Setting up ASA8.4 in GNS3 with ASDM

Hi guys,

I am putting a lab together for this and have used various guides on the web,

mainly these

https://www.youtube.com/watch?v=Q4g1rW5ri5o

https://www.youtube.com/watch?v=PxyM8KHcC_M

http://www.rehmert.com/2012/12/add-asa-8-42-to-gns3/

http://www.networkingnut.net/configuring-asdm-gns3/

However for the love of god I cannot seem to get a ping response from my loopback adaptor when I try and ping from the asa.

My asa has a gigabitethernet1 port configured with 10.0.0.1 /24
My loopback adaptor has been configured and has an ip set-up of 10.0.0.2 /24

I have followed the steps in most of these guides, and even spotted a few people having similar problems, but have not been able to get around it; some people were suggesting they were seeing this issue with Windows 7 but not XP.

Has anyone had this issue?
 
No problems here with running an ASA and ASDM in win 7 (I'm doing mine inside a vm too) I used mine to replicate a 3rd party VPN endpoint that we had some migration problems with.
Will see if I can find the guide I used
 
Something funky is going on I think, although every time I go through these guides I am not really spotting anything out of place

just tried turning off windows firewall which made no difference, was still unable to ping from asa to loopback ip

Will have a look at those links, thanks
 
How strange... Is the interface up and things like that (bit of a long shot I know) just thinking about why it could be failing... Do you see the arp for the ASA on windows (arp -a in cmd) or the loop from the ASA?
 
Yeah the interface is up, did a no shutdown, interface status showing as up.

Haven't run a show arp from windows, I can't connect to my lab machine in work for some reason so will have to maybe try tomorrow.

I'm probably going to create a second lab and try this again although I'm not spotting anything that I have done differently or missed
 
Just done a show arp test from the lab machine (configured with the loopback adaptor)

Interface: 10.0.0.2 --- 0xe
  Internet Address      Physical Address      Type
  10.0.0.1              00-ab-cd-92-52-00     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static

so you can see the IP address that's been assigned to the ASA interface (10.0.0.1)

Also just tried from the beginning, still the same....
 
hmm, ok - just in front of my lab machine now...
I can see the same for the arp - but I can ping in both directions.

Here's my config on the ASA for Gig 0 (Management)
Code:
interface GigabitEthernet0
 nameif management
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 management-only
!

it didn't like taking the config for a bit - I just blatted the ASA config and re-did it, set management-only, no shut, name-if and then added the IP.
Otherwise it didn't like it on mine.
 
My interface pretty much looks identical apart from "management-only"

Can you do me a fav and do a show ver from your asa?

Where did you get your IOS from?

I don't think it's an IOS problem, it boots fine, can do all the config fine.

I may try this on my laptop rather than on my lab machine, just in case it's a problem specifically tied to my lab machine in work.
 
My IOS came direct from Cisco (CCO) - management-only is a command you type in under the interface, it's been in IOS for a while...

Show Ver:
Code:
ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 7.1(3)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 17 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
 1: Ext: GigabitEthernet1    : address is 00ab.cd92.5202, irq 0
 2: Ext: GigabitEthernet2    : address is 00ab.cd92.5203, irq 0
 3: Ext: GigabitEthernet3    : address is 00ab.cd92.5204, irq 0
 4: Ext: GigabitEthernet4    : address is 00ab.cd92.5205, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 
Configuration register is 0x0
Configuration has not been modified since last system restart.
ciscoasa#
 
Yeah I added management-only to the interface config, didn't make any difference to my issue though.

Here is my show ver

Code:
ciscoasa# show ver

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 15 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


 0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab22.6101, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.abc2.8d02, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab59.3003, irq 0
 4: Ext: GigabitEthernet4    : address is 0000.ab0b.5804, irq 0
 5: Ext: GigabitEthernet5    : address is 0000.ab5e.5305, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 25             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Enabled        perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 10             perpetual
Total UC Proxy Sessions           : 10             perpetual
Botnet Traffic Filter             : Enabled        perpetual
Intercompany Media Engine         : Enabled        perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 
Configuration register is 0x0
Configuration has not been modified since last system restart.
 
if you try and ping from the ASA, do you get an arp entry for the PC?

What you mean any arp entry on the asa for the pc, if I try to ping from the asa?

Will check now

Edit: If I do a show arp it doesn't output anything from the arp table
 
ok, that would suggest that something is up at L2 - On the ASA what do you have for:
show interface ip brief
show route

Edit: your LAB ip range doesn't overlap with anything that your PC already has configured does it (stupid question)
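
The layer 2 check discussed above can be scripted. This is an added example, not part of any poster's message: it matches the MAC that Windows learned in `arp -a` against the interface list from `show version`, using sample text copied from the outputs posted in this thread. The function names are illustrative.

```python
import re

# Sample input copied from the outputs posted in this thread.
WINDOWS_ARP = """\
Interface: 10.0.0.2 --- 0xe
  Internet Address      Physical Address      Type
  10.0.0.1              00-ab-cd-92-52-00     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

ASA_SHOW_VER = """\
 0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
 1: Ext: GigabitEthernet1    : address is 0000.ab22.6101, irq 0
"""

def norm_mac(mac):
    """Reduce Windows (aa-bb-..) or Cisco (aabb.ccdd..) notation to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_windows_arp(text):
    """Return {ip: mac} for dynamic rows; static rows such as the broadcast entry are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)", line)
        if m and m.group(3) == "dynamic":
            table[m.group(1)] = norm_mac(m.group(2))
    return table

def parse_asa_interfaces(text):
    """Return {mac: interface name} from the interface list in 'show version'."""
    pattern = r"Ext:\s+(\S+)\s+:\s+address is ([0-9a-fA-F.]+),"
    return {norm_mac(m.group(2)): m.group(1) for m in re.finditer(pattern, text)}

def who_answered(ip, arp_text, show_ver_text):
    """Name the ASA interface whose MAC Windows learned for ip, or None if unresolved."""
    mac = parse_windows_arp(arp_text).get(ip)
    if mac is None:
        return None  # Windows never resolved the address
    return parse_asa_interfaces(show_ver_text).get(mac, "unknown device")

if __name__ == "__main__":
    print(who_answered("10.0.0.1", WINDOWS_ARP, ASA_SHOW_VER))
```

A result of `None` means Windows has no dynamic ARP entry for the address, and `unknown device` means something other than the listed ASA interfaces answered for it.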
 
To clarify, on my machine, I have two network adaptors, one for my main LAN which is connected to the work network, and one for the loopback adaptor

The loopback adaptor has been configured with

IP: 10.0.0.2 / 16
I have tried with and without a default gateway, with the default gateway I set the IP of the ASA interface (10.0.0.1), this allows the adaptor to recognise the network, without the default gateway on the loopback adaptor, it changes to "unrecognised network"

On the ASA, my gi0 interface is configured with

Code:
interface GigabitEthernet0
 nameif management
 security-level 0
 ip address 10.0.0.1 255.255.0.0
 management-only
!


show interface ip brief
Code:
ciscoasa# show int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           10.0.0.1        YES CONFIG up                    up
GigabitEthernet1           unassigned      YES unset  administratively down up
GigabitEthernet2           unassigned      YES unset  administratively down up
GigabitEthernet3           unassigned      YES unset  administratively down up
GigabitEthernet4           unassigned      YES unset  administratively down up
GigabitEthernet5           unassigned      YES unset  administratively down up
ciscoasa#


show route
Code:
ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0 255.255.0.0 is directly connected, management
ciscoasa#
 
Ok, rather depends on what the other network range is on your work PC, if it's anything 10.0.x.x then it's going to get confused. I'd recommend using a totally different /24 or even better a /30 as it's only a point to point connection for you to manage the ASA
 
Nah it's on 192.168.61.X


I will keep having a play, I will probably just replicate it on my home laptop, to see if it has the same problem

At least that will be another completely fresh install of GNS3 with brand new config, and see what happens, will try over the weekend.
 
Looks like you haven't entered your activation key. When I set mine up I had to enter one to make it work

- GP


If you are referring to show version I done above ^^ I deleted the activation keys before I posted on here, on both occasions from scratch, the first one went in pretty much straight away on the device, the second one took around 5 minutes maybe a bit longer. I then wrote to flash and done a reload

When you say you had to enter one to make it work, make what work?

I'm guessing that this is local activation rather than internet activation
 