to be closed and re-opened for the changes to be visible, save the changes on the ASAv
using “Write Memory”, save the project, close GNS3 and re-launch the application.
Once the project has been re-opened and devices powered up, drag a new “Cloud” from the left hand pane onto
the workspace.
Step 12: At the prompt for where to run the “Cloud” from, Select the “GNS3 VM”
Step 13: Using the link tool connect the ASAv’s “Gig0/1” interface to the “Cloud” which is the newly created
interface on the “GNS3 VM” in this case its “Eth1” (Eth0 belongs to the GNS3 VM itself)
Step 14: On the ASAv con gure the “Outside” interface
#conf t
#int gig0/1
#ip address 192.168.0.254 255.255.255.0
#no shut
#nameif Outside
#exit
Step 15: From the host machine, (while connected to the physical network) test the “Outside” IP address of the
ASAv is reachable. As we are connected to the physical network using “Wi-Fi” we should be able to reach the IP as
it’s on the same broadcast domain.
Step 16: If we ping from the ASAv using the “Outside” interface we should be able to reach the real default
gateway on the physical network.
#ping outside 192.168.0.1
Step 17: At this moment if we try and ping out to the internet, we wouldn’t be successful. And the reason for this
is – we don’t have a default gateway/default route con gured for the ASAv
#ping Outside 8.8.8.8
Step 18: Lets give the ASAv a default route
#route Outside 0.0.0.0 0.0.0.0 192.168.0.1
Step 19: We should now be able to ping 8.8.8.8 successfully
#ping Outside 8.8.8.8
Category: Cisco Firewall Security Tags: ASAv , ASDM , Cisco ASA , GNS3 , Virtual Firewall , VMware Workstation
Iconic One Theme | Powered by Wordpress

ASAv in GNS3 VM PDF

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

ASAv in GNS3 VM PDF

Загружено:

Авторское право:

Доступные форматы

17/4/2020 Deploying the ASAv using GNS3 and Integrating it with the Physical Network – Jay Miah

Deploying the ASAv using GNS3 and Integrating it

Import and Prepare the ASAv

You will need a service contract to download the le.

Step 2: Navigate to https://www.gns3.com/marketplace/appliances, search for “ASAv” and

download the ASAv template for GNS3.

Step 3: From GNS3 click “File-Import appliance”

Step 4: Navigate to the previously downloaded le and click “Open”

Step 7: Once the requirements have been checked click “Next”

Step 9: At the prompt to install the Cisco ASAv click “Yes”

Step 11: At the summary page click “Next”

Step 13: Click “OK” to close the noti cation

The device will power cycle two times as mentioned earlier.

#copy coredump.cfg disk0:/use_ttyS0 – (S=Snooping, 0 = Zero)

#reload (there is no need to save the con g)

Step 23: From GNS3, Click “Edit-Preferences”

We can see the following from the output –

The ASA version is 9.7(1)

The Firepower version is 2.1(1.66)

The ASDM Version is 7.7(1)

We can see the device spec in terms of hardware

The device has 8 Gigabit Ports

The platform is unlicensed is capable of using the following features:

Unlimited Inside Hosts

2 VPN Any connect

250 VPN peers

Botnet Tra c Filter

Con gure Basic Management Capability & install ASDM

#ip address 192.168.5.254 255.255.255.0

Step 2: From the “PC” ping the interface “Gig0/0” interface

#https server enable

#http 192.168.5.0 255.255.255.0 Inside

#wri me – save the changes

Step 6: Run the installer, At the Wizard Click “Next”

Step 7: Leave the default installation directory and click “Next”

Step 8: Click “Install”

Step 9: At the UAC prompt click “Yes”

The installation will begin.

Step 10: Click “Finish” to close the wizard

Step 12: At the security warning, click “Continue”

ASDM will load

ASAv Licence prompt will be displayed, click “OK” to close

Integrate the ASAv to the physical network

Step 3: Click “Yes” to Accept the UAC prompt

Step 6: Under the “Hardware” tab, click “Add”

Step 7: Click “Yes” at the UAC prompt

Step 8: Select “Network Adapter” and click “Next”

Step 10: Click “OK” to close the window.

Step 14: On the ASAv con gure the “Outside” interface

#ip address 192.168.0.254 255.255.255.0

#ping outside 192.168.0.1

#ping Outside 8.8.8.8

Step 18: Lets give the ASAv a default route

#route Outside 0.0.0.0 0.0.0.0 192.168.0.1

Step 19: We should now be able to ping 8.8.8.8 successfully

#ping Outside 8.8.8.8

Iconic One Theme | Powered by Wordpress

Вам также может понравиться