ASA Emulator with Qemu 2

ccie-sec October 20th, 2008

For quite some time, I’ve been battling with the notion of running an ASA emulator on linux without VMware.  Since I couldn’t quite figure it out myself, I had to place the idea on the back burner until I had more time to test.  After a few months of dabbling with dynamips, dynagen, and pemu I managed to get it working.  Unfortunately I changed too many things on my machine to really know what worked and what didn’t work.

Recently I was asked again by a reader, Azher, if I could do a write-up on how to do it. Rather than share my convoluted method and possibly destroy your OS, I found a much easier way to do it just by Googling around. The article, How to Set Up A Cisco Lab On Linux (CentOS 5.2), was posted on HowtoForge by Topdog. Just follow his procedure and you should be on your way to running an ASA instance within Linux.

FYI, I managed to run his procedure successfully on FC9.  Here are my notes:

1) Downloaded RPM files off Topdog’s website

2) Ran 'rpm' with the '--nodeps' parameter to avoid the following error:

error: Failed dependencies:
libpcap.so.0.9.4 is needed by dynamips-0.2.8RC2-1.i386

[root@xuxu-t61 LAB]# ls *.rpm
dynagen-0.11.0-1.noarch.rpm  pemu-0.0.1-20070420.i386.rpm
dynamips-0.2.8RC2-1.i386.rpm

[root@xuxu-t61 LAB]# rpm -Uvh --nodeps dynamips-0.2.8RC2-1.i386.rpm
warning: dynamips-0.2.8RC2-1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 990dd808
Preparing...   ########################################### [100%]
1:dynamips     ########################################### [100%]

[root@xuxu-t61 LAB]# rpm -Uvh --nodeps dynagen-0.11.0-1.noarch.rpm
warning: dynagen-0.11.0-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 990dd808
Preparing...   ########################################### [100%]
1:dynagen      ########################################### [100%]

[root@xuxu-t61 LAB]# rpm -Uvh --nodeps pemu-0.0.1-20070420.i386.rpm
warning: pemu-0.0.1-20070420.i386.rpm: Header V3 DSA signature: NOKEY, key ID 990dd808
Preparing...   ########################################### [100%]
1:pemu         ########################################### [100%]

[root@xuxu-t61 LAB]# service dynamips start [OK]

[root@xuxu-t61 LAB]# service pemu start [OK]

3) Ran dynagen

[root@xuxu-t61 TEST]# dynagen test.net
Reading configuration file...

Network successfully loaded

Dynagen management console for Dynamips and Pemuwrapper 0.11.0
Copyright (c) 2005-2007 Greg Anuzelli, contributions Pavel Skovajsa

=> list
Name          Type          State          Server                Console
R1               3660          stopped      localhost:7200   2001
R2               3660          stopped      localhost:7200   2002
FW1            525            stopped      localhost:10525 4001
SW              ETHSW      always on   localhost:7200   n/a
=> start FW1
100-PEMU 'FW1' started

4) Started ‘cpulimit’ to avoid CPU saturation by pemu

[root@xuxu-t61 ~]# ps aux | grep pemu
root 3561 0.2 0.2 21756 5692 pts/0 Sl 13:33 0:00 python /usr/bin/pemuwrapper.py
root 3687 90.2 7.6 177464 156936 pts/0 RN 13:35 0:07 /var/lib/pemu/pemu_public_bin2008-03-04/pemu -net nic,vlan=0,macaddr=00:00:ab:95:e5:00 -net udp,vlan=0,sport=33000,dport=10004,daddr=127.0.0.1 -net nic,vlan=1,macaddr=00:00:ab:95:e5:01 -net udp,vlan=1,sport=33001,dport=10005,daddr=127.0.0.1 -net nic,vlan=2,macaddr=00:00:ab:cd:ef:02 -net nic,vlan=3,macaddr=00:00:ab:cd:ef:03 -net nic,vlan=4,macaddr=00:00:ab:cd:ef:04 -net nic,vlan=5,macaddr=00:00:ab:cd:ef:05 -serial telnet::4001,server,nowait -m 128 FLASH
root 3694 0.0 0.0 4120 696 pts/1 S+ 13:35 0:00 grep pemu

[root@xuxu-t61 ~]# cpulimit -e /var/lib/pemu/pemu_public_bin2008-03-04/pemu -l 45
Process 3687 detected

5) Prepped asa724-k8.bin file for usage

[root@xuxu-t61 TEST]# hexdump -C asa724-k8.bin > asa724-k8.hd

[root@xuxu-t61 TEST]# grep "50 4b 03 04 14" asa724-k8.hd
00017000  50 4b 03 04 14 00 00 00  08 00 32 6e 86 38 03 4c  |PK........2n.8.L|

(The bytes '50 4b 03 04' are the PKZip local file header signature, i.e. the start of the embedded zip archive; the '14 00' that follows is the archive's 'version needed to extract' field.)

[root@xuxu-t61 TEST]# ls -la asa724-k8.bin
-rw-r--r-- 1 root root 8515584 2008-10-20 17:25 asa724-k8.bin

[root@xuxu-t61 TEST]# perl -e '$x=8515584-0x17000;print "$x\n"'
8421376

[root@xuxu-t61 TEST]# tail -c 8421376 asa724-k8.bin > asa724.bin.zip

[root@xuxu-t61 TEST]# unzip asa724.bin.zip
Archive:  asa724.bin.zip
warning:  skipped "../" path component(s) in ../target/f1/pix
inflating: target/f1/pix

[root@xuxu-t61 TEST]# cp -v target/f1/pix /var/lib/pemu/images/target/f1/pix
cp: overwrite `/var/lib/pemu/images/target/f1/pix'? yes
`target/f1/pix' -> `/var/lib/pemu/images/target/f1/pix'
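The carve-and-unzip step above in script form, as an added example that is not part of the original post: it locates the PKZip local file header the hexdump grep found, keeps everything from that offset on (what tail -c did), and unzips in memory while dropping '..' components the way unzip's warning indicates. The input image is constructed inline with the post's 0x17000 offset and the '../target/f1/pix' member name; it is a stand-in, not a real ASA image.

```python
import io
import zipfile

# Local file header signature "PK\x03\x04" plus the 0x0014 "version needed" field:
# the "50 4b 03 04 14" the hexdump grep matched.
ZIP_LOCAL_HEADER = b"PK\x03\x04\x14\x00"


def find_zip_offset(image: bytes) -> int:
    """Offset of the first local file header (0x17000 in the post), or -1."""
    return image.find(ZIP_LOCAL_HEADER)


def carve_zip(image: bytes) -> bytes:
    """Same as `tail -c $((size - offset)) image`: everything from the header on."""
    off = find_zip_offset(image)
    if off < 0:
        raise ValueError("no PKZip local file header found in image")
    return image[off:]


def sanitize_member(name: str):
    """Drop '', '.' and '..' components (what unzip did for '../target/f1/pix')."""
    parts = [p for p in name.split("/") if p not in ("", ".", "..")]
    clean = "/".join(parts)
    return clean, clean != name


def carve_and_extract(image: bytes) -> dict:
    """Carve the zip and read each member into memory under its sanitized name."""
    zip_bytes = carve_zip(image)
    files, warnings = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            clean, altered = sanitize_member(info.filename)
            if altered:
                warnings.append(f"skipped path component(s) in {info.filename}")
            if clean:  # a name made only of '..' sanitizes to '' and is dropped
                files[clean] = zf.read(info)
    return {"offset": len(image) - len(zip_bytes), "zip_size": len(zip_bytes),
            "files": files, "warnings": warnings}


def build_sample_image() -> bytes:
    """Constructed stand-in for asa724-k8.bin (not a real image): 0x17000 bytes of
    zero padding, then a zip whose only member is named '../target/f1/pix'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("../target/f1/pix", b"not-a-real-lina-binary " * 100)
    return b"\x00" * 0x17000 + buf.getvalue()
```

Running carve_and_extract(build_sample_image()) reports offset 0x17000, one file under target/f1/pix and one warning about the stripped '../' component.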

6) Tested ASA emulator

[root@xuxu-t61 ~]# telnet localhost 4001
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

pixfirewall>

If you extracted the files as noted by the article, you’ll notice the PIX name references in the directory structure.  I specifically used the asa724-k8.bin file myself and ended up with the same result.

pixfirewall# sh ver

Cisco PIX Security Appliance Software Version 7.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

pixfirewall up 4 mins 33 secs

Hardware: PIX-525, 128 MB RAM, CPU Pentium II 1 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0: address is 0000.abee.f300, irq 9
1: Ext: Ethernet1: address is 0000.abee.f301, irq 11
2: Ext: Ethernet2: address is 0000.abee.f302, irq 11
3: Ext: Ethernet3: address is 0000.abee.f303, irq 11
4: Ext: Ethernet4: address is 0000.abcd.ef04, irq 11
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces: 6
Maximum VLANs: 25
Inside Hosts: Unlimited
Failover: Disabled
VPN-DES: Disabled
VPN-3DES-AES: Disabled
Cut-through Proxy: Enabled
Guards: Enabled
URL Filtering: Enabled
Security Contexts: 0
GTP/GPRS: Disabled
VPN Peers: Unlimited

This platform has a Restricted (R) license.

Serial Number: 123456789
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration has not been modified since last system restart.
pixfirewall#

In case you are wondering what my test.net file looks like, here it is:

[root@xuxu-t61 TEST]# cat test.net

autostart = false
[localhost:7200]

workingdir = /home/r0ckwell/LAB/TEST
[[3660]]
image = /home/r0ckwell/LAB/TEST/3600img.bin
ram = 96
idlepc = 0x60438e60
disk0 = 0
disk1 = 0
mmap = true
ghostios = true
sparsemem = true

[[ROUTER R1]]
autostart = false
model = 3660
console = 2001
F0/0 = SW 1

[[ROUTER R2]]
autostart = false
model = 3660
console = 2002
F0/0 = SW 2

[[ETHSW SW]]
1 = dot1q 99
2 = dot1q 99
11 = dot1q 99
12 = dot1q 99

[pemu localhost]

[[525]]
serial = 123456789
key = 0xffffffff,0xffffffff,0xffffffff,0xffffffff

image = /var/lib/pemu/images/target/f1/pix

[[FW FW1]]
autostart = false
console = 4001
E0 = SW 11
E1 = SW 12

Running the Cisco VPN client 4.8 on 64-bit FC9

ccie-sec July 28th, 2008

As I attempted to install the vpnclient on my new 64-bit Lenovo T61, I ran into installation errors:

Making module
make -C /lib/modules/2.6.25.11-97.fc9.x86_64/build SUBDIRS=/home/r0ckwell/Download/vpnclient modules
make[1]: Entering directory `/usr/src/kernels/2.6.25.11-97.fc9.x86_64'
scripts/Makefile.build:46: *** CFLAGS was changed in "/home/r0ckwell/Download/vpnclient/Makefile". Fix it to use EXTRA_CFLAGS.  Stop.
make[1]: *** [_module_/home/r0ckwell/Download/vpnclient] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.25.11-97.fc9.x86_64'
make: *** [default] Error 2
Failed to make module “cisco_ipsec.ko”.

After googling around, I found a blog created by Lamnk that corrected the errors.  Basically, you need to download 2 patches and edit the Makefile.  Just follow the procedure he’s outlined on his site and you should be fine.

Running the Cisco VPN client 4.8 on MK3

ccie-sec June 25th, 2008

What is MK3?  Refer back to my posting, ASA Emulator with Qemu.

Now that you are caught up, you may be thinking that MK3 is just a Windows variant and Cisco’s vpnclient should work. Well, it didn’t at first (and neither did version 5.0.03.0530). The 4.8 version installed about 99.9% of the way before telling me it failed. What’s nice about the 4.8 version is it doesn’t roll back and remove the files it installed on the system. The .01% that was unable to finish had to do with starting the ‘Cisco Systems, Inc VPN Service’. Even if you are asked to reboot your system, the service still won’t start and will give you error 1053.

After Googling around, I found that version 4.8.02.0010 requires MSVCIRT.DLL in your c:\windows\system32 directory. Once that was present, I was able to start the service and start using the client to connect into my networks.

(In case you are wondering, after you’ve successfully installed version 4.8 and try to upgrade to version 5.0, it will fail).

ASA Emulator with Qemu

ccie-sec June 16th, 2008

Now that most of my TV shows are done for the season, I can finally get back into studying mode and really start focusing on my next form of torture. For the past few weeks and months I’ve just been maintaining a base knowledge of the Service Provider material, particularly MPLS, but never really embracing or absorbing the knowledge. When you aren’t really pressured to achieve a goal, your sense of urgency is much more relaxed and almost non-existent.

A little more than a year ago, I wrote the ‘PIX Emulator with Qemu’ posting. Since then I’ve only touched the emulator once on my machine, but have found through reading various forums that it has evolved and now supports ASA. The only way for me to really tell was to try and build another emulated instance for myself.

For my 1st attempt, I installed a vmware session running CentOS Server v4.6 to use as my base install, but as soon as I tried to run Qemu, I ended up hosing the instance because Qemu wants to run its own version of vmlinuz. I read that I could use a mounted USB drive to separate the vmlinuz files, but I wanted to keep the hardware aspect of the installation down to a minimum and just use a single folder on my drive. For my 2nd attempt, I ran a clean install of Windows XP and Qemu worked fine. The only issue I had with running this XP instance was it felt bloated. For my 3rd attempt, I ran Qemu in a Windows 2003 Web Edition version which seemed a tad bit faster than XP. In a linux world, if I had a vmware session running in runlevel 3, memory usage would be fine-tuned and performance wouldn’t even be an issue. I was determined I could find a faster Windows solution.

Digging around a bit, I found 2 modified versions of Windows, TinyXP and Micro2003 (MK3), created by eXPerience. You really have to search for each one, but when you find the ISOs off bittorrent you will be very pleased with the results. For my 4th attempt I chose to use MK3 since the ISO was only 100MB. This version of Windows is completely stripped down of unnecessary dll files and services and boots up in less than 5 minutes. Someone at MS should take notes because this is how their OS should operate.

To start, I created a vmware session as depicted below.

You’ll notice that I installed a USB Controller with this vmware session. The file list below can be downloaded in advance to save some time and just copied from a USB drive. It’s up to you.

Once your MK3 installation is loaded, proceed to Google and download the files within the session:

WinPcap_4_0_2.exe -> WinPcap libraries are necessary for Dynamips and Dynagen.
dynagen-0.11.0_win_setup.exe -> If you plan on tying routers and switches to your ASA, you’ll need this.
npptools.zip -> This file is necessary for running ‘dynamips -e’ later to determine your interfaces. Once you find it, copy it to your C:\Windows\System folder.
Firefox Setup 2.0.0.14.exe -> Opera comes installed in MK3 but will become problematic once npptools.dll is added to your Windows directory.
3cdv2r10.zip -> 3CDAEMON application or any other TFTP program you would like to use.
wrar371.exe -> You’ll need this to extract the asa.zip file.
asa.zip -> You need to register a userid at the Hacki forum. Go to the ‘HOWTOs’ forum and look for ThumperCisco’s article “How to Run Cisco ASA on Windows” where you’ll find the asa.zip or qemu.zip files.
putty.exe -> MK3 doesn’t come with telnet.exe so you’ll need one.

To speed up the vmware interfaces, edit your .vmx file and add:

ethernet0.virtualDev = "e1000"
ethernet1.virtualDev = "e1000"

To continue, you should watch the video ‘Emulating 2 ASAs with Active/Active key on Windows XP‘ created by Anderson Alves. If you don’t feel like watching the video, here’s a brief summary of the steps that I remembered:

1. Created 3 MS loopback adapters and renamed them to Lo1, Lo2, and Lo3 respectively
2. Extracted asa.zip to a folder
3. Ran ‘dynamips -e’ to figure out the NPF values of my loopback adapters
4. Edited the ASA-nolina_WIN.bat file:

@echo off
ECHO Telnet to 127.0.0.1 on port 1234 to access ASA Console
ECHO ------------------------------------------------------
ECHO * * * * * * * *DO NOT CLOSE THIS WINDOW* * * * * * * *
qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-nolina.gz -m 256 --no-kqemu -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32" -net nic,vlan=0,model=pcnet,macaddr=00:aa:00:00:01:01 -net pcap,vlan=0,ifname=\Device\NPF_{73E6A630-EF98-4CBB-8C30-A60FA09DF59F} -net nic,vlan=1,model=pcnet,macaddr=00:aa:00:00:01:02 -net pcap,vlan=1,ifname=\Device\NPF_{8588A37C-458A-4E0F-84B9-92900F7D46AA} -net nic,vlan=2,model=pcnet,macaddr=00:aa:00:00:01:03 -net pcap,vlan=2,ifname=\Device\NPF_{837D83B9-3C96-4E21-A860-50FBA9134EDD} -net nic,vlan=3,model=pcnet,macaddr=00:aa:00:00:01:04 -net pcap,vlan=3,ifname=\Device\NPF_{6BAB0ACC-7806-4F33-8877-9C5804931194} -serial telnet::1234,server,nowait

5. Ran ASA-nolina_WIN.bat

6. Telnetted to 127.0.0.1 port 1234 in putty

7. Putty will appear blank, hit <Enter> to go to the #-prompt

8. Turn up your interfaces:

# ifconfig eth0 up
# ifconfig eth1 up
# ifconfig eth2 up

9. Change to where the files are:

# cd /mnt/disk0

10. Run your emulated ASA:

# ./lina_monitor

If you want to downgrade or upgrade your ASA, you need to create your own FLASH1 file. Just Google around and find the procedure.
