Upload: dangdieu

Post on 05-Aug-2018

Configuring GNS3 for CCNA Security Exam (for Windows)

Software Requirements to Run GNS3

From Cisco’s website, here are the minimum requirements for CCP 2.7 and CCP 2.8:

The following info comes from many posts I’ve read, as well as personal experience. Despite meeting the specs Cisco outlines on their website (above), I could not get CCP running with anything but IE11 and Java version 6. Many others were able to get it running with IE9 and Java 6. When I tried to run CCP with Java 7 and IE9, it would give me the following error message (even though I was running something HIGHER than what it was recommending!):

Cisco Configuration Professional requires Internet Explorer Java plug-in 1.6.0_11 or above.

Browser: IE11

Note: From the issues I came across, CCP is always looking for IE when it launches. I set up my PC to use Chrome and Firefox as the default browser and it simply wouldn’t work with anything but IE.

Regardless of the IE browser version you use, you must add your loopback address in Compatibility mode for CCP to work correctly. Open IE and press the Alt key to display the menus at the top. Click on Tools | Compatibility View Settings and add the standard PC loopback address (127.0.0.1) in the “Add this website” field, then click Add:

Java: Java version 6 Update 11 (build 1.6.0_11-b03). Another user in the Cisco Learning Network (Darren Starr) recommended Java 6 Update 45 (stating he’s tested it quite a bit). I list Java 6 update 11 because that is what I had to use to get things working.

Java filename: jre-6u11-windows-i586-p-s.exe

You can search for older Java versions at the following URL (called the “Java Archive”). I can’t recall where I found my file at, as it’s not listed on Oracle’s archive page. As long as it’s version 6, it “should” work:

http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html

TFTP Server: GNS3 comes with SolarWinds TFTP Server. If you have a favorite tftp server, you can use that too.

Virtual Hardware Requirements

From various posts I came across while figuring out how to set up this lab, it seems that you need an 1841 router (or comparable router) running 12.4(20)T1 (or comparable IOS). It must support zone-based firewalls, IPS, and CCP.

ASA 5505 OS version 8.4.(2)

ASDM version 6.4(5) or comparable

You can Google “ccna security grab-bag.zip” and download most of these files. This zip file contains router IOS, ASA OS, and ASDM software needed for this lab.

Getting the ASA Running

With GNS3 running, take the following steps to get the ASA booted for the first time:

1. Edit | Preferences.

2. Click on the QEMU arrow to expand it and select QEMU VMs.

3. Click New on the window that appears.

4. In the New QEMU VM window, give it a name and type:

5. In the next window (“QEMU binary and memory”), leave it at its default settings (Qemu Binary and RAM).

6. Browse to the folder that holds the two files needed to boot the ASA (asaXXX-initrd.gz and asaXXX-vmlinuz). The Kernel image it asks for is the file ending in “vmlinuz” (as shown). Once you have selected the two files, click Finish:

7. You should now be back at the main GNS3 interface. In the left-hand column (where the main icons are located), click on the icon highlighted in blue below (which is the “browse security devices” icon). A side panel should pop up to the right with the ASA icon (as shown):

8. At this point, you can drag the ASA to the main “work area” of GNS3 and start it like any other device in GNS3.

NOTE: After completing the steps above, I had a problem getting the ASA to boot. It would open Putty, but at the top of the Putty program it said "network error: connection refused". After Googling, I found the solution. I had to go back into the ASA settings in GNS3 (Edit | Preferences | QEMU | QEMU VMs), click Edit, click on the Advanced settings tab and change the Additional Settings Options to the following string. That fixed this issue:

-vnc none -vga none -m 512 -icount auto -hdachs 980,16,32

Getting the ASDM GUI Working

A very good tutorial on how to set up ASDM can be found at xerunetworks (URL provided below). I borrowed heavily from this website (with their permission. Thanks Muhammad!) and added some additional info. You can either use the URL below, or the steps I outline right after the URL:

http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/

Adding a Loopback Interface to Your PC

This should go without saying, but I’ll say it as a reminder here. Make sure the IP address you configure on the ASA is in the same subnet as your PC’s loopback address.

1. On your PC, click the Start button and enter hdwwiz.exe. In the list of items that’s displayed, you should see hdwwiz.exe. Click hdwwiz.exe to start the hardware wizard (you can also access the hardware wizard through the Control Panel. It’s just easier this way).

2. In the first window that pops up, click Next.

3. Click the radio button shown below, then click Next:

4. Scroll through the list in the next window and select Network Adapters, then click Next.

5. In the next window, select Microsoft in the left-hand window, then Loopback adapter in the right-hand window pane:

6. Click Next again to install the loopback.

7. Click Start and enter Network Connections. Look for “View Network Connections” in the list of items that appears, then click on “View Network Connections”. You should see the loopback you just created.

8. Restart your PC.

Getting the ASDM GUI Working

Creating the Topology

1. In GNS3, drag a Cloud icon into your work area.

2. Right-click the Cloud icon and click Configure.

3. In the Node Configurator window, click on Cloud1 (that’s the default name for the cloud icon. If you changed it, select the name you gave it). You should see something like this:

4. On the NIO Ethernet tab, click the dropdown box and select Local Area Connection corresponding to the loopback interface you created earlier. You can look in Network Connections to determine which one to select. In my case, the only loopback I had configured was Local Area Connection 3 (as seen below). That’s why I selected this connection in the Cloud 1 Configuration box above:

5. Click Apply, then OK.

6. Drag an Ethernet Switch into your work area (you need this because you can’t make a direct connection between the Cloud and ASA FW).

7. Connect the FW and Cloud to the switch (make a note of which interface you used in the ASA to connect to the switch. You’ll need this info shortly).

8. Start all devices and log into the ASA.

9. Go back to Windows 7 and open “Network and Sharing Center” (you can just click the Start button and enter sharing. You should see “Network and Sharing Center” at the top of the search results list. Click on “Network and Sharing Center”).

10. In the Networking and Sharing Center window, click on the Local Area Connection that was created when you configured the loopback. In my case, this was Local Area Connection 3:

11. Click on Properties.

12. Double-click Internet Protocol Version 4 (or click it once, then click Properties).

13. Enter the following info in the Properties box, then click OK to back out to the Network Sharing window (note: The 10.10.10.3 gateway address shown below is the IP address I configured on the virtual router that I’m using for this lab. You don’t need it to load the ASDM software, since the loopback and ASA are on the same subnet. However, you will need it when trying to access the router using CCP).

14. Turn off Windows Firewall (click Start, enter Windows Firewall and click on Windows Firewall from the list of items that pop up in the search results). This will display the Firewall GUI.

15. In the left-hand window panel, click “Turn Windows Firewall on or off”.

16. In the next window, select the radio buttons shown below:

WARNING: Make sure you go back and re-enable Windows Firewall once you have loaded the ASDM software into the ASA, which is explained next:

Configuring the ASA

1. Configure the ASA as follows (this assumes you used Gig0 to connect the ASA to the switch):

ciscoasa# config t
ciscoasa(config)# int gig0
ciscoasa(config-if)# ip address 10.10.10.1 255.255.255.0
ciscoasa(config-if)# nameif management
ciscoasa(config-if)# no shut

2. From the ASA, verify you can ping 10.10.10.2 (your loopback address). If successful, continue to the next step. If unsuccessful, verify all previous steps.

3. Open the SolarWinds tftp server (or whatever tftp server you are using). In this example, I’ll use SolarWinds.

4. In the SolarWinds TFTP Server interface, click on File | Configure.

5. On the General tab, browse to the location of your ASDM file, click the folder that is holding the ASDM bin file, then click OK. I stored my file in the following folder:

6. Upload the asdm binary file to the ASA (replace the filename shown with whatever filename you are using):

ciscoasa# copy tftp flash
Address or name of remote host []? 10.10.10.2
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
Accessing tftp://10.10.10.2/asdm-647.bin…!!!!!!!!!!!!!!!!!!!!!!!!

7. Complete the config to be able to allow the ASDM GUI to talk to the ASA:

ciscoasa# config t
ciscoasa(config)# asdm image flash:asdm-647.bin
ciscoasa(config)# http server enable
ciscoasa(config)# http 10.10.10.2 255.255.255.255 management
ciscoasa(config)# username cisco password cisco privilege 15
ciscoasa(config)# wr

Yes, you can execute the “write” command in config mode in the ASA!

8. Open your browser and point it to https://10.10.10.1 (if you’re using a proxy, disable it for now). You should see a window like this pop up in a few seconds:

9. Click on “Install ASDM Launcher and Run ASDM”. If you see this warning, click Continue:

10. Once it completes the install and you tell it to run, you should see the following window. Enter the IP of your loopback interface (which we configured as 10.10.10.1 at the beginning of this doc). The login is cisco / cisco (which is what we configured earlier in the ASA):

11. In the next window, click OK.

12. You should now see the main ASDM GUI:

NOTE: When I installed this software initially, I saw the following error message (instead of the GUI shown above):

After Googling, I came across a post from someone who said the problem is the space between “ASA” and “5520” (they didn’t really say where they were seeing this at). The recommendation was to downgrade to a previous version of ASDM. I had initially tried asdm-721.bin, but used asdm-647.bin and this fixed the problem.

Here are a few videos that may help you in setting up ASA and ASDM:

https://www.youtube.com/watch?v=VgoFXwb1QvI

http://www.youtube.com/watch?v=bPIZwtt7ZYE&list=UUZsiAhVMBQxaeoGsuBphb6Q&index=6

http://www.youtube.com/watch?v=moqMN74rekY

Did you remember to re-enable Windows Firewall???

Minimum Router Config for CCP

Here’s a video that shows how to configure a Cisco device to communicate with CCP:

http://www.youtube.com/watch?v=uRYo3XBek4E

…but in a nutshell, the basic config to be able to use CCP with a device is below (Note: Typically you would choose either ip http server or ip http secure-server). You do not need to set up the vty lines, because CCP is accessing the router using http/s.

username xxx priv 15 secret xxx
ip http server
ip http secure-server
ip http authentication local
!
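The ASA commands in step 7 of “Configuring the ASA” and the router lines above are lab settings (cisco / cisco, ip http server alongside ip http secure-server). The following is an added example, not part of the original guide: a Python check that flags those settings in a config before it is reused outside GNS3. The name audit_mgmt_config and the sample text are assumptions constructed from the commands on this page; passwords are compared as typed, not as the hashed form a running-config shows.

```python
import ipaddress
import re

# Constructed sample: the ASA and router management lines shown in this guide.
SAMPLE_CONFIG = """\
http server enable
http 10.10.10.2 255.255.255.255 management
username cisco password cisco privilege 15
ip http server
ip http secure-server
ip http authentication local
"""

ASA_HTTP = re.compile(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)")
USER = re.compile(r"username (\S+) (?:.* )?(password|secret) (\S+)")


def audit_mgmt_config(text):
    """Return sorted (line_number, finding) tuples; line 0 means config-wide."""
    findings = []
    lines = [raw.strip() for raw in text.splitlines()]
    for num, line in enumerate(lines, start=1):
        # Router: cleartext HTTP management; CCP also works over HTTPS.
        if line == "ip http server":
            findings.append((num, "cleartext HTTP management enabled"))
        # ASA: 'http <network> <mask> <interface>' limits who may reach ASDM.
        m = ASA_HTTP.fullmatch(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net.prefixlen < 32:
                findings.append((num, f"ASDM allowed from all of {net} via {m.group(3)}"))
        # Local accounts: password typed identically to the username.
        m = USER.match(line)
        if m and m.group(1) == m.group(3):
            findings.append((num, f"user '{m.group(1)}' password equals username"))
    # HTTP(S) management enabled without local authentication.
    http_on = any(l in ("ip http server", "ip http secure-server") for l in lines)
    if http_on and "ip http authentication local" not in lines:
        findings.append((0, "HTTP(S) server without 'ip http authentication local'"))
    return sorted(findings)


if __name__ == "__main__":
    for num, finding in audit_mgmt_config(SAMPLE_CONFIG):
        print(f"line {num}: {finding}")
```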

Using CCP to Configure a Cisco Device

1. After installing CCP, you should have an icon on your desktop named “Cisco Configuration Professional”. Before you start CCP, you’ll want to make sure you can communicate with the router first. You do this by bringing up a browser window (use IE, as this is what CCP will use).

2. Since we configured both telnet and ssh, you can either use https or http to access the router (I’ll use https in this example). In the IE window, enter https://10.10.10.3/ and press enter. You may get a warning saying “There is a problem with this website’s security certificate.” Ignore it by clicking “Continue to this website (not recommended)”.

3. You will be prompted to log in. Use the local account you set up earlier to log in (which is cisco / cisco for this setup). After you enter your credentials, you will see a basic screen of info. This verifies you can at least communicate with the router:

4. Start CCP. Once it loads, click Manage Devices at the bottom left of the window.

5. In the Manage Devices window that appears, enter the IP address, username and password of the device you want to connect to. If you want to use https, also click the checkbox to the far right of the line and click the dropdown arrow to verify which ports it will use:

Do the same thing for each device you want to manage with CCP, then click the checkbox in the lower right-hand corner (labeled Discover all devices). Click OK. Back at the main window, highlight the device you want to access and click Discover (note: The discovery process can take 30-45 seconds!). As it’s trying to discover the device, you will see the status.

Once it’s done (and assuming it was successful), the Discover Status will say Discovered. Once it shows Discovered, you can begin configuring the device using the “Configure” button near the top left-hand corner of the window.

Other Troubleshooting Tips

If you run CCP and only see CCP in about a fourth of the window, try pressing Ctrl+ to expand the windows.

You need to run CCP as Admin. Right-click the CCP icon, click Properties, then click the Compatibility tab. In the bottom left-hand corner, verify the “Run this program as an administrator” is checked.

https://learningnetwork.cisco.com/thread/57763?start=15&tstart=0

http://blog.pluralsight.com/cisco-configuration-professional-installation

https://www.youtube.com/watch?v=VgoFXwb1QvI

Some have said you need to have an IE window already opened before running CCP, but I haven’t run into that issue. Some also say you need to run CCP with admin privileges. When CCP was installed, it was already configured to run as admin. To check, right-click the CCP icon, click the Compatibility tab, and verify it’s set for “Run as admin”.
