Emulating a Cisco ASA in GNS3

I originally wrote a post with this title for my last employer’s website 2 years ago. It was pretty popular for some reason (perhaps because information about ASA emulation was a lot less common than it is now), so I decided to revisit it and update it if required.

Back at the time, I was working on an upgrade of a pair of critical Cisco ASA firewalls from version 8.2 to a version greater than 8.3; this is a major upgrade that changes the commands for NAT significantly.

Cisco have incorporated a migration script into the upgrade process that attempts to convert the old 8.2 commands to 8.3 syntax. However, it’s not perfect and some configurations will just not migrate without intervention.

Having initially attempted the upgrade on the standby ASA, the automatically generated configuration produced by the upgrade was found to be producing undesirable behaviour. The ASA was rolled back, but not before taking a copy of the configuration. Being unable to purchase another ASA for lab testing, the bad configuration was loaded into an emulated ASA in GNS3 and, through trial and error, new quirks in ASA configuration were corrected and the problem was solved in the live environment.

Preparation

An excellent script by dmz at 7200emu.hacki.at (repack.v4.sh.gz) is necessary. This will take an ASA image and separate it into two files – a RAM disk and a kernel image. (Register and log in to be able to download it.)

You will also need the Cisco ASA 8.4(2) image (asa842-k8.bin), as that is the image that the repack script is designed for. I did not attempt to use or remodel the repack script for other ASA versions, so that’s an interesting challenge for another day.

On a Linux system (I’m using Linux Mint 17, which should be very similar in behaviour to Ubuntu 14.04), run the script against the image. (The script needs to be run as root to avoid errors from cpio, so run it at your own risk.)

Keep two of the files produced:

  • asa842-vmlinuz
  • asa842-initrd.gz

Since Linux is what I work in these days, I’m mainly interested in getting GNS3 working in that, but I was unable to get it to work without a programming assertion failure. Since I had no such problems in Windows, and I will probably rarely or never need to emulate an ASA again, that will suffice.

Windows guide

GNS3 has had quite a few updates since 0.8.3. Now in version 1.1, the installer includes WinPcap and Wireshark by default. I’ll assume that the GNS3-1.1-all-in-one.exe installer has been installed with the default packages at minimum.

Once installed, open GNS3 and in Edit > Preferences > QEMU > QEMU VMs, create a New VM.

Name the VM whatever you want, but set the Type to ‘ASA 8.4(2)’. The default Qemu binary of qemu-system-x86_64w.exe is fine, as is the 1024MB of RAM. Choose the initrd and vmlinuz binary files created earlier, and then save the VM preferences.

The completed VM should look something like this:

[Screenshot: GNS3 1.1 QEMU VM Configuration]

Now, having created the VM definition, simply drag an ASA device into a topology; you should now be able to start it, connect to the console, and make connections just like any IOS device…

[Screenshot: ASA successfully booted in GNS3 on Windows]

Linux guide

As already mentioned above, I was unsuccessful getting a working solution in Linux, but I will put one here if I ever get one.

(It’s possible that I was making problems for myself by not downloading the latest versions of GNS3 and Qemu. I prefer to use the distro packages wherever possible.)

 
