Download the asa.zip archive and unpack it to any folder: http://rapidshare.com/files/337827123/asa.zip (I've put another copy on an UbuntuOne server). It contains:
- Unpacked image of asa802-k8.bin. We need to unpack the .bin file so that we can pass the kernel and initrd files to Qemu. The unpacking process is described well here: http://blog.gns3.net/2009/12/how-to-emulate-cisco-asa;
- Qemu (patched with pcap support). On Windows we need WinPcap installed so that Qemu can bridge the ASA network adapter with the OS's interface or interfaces (for example, with the MS Loopback interface). On Linux we need to compile Qemu with pcap support (libpcap-dev must be installed);
- Flash file created with qemu-img (ASA will use it as the disk for its file system);
- .bat files with the commands for Qemu startup. They hold the important startup options and the network adapters that ASA will use and to which ASA's interfaces will be bridged. We have to specify the virtual or physical interfaces to which we want to bridge ASA. We can see them with the GNS3 cloud or with the option in the GNS3 folder in the Start menu (Windows only).
When everything is loaded we need to telnet to it on localhost:1234 and type the following:
- modprobe e100
- ifconfig eth0 up
- ifconfig eth1 up, etc. (depends on how many interfaces we need to use/bridge);
- cd /mnt/disk0
- ./lina_monitor or /asa/bin/lina -m for multicontext mode
Then we should configure it with the following:
- enable
- configure t
- int eth0/0
- nameif management
- security-level 100
- ip add 192.168.200.2 255.255.255.0 (put it in the network of the bridged host adapter)
- no shutdown
- management-access management
Now let's configure ASDM.
Here is a link to ASDM which I was using: ASDM 6.2
In ASA configure the following lines:
- telnet 192.168.200.1 255.255.255.255 management (here is the IP address of your interface)
- http server enable
- http 192.168.200.1 255.255.255.255 management
Now we need to set Fiddler to decode HTTPS:
- Fiddler --> Tools --> Fiddler Options --> HTTPS --> check 'Decrypt HTTPS traffic'
- Fiddler --> Rules --> Customize Rules (CTRL-R) --> add the code below:
    static function OnBeforeRequest(oSession: Session)
    {
        // Stream the large ASDM downloads to the client instead of buffering them.
        if ((oSession.url.EndsWith("/admin/asdm_handler")) || (oSession.url.EndsWith("/admin/pdm.sgz"))){
            oSession.bBufferResponse = false;
        }
        // Request rewrites only take effect before the request is sent,
        // so they belong here and not in OnBeforeResponse.
        if (oSession.url.EndsWith("/admin/config")){
            oSession.utilReplaceInRequest("write mem","copy /noconfirm running-config disk0:/.private/startup-config");
        }
        if (oSession.url.EndsWith("/admin/exec/write+memory")){
            // Replace() returns a new string, so assign the result back to the URL.
            oSession.url = oSession.url.Replace("write+memory","copy+%2Fnoconfirm+running-config+disk0%3A%2F.private%2Fstartup-config");
        }
    }

    static function OnBeforeResponse(oSession: Session)
    {
        // Fill in the hardware model that the emulated ASA reports as empty.
        if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware: ,','Hardware: ASA5520,');
        }
        if (oSession.url.EndsWith("/admin/exec/show+version")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware: ,','Hardware: ASA5510,');
        }
    }
Or download the following js file and replace Fiddler's CustomRules.js with it - http://rapidshare.com/files/337830003/Fiddler_custom_rule.rar.
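The rules above match on ASDM's /admin/exec/ URLs, where each CLI command is one path segment. The following added example (not part of the original post or of ASDM/Fiddler) decodes such URLs back into CLI commands, which helps when reviewing proxy or web logs for what a management session actually ran; the encoding rules and all function names are assumptions inferred from the URLs shown on this page.

```javascript
// Added example (not from the original post). The encoding rules are an
// assumption inferred from the URLs in the rules above: commands are
// separated by "/", spaces become "+", and reserved characters inside a
// command ("/", ":") are percent-encoded.
const EXEC_PREFIX = "/admin/exec/";

// Extract the path from a full URL, a host/path string (the form Fiddler's
// oSession.url uses) or a bare path; the query string is dropped.
function pathOf(url) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?[^\/]*(\/[^?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Decode one path segment; keep the raw text if it is not valid
// percent-encoding so a malformed log line never aborts the review.
function decodeSegment(seg) {
  try {
    return decodeURIComponent(seg.replace(/\+/g, " "));
  } catch (e) {
    return seg;
  }
}

// Return the CLI commands carried by an exec URL, or null for other URLs.
function decodeExecUrl(url) {
  const path = pathOf(url);
  if (path === null || !path.startsWith(EXEC_PREFIX)) return null;
  return path.slice(EXEC_PREFIX.length).split("/")
    .filter((seg) => seg.length > 0)
    .map(decodeSegment);
}

// Build the exec path for a list of CLI commands (inverse of the above).
function encodeExecPath(commands) {
  return EXEC_PREFIX + commands
    .map((cmd) => encodeURIComponent(cmd).replace(/%20/g, "+"))
    .join("/");
}

// Constructed sample: URLs as they would appear in a proxy session list.
const sampleUrls = [
  "192.168.200.2/admin/exec/show+version",
  "192.168.200.2/admin/exec/copy+%2Fnoconfirm+running-config+disk0%3A%2F.private%2Fstartup-config",
  "192.168.200.2/admin/config",
];
for (const u of sampleUrls) {
  console.log(u, "=>", decodeExecUrl(u));
}
```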
Also, to be able to use 3DES/AES encryption through ASDM, we have to add the following parts to the Fiddler .js file:
    static function OnBeforeResponse(oSession: Session)
    {
        if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware: ,','Hardware: ASA5510,');
            oSession.utilReplaceInResponse('3DES-AES : Enabled','VPN-3DES-AES : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC : Enabled','Advanced Endpoint Assessment : Enabled');
            oSession.utilReplaceInResponse('Serial Number: 123456789AB','Serial Number: JKX1014K074');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
        }
        if (oSession.url.EndsWith("/admin/exec/show+version")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Hardware: ,','Hardware: ASA5510,');
            oSession.utilReplaceInResponse('3DES-AES : Enabled','VPN-3DES-AES : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC : Enabled','Advanced Endpoint Assessment : Enabled');
            oSession.utilReplaceInResponse('Serial Number: 123456789AB','Serial Number: JKX1014K074');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
        }
        if (oSession.url.EndsWith("/admin/exec/show+activation-key")) {
            oSession.utilDecodeResponse();
            oSession.utilReplaceInResponse('Serial Number: 123456789AB','Serial Number: JKX1014K074 ');
            oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            oSession.utilReplaceInResponse('Failed to retrieve flash activation key.','Permanent Flash Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            oSession.utilReplaceInResponse('3DES-AES : Enabled','VPN-3DES-AES : Enabled');
            oSession.utilReplaceInResponse('ADV END SEC : Enabled','Advanced Endpoint Assessment : Enabled');
        }
    }
Note that the function OnBeforeResponse already exists in the file, so we only have to add the additional IF statements to it.
The path to the file is C:\Documents and Settings\Administrator\My Documents\Fiddler2\Scripts\CustomRules.js
Then we need to change the proxy in the Java configuration. Go to:
- Control Panel - Java - Network Settings - use proxy: localhost:8888 - advanced "use the same proxy server for all protocols"
Now we should copy the ASDM .bin to the flash of ASA from a TFTP server (a simple copy tftp flash).
Then try to connect to the ASA interface from a browser over HTTPS, like https://192.168.200.2/admin
I had a problem with authentication, so it would be reasonable to add a user in ASA:
- username igro password cisco privilege 15
P.S. ASDM, like SDM, works only on older Java versions. I use version 5 (like the last release of old 5).
P.P.S. Some problems exist with saving running-config to startup-config. We should either copy run flash:/.private/startup-config or, if that doesn't work, use copy run tftp and then tftp flash:/.private/startup-config. It looks like ASDM saves it without a problem.
Cheers!
hi
I am using GNS and virtual machines to study for SNAF and SNAA. Everything was perfect until I need endpoint assessment. I could not get this feature worked until I came across your blog. Now everything is perfect again. thank you for this valuable information.
Thanks for your appreciation!