Running the Cisco ASA Firewall with GNS3 on OS X

Updated!

This article will show you how to get GNS3 correctly running Cisco ASA firewalls on Mac OS X Snow Leopard. This is a continuation of my thread over here: http://networkfoo.org/phpBB3/viewtopic.php?f=62&t=225

Note: This procedure worked for me but it may not necessarily work for you. I have gone through many iterations of GNS3 and some of this may have affected the outcome of the procedure. 

Download

Install Requirements for GNS3

  • Install the Apple Dev Tools from the OS X DVD. Run and install the XcodeTools.mpkg package.
  • Download and install MacPorts from - http://www.macports.org/
  • Open a terminal window and run the following commands:

foo:~ jason$ sudo port install python26
foo:~ jason$ sudo port install python_select
foo:~ jason$ sudo python_select python26
foo:~ jason$ sudo port install py26-sip @4.9.3_0
foo:~ jason$ sudo port install py26-pyqt4 @4.6.2_0
foo:~ jason$ sudo port install qt4-mac @4.5.3_0
foo:~ jason$ sudo port install zlib wget libpcap

  • Download, patch and install Qemu:

foo:~ jason$ wget http://download.savannah.gnu.org/releases/qemu/qemu-0.11.0.tar.gz
foo:~ jason$ tar xvzf qemu-0.11.0.tar.gz
foo:~ jason$ cd qemu-0.11.0
foo:~ jason$ wget -O qemu-0.11.0-macosx.patch "http://downloads.sourceforge.net/gns-3/qemu-0.11.0-macosx.patch?download"
foo:~ jason$ patch -p1 -i qemu-0.11.0-macosx.patch
foo:~ jason$ wget -O qemu-0.11.0-olive.patch "http://downloads.sourceforge.net/gns-3/qemu-0.11.0-olive.patch?download"
foo:~ jason$ patch -p1 -i qemu-0.11.0-olive.patch
foo:~ jason$ ./configure --disable-aio --disable-kvm --disable-kqemu --disable-sdl --target-list=i386-softmmu
foo:~ jason$ make
foo:~ jason$ sudo make install

Install and Setup GNS3

  1. Install the GNS3 v0.7.1 DMG to your applications as you would any other application.
  2. Mount the GNS3 v0.7.0 DMG then right click the application icon and select Show Package Contents.
  3. Drill down into Contents > Resources and copy dynamips-0.2.8-RC2-OSX-Leopard.intel.bin. Then open the v0.7.1 package in your Applications folder the same way and paste the file into its Resources folder.
  4. Extract the GNS3 v0.7RC1 Source package and copy pemubin.py to the Resources directory, as in step 3:
    1. sudo cp GNS3-0.7RC1-src/qemuwrapper/pemubin.py /Applications/GNS3.app/Contents/Resources/
  5. Start GNS3 and go to the GNS3 > Preferences menu.
  6. On the Dynamips tab, set the Executable path to - /Applications/GNS3.app/Contents/Resources/dynamips-0.2.8-RC2-OSX-Leopard.intel.bin
  7. On the same tab check the Enable sparse memory feature.
  8. On the Qemu tab, set the Path to Qemuwrapper to - /Applications/GNS3.app/Contents/Resources/qemuwrapper.py
  9. On the same tab, set the Path to qemu to - /usr/local/bin/qemu
  10. Again on the same tab, set Path to qemu-img to - /usr/local/bin/qemu-img

Next you need to build the ASA files.

Build the ASA Files

Now for the ASA. I followed the post here: http://blog.gns3.net/2009/12/how-to-emulate-cisco-asa/ to complete this portion.

I used my Ubuntu 9.10 installation to follow the steps due to some issues I was encountering on Snow Leopard with the cpio command:

X:tmp jason$ sudo cpio -i --no-absolute-filenames --make-directories < ../asa802-k8
cpio: Option --no-absolute-filenames is not supported

The steps to perform:

jason@coke:~/GNS7$ hexdump -C asa802-k8.bin > asa802-k8.hex
jason@coke:~/GNS7$ grep "1f 8b 08 00 1d" asa802-k8.hex
001228b0 1f 8b 08 00 1d 3d 73 46 00 03 ec 3a 6d 54 14 57 |.....=sF...:mT.W|
jason@coke:~/GNS7$ ls -la asa802-k8.bin
-rwx------ 1 jason jason 14524416 2009-12-11 09:48 asa802-k8.bin
jason@coke:~/GNS7$ echo "14524416 ; ibase=16 ; last - 1228B0" | bc | tail -n 1
13334352
jason@coke:~/GNS7$ tail -c 13334352 asa802-k8.bin > asa802-k8.gz
jason@coke:~/GNS7$ gzip -d asa802-k8.gz

gzip: asa802-k8.gz: decompression OK, trailing garbage ignored
jason@coke:~/GNS7$ mkdir tmp ; cd tmp
jason@coke:~/GNS7/tmp$ sudo cpio -i --no-absolute-filenames --make-directories < ../asa802-k8
[sudo] password for jason:
cpio: Removing leading `/' from member names
61039 blocks
jason@coke:~/GNS7/tmp$ ls
asa bin dev etc init lib linuxrc mnt proc sbin sys System.map usr vmlinuz
jason@coke:~/GNS7/tmp$ cp vmlinuz ../asa802-k8.kernel
jason@coke:~/GNS7/tmp$ cd asa/scripts/
jason@coke:~/GNS7/tmp/asa/scripts$ sudo vim first_start.sh

Paste the following:

#!/bin/sh

##
## Author: Jeremy Grossmann (2009)
## Contributor: J. Pedro Flor (28 january 2010)
##

FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
cd /asa/scripts/
echo "d" > /asa/scripts/fdisk.pf.in
echo "o" >> /asa/scripts/fdisk.pf.in
echo "n" >> /asa/scripts/fdisk.pf.in
echo "p" >> /asa/scripts/fdisk.pf.in
echo "1" >> /asa/scripts/fdisk.pf.in
echo "1" >> /asa/scripts/fdisk.pf.in
echo "" >> /asa/scripts/fdisk.pf.in
echo "t" >> /asa/scripts/fdisk.pf.in
echo "4" >> /asa/scripts/fdisk.pf.in
echo "w" >>/asa/scripts/fdisk.pf.in

echo ""
echo -n "Initializing partition..."
/sbin/fdisk /dev/hda < /asa/scripts/fdisk.pf.in > /dev/null 2> /dev/null
echo "done"

echo ""
echo -n "Formating and mounting partition..."
mkdosfs -F 16 /dev/hda1 > /dev/null 2> /dev/null
mount -t vfat -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0 > /dev/null 2> /dev/null
echo "done"
echo ""

cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi

# load drivers
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up

if test $FIRST_START = yes
then
echo ""
echo " Cisco ASA with <NO> Multiple Security Contexts"
echo " =============================================="
echo ""
echo "This is your first boot, please wait about 2 minutes for 'disk0' creation"
echo "and then execute the following commands inside the Linux prompt:"
echo ""
echo " # cd /mnt/disk0"
echo " # /mnt/disk0/lina_monitor"
echo ""
echo ""
echo ""
echo "Please note to use the following command under ASA to save your configs:"
echo ""
echo " ciscoasa(config)# boot config disk0:/.private/startup-config"
echo " ciscoasa(config)# copy running-config disk0:/.private/startup-config"
echo ""
echo ""
echo ""
echo "To get webvpn working, execute the following commands:"
echo ""
echo " ciscoasa# mkdir disk0:/var"
echo " ciscoasa# mkdir disk0:/var/log"
echo " ciscoasa# mkdir disk0:/csco_config"
echo " ciscoasa# mkdir disk0:/csco_config/97"
echo " ciscoasa# mkdir disk0:/csco_config/97/webcontent"
echo ""
echo " ( Powered by Pedro Flor )"
echo " ( pedro.flor@gmail.com )"
echo ""
exit
fi

echo ""
echo ""
echo "Starting Cisco ASA with <NO> Multiple Security Contexts..."
echo ""

cd /mnt/disk0
/mnt/disk0/lina_monitor

Then save the file.

jason@coke:~/GNS7/tmp/asa/scripts$ sudo chmod 755 first_start.sh
jason@coke:~/GNS7/tmp/asa/scripts$ cd ../../etc/init.d/
jason@coke:~/GNS7/tmp/etc/init.d/$ sudo vim rcS

Modify the file: comment out the lina_monitor line and add /asa/scripts/first_start.sh in its place. It should look like this afterwards:

#!/bin/sh
#------------------------------------------------------------------
# Copyright (c) 2006, 2007 by Cisco Systems, Inc.
# All rights reserved.
#------------------------------------------------------------------

export MOUNT_OPTS=umask=0000,noatime,check=s,posix,shortname=mixed
/bin/sh -c /etc/init.d/rcS.common

export LD_LIBRARY_PATH=/mnt/disk0/lib:/mnt/disk0/lib

# launch our user space processes
#/asa/bin/lina_monitor
/asa/scripts/first_start.sh

Then save the file.

jason@coke:~/GNS7/tmp/etc/init.d$ cd ../../
jason@coke:~/GNS7/tmp$ find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz
61040 blocks
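
The hexdump and grep step earlier in this section finds the gzip header only when all five bytes fall inside one half of a 16-byte hexdump row, and it depends on the 1d timestamp byte of this particular image. As an added example (not from the original article or the GNS3 project; the function names and the sample image are constructed here), this searches the raw bytes for the three-byte gzip signature and keeps only offsets that decompress as a complete stream, which also accounts for the "trailing garbage" that gzip reports:

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)


def find_gzip_members(blob, min_size=1024):
    """Return [(offset, decompressed bytes)] for each offset that starts a
    complete gzip stream, not merely every place the magic bytes occur."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=31)  # 31 = gzip header + CRC32 trailer
        try:
            data = inflater.decompress(blob[pos:])
            # eof is set only when the stream ended cleanly; bytes after it
            # (gzip's "trailing garbage") are left in inflater.unused_data.
            if inflater.eof and len(data) >= min_size:
                found.append((pos, data))
        except zlib.error:
            pass  # magic bytes appeared by chance inside unrelated data
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found


def build_constructed_image():
    """Constructed stand-in for a firmware file: header with a decoy magic,
    one real gzip member, then trailing bytes. Not a real ASA image."""
    payload = b"070701" + b"constructed initrd contents " * 200
    header = b"\x7fELF" + b"\x00" * 60 + GZIP_MAGIC + b"\xff" * 13
    image = header + gzip.compress(payload, mtime=0) + b"\xde\xad" * 32
    return image, len(header), payload


if __name__ == "__main__":
    image, _, _ = build_constructed_image()
    for offset, data in find_gzip_members(image):
        # len(image) - offset is the byte count the article passes to `tail -c`
        print(f"gzip member at 0x{offset:x}, tail -c {len(image) - offset}, "
              f"{len(data)} bytes decompressed")
```

To run it against a real image, read the file in binary mode and pass its bytes to find_gzip_members; the decompressed data is what cpio unpacks in the steps above.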

When you start the ASA you need to run the following commands to start it up:

This is your first boot, please wait about 1 min and then type the following commands:
cd /mnt/disk0
/mnt/disk0/lina_monitor

Please note to use the following command under ASA to save your configs:
copy run disk0:/.private/startup-config

When you save your config you may get an error like this:

ASA# copy running-config disk0:/.private/startup-config

Source filename [running-config]?

Destination filename [/.private/startup-config]?
Cryptochecksum: d847d487 be2324f6 5058c694 ec96aba7

1466 bytes copied in 1.670 secs (1466 bytes/sec)open(ffsdev/2/write/41) failed
open(ffsdev/2/write/40) failed

The ASA still seems to save the configuration correctly.

GNS3 Preference Configuration

I have GNS3 configured with the following settings:

Qemu\ASA Settings:

  • Memory - 256
  • NIC - i82551
  • Qemu Options - -hdachs 980,16,32
  • Initrd - /Users/jason/ASABinModified/asa802-k8.initrd.gz
  • Kernel - /Users/jason/ASABinModified/asa802-k8.kernel
  • Kernel cmd line - auto console=ttyS0,9600 bigphysarea=16384 ide1=noprobe

The ASA will then start successfully, and networking will be working correctly. I've tested two concurrent ASAs so far in my lab and achieved connectivity between the two.

Qemu Hosts

To use the Qemu Host feature in GNS3 do the following:

  1. Download this Linux host img - http://downloads.sourceforge.net/gns-3/linux-microcore-2.10.img?download
  2. In GNS3 go to Preferences. On the Qemu tab, click Qemu Host.
  3. Set the Identifier to Microcore
  4. Set the Binary image to the path of the linux-microcore-2.10.img file.
  5. Set the Memory to 32MB.
  6. Set the NIC to e1000.
  7. Set the Qemu Options to -no-acpi

Then drag the Qemu Host icon into your topology, and start it. Once it has started use the following commands to set an IP address:

tc@box:~$ sudo su
root@box:~# ifconfig eth0 192.168.0.1 netmask 255.255.255.0
root@box:~# ifconfig eth0 up

 

 
