Virtualizing Cisco ASA 55xx

This time it is the networking practice lab's turn to grow... I already have several virtual MikroTik routers, but I had never managed to get a Cisco ASA running.

It has to be said that this is not legal, it is not supported by Cisco, and everyone can do as they see fit....

I have used it to practise the change Cisco introduced: from version 8.2.x to 8.3 onward, the whole NAT model was reworked and

The original guide is here

First of all, download version 8.4.2 of the Cisco ASA software together with the ASDM:

http://software.cisco.com/download/release.html?mdfid=280582808&softwareid=280775065&release=9.2.1.ED

Then download the script that extracts the image files and builds the ISO for us:

https://gist.github.com/anonymous/c3225054e6681a39be16

To prepare the ISO I am using a Fedora x86 box with the following packages:

vim-minimal vim-common mkisofs

We install them like this:

yum -y install vim-minimal vim-common mkisofs

I modified the script so that the firewall boots on its own, without having to press Enter every time it restarts.... again, everyone can do as they see fit:


#!/bin/bash
# FILENAME: repack.v4.1.sh
# AUTHOR: dmz
# SOURCE: http://7200emu.hacki.at/viewtopic.php?t=9074
# DISCLAIMER: All information provided here are solely for self-education and investigation purposes. Provided AS-IS without any warranties.

VERSION=4.1

IMAGE=$1
CWD=$(pwd)
[ -z "$IMAGE" ] && IMAGE="$CWD/asa842-k8.bin"

echo "Repack script version: $VERSION"

if [ ! -f "$IMAGE" ]; then
  echo "USAGE: repack.sh /path/to/asa/image"
  exit 1
fi

XXD=$(command -v xxd)
ISOLINUX_BIN=/usr/share/syslinux/isolinux.bin
MKISOFS=$(command -v mkisofs)

if [ ! -x "$XXD" ]; then
  echo "ERROR: xxd command not found"
  echo "Install 'vim' or 'vim-enhanced' package to get it"
  exit 1
fi

CREATEISO=no

if [ -x "$MKISOFS" ] && [ -e "$ISOLINUX_BIN" ]; then
  echo "Detected syslinux/cdrtools - ISO will be created"
  CREATEISO=yes
else
  echo "no syslinux/cdrtools - ISO creation skipped"
fi

BASE_NAME=$(basename "$IMAGE")
case "$BASE_NAME" in
'asa842-k8.bin') # ASA 8.4(2)
  # Carve the kernel (fixed size) and the initrd (runs to end of file) out of the image.
  dd skip=102400 if="$IMAGE" of="$CWD/asa842-vmlinuz" bs=1 count=1359344
  dd skip=1461744 if="$IMAGE" of="$CWD/asa842-initrd-original.gz" bs=1
  TMP_DIR=$(mktemp -d)
  pushd "$TMP_DIR"
  # Unpack the initrd, then repack it once unchanged so -original.gz is a clean gzip stream
  # (the carved copy carries trailing bytes, hence gzip's "trailing garbage ignored").
  gunzip -c "$CWD/asa842-initrd-original.gz" | cpio -i --no-absolute-filenames --make-directories
  find . | cpio -o -H newc | gzip -9 > "$CWD/asa842-initrd-original.gz"
  # Patch the boot scripts: verbose boot, a shell on the console when 'shell' is on the
  # kernel command line, and formatting of the flash disk on first boot.
  sed -i -e "s/\(VERBOSE=\).*/\1yes/" etc/init.d/rcS
  sed -i -e "s/echo -n/echo/" etc/init.d/S10udev
  sed -i -e "s#^fi\$#fi\ngrep -q shell /proc/cmdline\n[ \$? == 0 ] \&\& echo '/bin/sh' >> /tmp/run_cmd#" asa/scripts/rcS
  sed -i -e "/mount/d" asa/scripts/format_flash.sh
  sed -i -e "s#mount=0#if [ ! -e /dev/hda1 ]; then /asa/scripts/format_flash.sh /dev/hda1 0 0 /dev/hda; fi\nmount=0#" asa/scripts/rcS.common
  # The hex patch applied to asa/bin/lina here (a here-document of offset/byte lines for
  # xxd -r) was lost when this page was extracted; the here-document is left empty.
  xxd -r -g 2 -c 16 - asa/bin/lina <<'EOF'
EOF
  # Repack the patched tree as the initrd that will actually be booted.
  find . | cpio -o -H newc | gzip -9 > "$CWD/asa842-initrd.gz"
  popd
  rm -rf "$TMP_DIR"
  if [ "$CREATEISO" == "yes" ]; then
    TMP_DIR=$(mktemp -d)
    pushd "$TMP_DIR"
    mkdir isolinux
    cp "$ISOLINUX_BIN" isolinux/
    cp "$CWD/asa842-vmlinuz" .
    cp "$CWD/asa842-initrd.gz" .
    cp "$CWD/asa842-initrd-original.gz" .
    # The bodies of the isolinux.cfg and boot.txt here-documents (boot entries, kernel
    # command line and the timeout the author changed) were lost when this page was
    # extracted; they are left empty here rather than reconstructed.
    cat >isolinux/isolinux.cfg <<'EOF'
EOF
    cat >isolinux/boot.txt <<'EOF'
EOF
    # The exact mkisofs invocation was also lost; this is the standard isolinux form,
    # consistent with "Size of boot image is 4 sectors -> No emulation" in the log below.
    "$MKISOFS" -o "$CWD/asa.iso" -b isolinux/isolinux.bin -c isolinux/boot.cat \
      -no-emul-boot -boot-load-size 4 -boot-info-table .
    popd
    rm -rf "$TMP_DIR"
  fi
  ;;
*)
  echo "Version is not supported!"
  exit 1
  ;;
esac

We give the script execute permission:

[root@localhost home]# chmod +x repack.v4.sh

and now we run it.....

[root@localhost home]# ./repack.v4.sh ./asa842-k8.iso
Repack script version: 4
Detected syslinux/cdrtools - ISO will be created
Version is not supported!
[root@localhost home]# ./repack.v4.sh ./asa842-k8.iso
Repack script version: 4
USAGE: repack.sh /path/to/asa/image
[root@localhost home]# ./repack.v4.sh ./asa842-k8.bin
Repack script version: 4
Detected syslinux/cdrtools - ISO will be created
1359344+0 registros leídos
1359344+0 registros escritos
1359344 bytes (1,4 MB) copiados, 9,43295 s, 144 kB/s

23697936+0 registros leídos
23697936+0 registros escritos
23697936 bytes (24 MB) copiados, 165,249 s, 143 kB/s
/tmp/tmp.mHaYlsi8ln /home

gzip: /home/asa842-initrd-original.gz: decompression OK, trailing garbage ignored
114476 blocks
114476 blocks
114476 blocks
/home
/tmp/tmp.bkRPw31Byc /home
I: -input-charset not specified, using utf-8 (detected in locale settings)
Size of boot image is 4 sectors -> No emulation
21.05% done, estimate finish Fri May 23 22:18:54 2014
42.01% done, estimate finish Fri May 23 22:18:54 2014
63.01% done, estimate finish Fri May 23 22:18:54 2014
83.97% done, estimate finish Fri May 23 22:18:54 2014
Total translation table size: 2048
Total rockridge attributes bytes: 0
Total directory bytes: 2048
Path table size(bytes): 26
Max brk space used 0
23823 extents written (46 MB)
/home

And now, looking at the directory...

[root@localhost home]# ls -l
total 119496
-rw-r--r--. 1 root root 23518187 may 23 22:18 asa842-initrd.gz
-rw-r--r--. 1 root root 23517694 may 23 22:18 asa842-initrd-original.gz
-rw-r--r--. 1 root root 25159680 may 23 22:12 asa842-k8.bin
-rw-r--r--. 1 root root 1359344 may 23 22:15 asa842-vmlinuz
-rw-r--r--. 1 root root 48789504 may 23 22:18 asa.iso
-rwxr-xr-x. 1 root root 4301 may 23 22:11 repack.v4.sh
[root@localhost home]#

We now have the asa.iso file, which we copy over to our VMware host.
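The carving the script does with dd (kernel at offset 102400 for 1359344 bytes, initrd from 1461744 to end of file) and the "trailing garbage ignored" warning in the log above, as an added Python example that is not part of the original post or of dmz's repack script; it works on a constructed stand-in image rather than a real asa842-k8.bin, and goes one step beyond the script by computing the exact end of the gzip stream instead of leaving gzip to skip the trailing bytes.

```python
import gzip
import zlib
from typing import Optional, Tuple

# Offsets used by the repack script for asa842-k8.bin (dd skip=... count=...)
KERNEL_OFFSET = 102400
KERNEL_SIZE = 1359344
INITRD_OFFSET = 1461744  # == KERNEL_OFFSET + KERNEL_SIZE: the initrd starts right after the kernel


def carve(image: bytes, offset: int, size: Optional[int] = None) -> bytes:
    """Byte-exact equivalent of 'dd skip=OFFSET bs=1 [count=SIZE]'."""
    end = len(image) if size is None else offset + size
    if offset > len(image) or end > len(image):
        raise ValueError("slice runs past the end of the image")
    return image[offset:end]


def gzip_member_length(blob: bytes) -> int:
    """Length in bytes of the first gzip member in blob.

    dd without a count copies to end of file, so the carved initrd carries
    whatever follows the gzip stream; that is the 'trailing garbage ignored'
    warning in the log. zlib reports the leftover bytes in unused_data, which
    gives the exact cut point for a clean .gz.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    d.decompress(blob)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return len(blob) - len(d.unused_data)


def extract_initrd(image: bytes) -> Tuple[bytes, bytes]:
    """Return (clean gzip member, decompressed cpio archive) for the initrd."""
    raw = carve(image, INITRD_OFFSET)
    clean = raw[: gzip_member_length(raw)]
    return clean, gzip.decompress(clean)


def build_fake_image(kernel: bytes, initrd: bytes, trailer: bytes) -> bytes:
    """Constructed stand-in for asa842-k8.bin: header padding, kernel, gzip'd initrd, trailer."""
    if len(kernel) != KERNEL_SIZE:
        raise ValueError("kernel must be exactly KERNEL_SIZE bytes")
    return bytes(KERNEL_OFFSET) + kernel + gzip.compress(initrd) + trailer
```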

We create a virtual machine with the following requirements:

1) 256 MB IDE disk (we need no more)
2) "e1000" network cards
3) A single CPU

And it ends up like this:

[image: vmware1]

Now, to make it more realistic, I assign the serial port to the physical machine:

[image: vmware2]

We boot the machine and connect to the serial port .... 🙂


asaTest# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 7.2(1)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

asaCraem up 1 day 9 hours

Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB

0: Ext: GigabitEthernet0 : address is 000c.29a2.705e, irq 0
1: Ext: GigabitEthernet1 : address is 000c.29a2.7068, irq 0
2: Ext: GigabitEthernet2 : address is 000c.29a2.7072, irq 0
3: Ext: GigabitEthernet3 : address is 000c.29a2.707c, irq 0
4: Ext: GigabitEthernet4 : address is 000c.29a2.7086, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration has not been modified since last system restart.

enjoy your virtual asa