Emulation of cisco asa 8.4 on a Mac

Environment

• Mac OS X 10.7.5
• GNS3 0.8.3.1
• qemu 1.2.0 via MacPorts

ASA 8.4.2 in GNS3

You need a prepared and splitted asa image.

Read the how tos or search for "asa842-initrd.gz asa842-vmlinuz". You will need both when you setup the asa.

• RAM: 1024 MiB
• Number of NICs: 6
• NIC Model: e1000
• Qemu Options: -nographic -cpu coreduo -m 1024 -icount auto -hdachs 980,16,32
• Use KVM: NO
• Initrd: /pathto/asa842-initrd.gz
• Kernel: /pathto/asa842-vmlinuz
• Kernel cmd line: -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 ide1=noprobe no-hlt

GNS3 generates following qemu cli command

/opt/local/bin/qemu-system-i386 \
-name ASA1 \
-m 1024 \
-hda /tmp/ASA1/FLASH \
-kernel /Users/me/Applications/GNS3 Emulation Package/ASA IMAGES/ASA842/asa842-vmlinuz \
-initrd /Users/me/Applications/GNS3 Emulation Package/ASA IMAGES/ASA842/asa842-initrd.gz \
-append -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 ide1=noprobe no-hlt \
-device e1000,mac=00:00:ab:25:64:00 \
-device e1000,mac=00:00:ab:b0:1b:01 \
-device e1000,mac=00:00:ab:93:b2:02 \
-device e1000,mac=00:00:ab:cd:e9:03 \
-device e1000,mac=00:00:ab:2f:f1:04 \
-device e1000,mac=00:00:ab:b6:99:05 \
-serial telnet:127.0.0.1:3001,server,nowait \
-nographic \
-m 1024 \
-icount auto \
-hdachs 980,16,32

Problem

Cause of no-hlt the ASA could not reload correctly!?

drag'n'drop ASA onto your topology, start and open console

$ telnet 127.0.0.1 3001 ; exit
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Initializing cgroup subsys cpu
Linux version 2.6.29.6 (builders@bld-releng-05a) (gcc version 4.3.4 (crosstool-NG-1.5.0) ) #1 PREEMPT Wed Jun 15 17:19:01 MDT 2011
KERNEL supported cpus:
...
device eth4 entered promiscuous mode
device eth5 entered promiscuous mode
Clocksource tsc unstable (delta = 263073931 ns)
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
...
e1000: eth5 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
Initializing partition -  hda: hda1
done!
mkdosfs 2.11 (12 Mar 2005)

System tables written to disk
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
...
msrif: module license 'Cisco Systems, Inc' taints kernel.
msrif module loaded.
grep: /mnt/disk0/.private/startup-config: No such file or directory
...
L4TM: Unknown ASA Model

INFO: Unable to read firewall mode from flash
...
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 
The Running Activation Key is not valid, using default settings:
...
This platform has an ASA 5520 VPN Plus license.

Cisco Adaptive Security Appliance Software Version 8.4(2) 
_le_open: fd:4, name:eth0
...
Copyright (c) 1996-2011 by Cisco Systems, Inc.
...
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201211021905.log'
Type help or '?' for a list of available commands.
ciscoasa> en
Password: 
ciscoasa# 

ciscoasa# show run
: Saved
:
ASA Version 8.4(2) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 shutdown
 no nameif
...
ftp mode passive
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
...
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context 
...
crashinfo save disable
Cryptochecksum:00000000000000000000000000000000
: end

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2) 

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 36 mins 16 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 5254.0012.3456, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.abdc.8200, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab4b.8201, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab7d.d802, irq 0
 4: Ext: GigabitEthernet4    : address is 0000.abea.3d03, irq 0
 5: Ext: GigabitEthernet5    : address is 0000.ab6d.4e04, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 
Configuration register is 0x0
Configuration has not been modified since last system restart.
ciscoasa# 

In case of Problems

1. Quit GNS3
2. kill all running qemu processes
3. Start GNS3
4. Start qemu through GNS3 / Preferences / Qemu / Test Settings
5. drag n drop a ASA
6. Start ASA
7. Quickly open the Console too

• Do not reload the ASA. Instead stop and start qemu

If starting the ASA 8.4 in the GNS3 GUI failed, start it directly on the CLI

Qemu snippits

• '-serial', 'telnet::3001,server,nowait',
• QemuHelp
• Qemu Options: -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
• ps -ael | grep qemu | grep -v grep | grep -v qemuwrapper | awk '{print $2}' | xargs -n1 kill -9 {} kills all qemu processes except the GNS3 wrapper. Because the Stop button in the GNS3 GUI seems not to stop qemu reliable.

activation-key

Search for "activation-key asa842-initrd.gz asa842-vmlinuz"

Qemu seems to reload endless with some common activation-key!

Useful links

• http://7200emu.hacki.at/viewtopic.php?t=9074
• http://7200emu.hacki.at/viewtopic.php?p=33914#33914
• http://twopacket.zymichost.com/2012/01/06/how-to-run-asa-8-42-under-qemu-with-gns3.html
• http://www.xerunetworks.com/2012/02/cisco-asa-84-on-gns3/
• http://blog.ciscoinferno.net/gns3-and-cisco-asa-8-4-part-1 Part 1
• http://blog.ciscoinferno.net/gns3-and-cisco-asa-8-4-part-2 Part 2