Saturday, August 24, 2013

Configuring ASDM for ASA on GNS3

ASDM is a GUI tool that you can use to configure ASAs. Although I prefer to use CLI, ASDM does come in handy from time to time. In this blogtorial we will see how to configure ASDM so that we can use it to configure ASAs running on GNS3. If you need a primer on how to get ASAs working on GNS3 then see my previous blogtorial.

Overview: 
  • Download ASDM image
  • Create a Loopback interface
  • Connect it to the ASA
  • Assign IP addresses
  • Download TFTP server
  • Copy ASDM image to the ASA
  • Install ASDM on the computer
  • Connect to the ASA using ASDM

The first thing you need to do is download the ASDM image. You can download it from the Cisco website if you have a login and the necessary license. If not, you can always try getting it from somewhere else ;-).

Since ASDM on your computer needs to communicate with the ASA on GNS3, we need to create a loopback interface on your PC and connect it to GNS3.

Here is how to create a loopback (does require a reboot of your machine). Make sure you right click and "Run as administrator".



Restart the computer so that the loopback interface can take effect.

Drag and drop an ASA, an Ethernet switch and the cloud.


 Drop down the list of interfaces and pick the loopback that we just created and click "OK".


Now connect e0 of the ASA to the switch, and connect the cloud to the switch as well. We have to use a switch because we cannot connect the cloud directly to the ASA e0 interface.




Now configure the loopback with an IP address. In my case, I used 10.1.1.254/24.


Console into the ASA and configure g0 with an IP address in the same subnet as the loopback on your computer.

 ciscoasa# sh run int g0  
 !  
 interface GigabitEthernet0  
  nameif inside-int  
  security-level 0  
  ip address 10.1.1.1 255.255.255.0  
 ciscoasa#  

The ASDM image on your computer needs to be copied over to the ASA's flash. To do this you will need a TFTP server. You can download one from the download page at http://tftpd32.jounin.net/tftpd32_download.html. Again, get the ASDM bin file from the Cisco website, provided that you have the login and the necessary license. If not, get it from somewhere else...

On my computer, asdm-713.bin is in my R:\CCIE POA folder. Make sure to pick the loopback (10.1.1.254) as the TFTP server interface. Note the command on the ASA to copy the file over:

 copy tftp://<your computer loopback ip>/asdm-713.bin flash:


Now that the ASDM image has been successfully copied over let's get ASDM configured on the ASA.

 ciscoasa#  
 ciscoasa# conf t  
 ciscoasa(config)# asdm image flash:asdm-713.bin  
 ciscoasa(config)# http server enable  
 ciscoasa(config)# http 10.1.1.0 255.255.255.0 inside-int  
 ciscoasa(config)# username cisco password cisco priv 15  
 ciscoasa(config)# exit  
 ciscoasa#  
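
A tighter variant of the lab configuration above, added here as an example and not part of the original post: the interface uses security level 100 (the value suggested in the comments for an inside interface), ASDM access is limited to the loopback host 10.1.1.254 instead of the whole /24, and the account is no longer cisco/cisco. The username `labadmin` and the `<strong-password>` placeholder are assumptions.

```cisco
! Added example, not from the original post: tighter ASDM access for the same lab.
! Assumptions: username "labadmin" and <strong-password> are placeholders.
!
interface GigabitEthernet0
 nameif inside-int
 ! The post uses security-level 0; 100 is the usual value for an inside interface
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
asdm image flash:asdm-713.bin
http server enable
! Post's version: http 10.1.1.0 255.255.255.0 inside-int (any host in the /24)
! Here only the PC loopback address may reach the HTTPS/ASDM service
http 10.1.1.254 255.255.255.255 inside-int
! Post's version: username cisco password cisco priv 15
username labadmin password <strong-password> privilege 15
! Authenticate ASDM/HTTPS logins against the local user database
aaa authentication http console LOCAL
```

With this variant, log in to ASDM with the account defined here instead of cisco/cisco.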

It's time to install ASDM on your PC. Browse to the ASA g0 IP https://10.1.1.1/ and follow the screenshots.




Click save, run the installation file and follow the on-screen instructions. Once it is successfully installed, you can go to your program files and run it.


Put in your ASA g0 IP (10.1.1.1), use the user you created (cisco/cisco) and click OK.



There you have it -- full blown ASDM to control your "virtual" ASA running on GNS3.

Many more articles to come so stay tuned.

Please reshare/subscribe/comment/+1 if you like my posts as it keeps me motivated to write more and spread the knowledge.

2 comments:

  1. Why do you keep the security level for g0 at 0?
    ciscoasa# sh run int g0
    !
    interface GigabitEthernet0
    nameif inside-int
    security-level 0
    ip address 10.1.1.1 255.255.255.0

    regards
    Moez

    1. Great point. This blogtorial wasn't really about security levels, however you are correct -- 0 is not what you want for an inside interface. I would probably prefer it to be 100.

      If anyone is interested, here is a quick overview for Security Levels

      http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1043290
