Install ASDM 6.4(9) for an ASA 5520 in GNS3

In my last post, I used a TAP interface to connect a VBox network to my PC. Now I am going to show you how to install Cisco Adaptive Security Device Manager (ASDM) on an ASA firewall.
First, download the ASA software image from http://www.mediafire.com/download/c228c2sjdyrkwf3/ASA_842.7z

Extract the files and add a new Qemu image in GNS3. Configure as follows:

Connect the ASA to a cloud node bound to the TAP interface, so that both sit on the same network.
You may get this error when you start the project:

Execution log:
Failed to initialize module: /usr/lib/x86_64-linux-gnu/qemu/block-curl.so
Note: only modules from the same build can be loaded.
Failed to initialize module: /usr/lib/x86_64-linux-gnu/qemu/block-rbd.so
Note: only modules from the same build can be loaded.
qemu-system-x86_64: -netdev tap,id=gns3-0,ifname=tap0,script=no,downscript=no: could not configure /dev/net/tun (tap0): Operation not permitted
qemu-system-x86_64: -netdev tap,id=gns3-0,ifname=tap0,script=no,downscript=no: Device 'tap' could not be initialized

This happens because your user does not have permission to open the TAP device. To solve it, either run GNS3 as root or give your user ownership of the TAP interface with the following command:

sudo tunctl -t tap0 -u your_user

Now we are ready to run our ASA. First, you need to activate the licences, because, as you know, Cisco charges for everything.
Open the ASA console and enter the following commands:

ciscoasa> enable
Password: [ENTER]
ciscoasa# config t
ciscoasa(config)# activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
ciscoasa(config)# wr

Now configure the address of the interface that talks to the cloud (I assume you are using GigabitEthernet0 and that the TAP interface on the cloud side is 10.0.0.1):

ciscoasa(config)# interface GigabitEthernet0
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# no shutdown

Now there should be connectivity between your PC and the ASA.
Next, download the ASDM file from https://drive.google.com/file/d/0BxGGwKJEWVB0amstM0VQVmRYNUk/view?usp=sharing
To install ASDM, we need a TFTP server on our PC to send the file to the ASA.
For Linux there are a lot of them. I tested many, but most of them returned this error:

WARNING: TFTP download incomplete!
%Error reading tftp://10.0.0.1/asdm-649.bin;int=inside (Unspecified Error)

This means the file could not be transferred: TFTP was originally designed for small files, and many servers have problems with bigger ones.
I used tftpd-hpa; to install it, run this command:

sudo apt-get install tftpd-hpa

One problem with it: if you check the service status, you may see the following:

service tftpd-hpa status
in.tftpd[14041]: connect: Address family not supported by protocol

To fix it, you need to edit the configuration file (/etc/default/tftpd-hpa) and specify an IPv4 listen address. Also specify the folder that holds the ASDM file (in my case it was in ~). This is an example of the file content:

# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/home/user/"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"
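Before running the copy from the ASA, it helps to verify the tftpd-hpa setup from the Linux side. The following POSIX shell script is an added example, not part of the original post or of tftpd-hpa itself: it parses a file in the /etc/default/tftpd-hpa format shown above, checks that TFTP_ADDRESS is an explicit IPv4 address and port (the cause of the "Address family not supported by protocol" message), checks that the ASDM file is inside TFTP_DIRECTORY and readable by the unprivileged tftp user, and prints the file's MD5 so you can compare it with the copy on the ASA later. The function names check_tftp_config and parse_tftp_var and the script name check_tftp.sh are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a tftpd-hpa
# configuration before running "copy tftp: flash:" on the ASA.

# parse_tftp_var CONFIG VAR: print the (unquoted) value of VAR from CONFIG.
parse_tftp_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# check_tftp_config CONFIG FILENAME: returns 0 when the server config looks
# usable for serving FILENAME, 1 otherwise; one line per finding on stdout.
check_tftp_config() {
    cfg=$1
    file=$2
    rc=0

    if [ ! -r "$cfg" ]; then
        echo "FAIL: cannot read $cfg"
        return 1
    fi

    addr=$(parse_tftp_var "$cfg" TFTP_ADDRESS)
    dir=$(parse_tftp_var "$cfg" TFTP_DIRECTORY)

    # The stock ":69" means "any address family" and fails on hosts without
    # IPv6; require a dotted IPv4 address in front of the port (a rough glob,
    # not a full address validator).
    case "$addr" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*:[0-9]*)
            echo "ok: TFTP_ADDRESS=$addr is an explicit IPv4 address:port" ;;
        *)
            echo "FAIL: TFTP_ADDRESS='$addr' is not an explicit IPv4 address:port"
            rc=1 ;;
    esac

    if [ ! -d "$dir" ]; then
        echo "FAIL: TFTP_DIRECTORY='$dir' does not exist"
        return 1
    fi

    # With --secure the daemon chroots into TFTP_DIRECTORY, so the ASA must
    # request the bare file name, and the file must be readable by the
    # unprivileged tftp user (world-readable, mode o+r).
    if [ ! -f "$dir/$file" ]; then
        echo "FAIL: $file not found in $dir"
        rc=1
    elif find "$dir" -maxdepth 1 -name "$file" -perm -004 | grep -q .; then
        echo "ok: $dir/$file is present and world-readable"
        echo "md5: $(md5sum "$dir/$file" | cut -d' ' -f1)  (compare on the ASA after the copy)"
    else
        echo "FAIL: $dir/$file is not readable by other users (chmod o+r)"
        rc=1
    fi

    return $rc
}

# Usage: sh check_tftp.sh /etc/default/tftpd-hpa asdm-649.bin
if [ "$#" -ge 1 ]; then
    check_tftp_config "$1" "${2:-asdm-649.bin}"
fi
```

Once the copy has finished, compare the printed MD5 with the output of the ASA's verify /md5 command on the flash copy (for example verify /md5 flash:asdm-649.bin); a mismatch means the image on flash is not the one you served, which is what the "TFTP download incomplete" warning above indicates.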

To get the ASDM file onto the ASA, enter this command and answer the prompts (remote host, source filename, destination filename) as follows:

copy tftp: flash:
10.0.0.1
asdm-649.bin
asdm-649.bin

Now the file should be on your ASA's flash.
To install it, enter these commands:

ciscoasa(config)# asdm image flash:asdm-649.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.0.0.1 255.255.255.255 inside
ciscoasa(config)# username admin password 123456 privilege 15
ciscoasa(config)# wr

In the third line you specify which host may reach the web server, and in the fourth line you create a user and password to log in with (this is the weakest password you could possibly use; if you are building a real environment, do not use it).

Now open your browser and go to https://10.0.0.2/ (the IP of your ASA).
If you are using Chrome, you will see the following:


Chrome has had no NPAPI plugin support (needed for Java) since version 35. Up to version 44 you could still enable it, but in later versions you cannot. For this reason, it is better to choose another browser, such as Firefox.
You need to install a plugin for Java compatibility, and remember to have Java installed on your computer:

sudo apt-get install oracle-java9-installer oracle-java9-set-default
sudo apt-get install icedtea-netx icedtea-7-plugin

Now open the URL with Firefox, and when the browser asks what to do with the Java Network Launching Protocol (JNLP) file, tell it to open the file with IcedTea.
You may see the following:

Application Blocked by Java Security
For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run.

To add our site to the Exception Site List, open the Java configuration panel with:

javaws -viewer

The result should look like this:


Finally, we can run the Java file again and access the ASA.
Enjoy!