Wednesday, January 20, 2010

Emulating ASA with Qemu+pcap in Windows

OK, here I'm going to explain how to emulate a Cisco ASA with Qemu on Windows. There is more to the process than just Qemu and pcap, but these two do the essential work. Let's begin and document the whole setup, through to using the ASA with ASDM.
Download the asa.zip archive and unpack it to any folder: http://rapidshare.com/files/337827123/asa.zip (I have put another copy on an UbuntuOne server). It contains:
    • The unpacked image of asa802-k8.bin. The .bin file has to be unpacked so that the kernel and initrd files can be passed to Qemu separately. The unpacking process is described well here: http://blog.gns3.net/2009/12/how-to-emulate-cisco-asa;
    • Qemu, patched with pcap support. On Windows, WinPcap has to be installed so that Qemu can bridge the ASA's network adapters to the host's interface(s), for example the MS Loopback adapter. On Linux, Qemu has to be compiled with pcap support (libpcap-dev must be installed);
    • A flash file created with qemu-img (the ASA uses it as the disk for its file system);
    • .bat files with the Qemu startup commands. They carry the important startup options and the list of network adapters the ASA will use, together with the host interface each of them is bridged to. The virtual or physical host interfaces we want to bridge must be named there; their identifiers can be looked up in the GNS3 cloud node or via the option in the GNS3 folder of the Start menu (Windows only).
    Extract the archive wherever you like and edit ASA-nolina_WIN.bat, putting in the identifiers of your own interfaces (again, visible in the GNS3 cloud node or the GNS3 Start menu folder on Windows). Then double-click the .bat file.

When everything has loaded, telnet to localhost:1234 and type the following at the Linux prompt:
    • modprobe e100
    • ifconfig eth0 up
    • ifconfig eth1 up, and so on (one per interface we want to use/bridge);
    • cd /mnt/disk0
    • ./lina_monitor (or /asa/bin/lina -m for multiple-context mode)
    After that we can watch the ASA load.
    Then configure it with the following:
    • enable
    • configure t
    • int eth0/0
    • nameif management
    • security-level 100
    • ip add 192.168.200.2 255.255.255.0 (an address in the network of the host adapter this interface is bridged to)
    • no shutdown
    • management-access management
    After that we should be able to ping the bridged host interface. If we can't, something in the configuration is wrong.

Now let's configure ASDM.
    Here is a link to the ASDM version I was using: ASDM 6.2

    On the ASA configure the following lines:
    • telnet 192.168.200.1 255.255.255.255 management (192.168.200.1 is the IP address of your host's bridged interface)
    • http server enable
    • http 192.168.200.1 255.255.255.255 management
    The next step is to download and install Fiddler, a small HTTP debugging proxy. It is needed because the emulated ASA doesn't know its real platform: "sh version" shows an empty hardware field, and ASDM needs to know the platform to function properly. We also need it to handle the buffering of the HTTP traffic and a few other things; without it we end up with an error message saying that this version of ASDM isn't supported, or something similar.
    Now set Fiddler to decrypt HTTPS:
    • Fiddler --> Tools --> Fiddler Options --> HTTPS --> check 'Decrypt HTTPS traffic'
    Then add rules to Fiddler that fill the empty hardware field with a platform name such as ASA5520:

• Fiddler --> Rules --> Customize Rules (CTRL-R) --> add the code below. Both functions already exist in CustomRules.js (inside the Handlers class), so add only the if blocks to them:
    static function OnBeforeRequest(oSession: Session)
        {
            // Stream these two ASDM resources instead of buffering the whole response.
            if ((oSession.url.EndsWith("/admin/asdm_handler")) || (oSession.url.EndsWith("/admin/pdm.sgz"))){
                oSession.bBufferResponse = false;
            }

            // Turn ASDM's "write mem" into an explicit copy to the .private
            // startup-config. These two rewrites change the outgoing request,
            // so they have to run here, before the request reaches the ASA
            // (in OnBeforeResponse the request has already been sent).
            if (oSession.url.EndsWith("/admin/config")){
                oSession.utilReplaceInRequest("write mem","copy /noconfirm running-config disk0:/.private/startup-config");
            }
            if (oSession.url.EndsWith("/admin/exec/write+memory")){
                // String.Replace returns a new string; it must be assigned back or nothing changes.
                oSession.url = oSession.url.Replace("write+memory","copy+%2Fnoconfirm+running-config+disk0%3A%2F.private%2Fstartup-config");
            }
        }
    static function OnBeforeResponse(oSession: Session)
        {
            // The emulated ASA reports an empty hardware field ("Hardware:   ,").
            // Decode the body (it may be compressed/chunked) and fill in a model
            // name so ASDM accepts the device.
            if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
                oSession.utilDecodeResponse();
                oSession.utilReplaceInResponse('Hardware:   ,','Hardware:   ASA5520,');
            }

            if (oSession.url.EndsWith("/admin/exec/show+version")) {
                oSession.utilDecodeResponse();
                oSession.utilReplaceInResponse('Hardware:   ,','Hardware:   ASA5510,');
            }
        }

Or download the following .js file and replace Fiddler's CustomRules.js with it: http://rapidshare.com/files/337830003/Fiddler_custom_rule.rar.
    Also, to be able to use 3DES/AES encryption through ASDM, add the following to the Fiddler .js file. Fiddler only rewrites the HTTP responses ASDM reads, so this changes what ASDM believes is licensed, not what the emulated ASA itself enforces:
    static function OnBeforeResponse(oSession: Session)
        {
            // Combined command string ASDM sends on connect: fill in the platform,
            // rename the license lines to the names ASDM looks for, and replace the
            // placeholder serial number and zeroed activation key.
            if (oSession.url.EndsWith("/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context")) {
                oSession.utilDecodeResponse();
                oSession.utilReplaceInResponse('Hardware:   ,','Hardware:   ASA5510,');
                oSession.utilReplaceInResponse('3DES-AES                     : Enabled','VPN-3DES-AES                 : Enabled');
                oSession.utilReplaceInResponse('ADV END SEC                  : Enabled','Advanced Endpoint Assessment : Enabled');
                oSession.utilReplaceInResponse('Serial Number: 123456789AB','Serial Number: JKX1014K074');
                oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            }

            // Plain "show version": same substitutions.
            if (oSession.url.EndsWith("/admin/exec/show+version")) {
                oSession.utilDecodeResponse();
                oSession.utilReplaceInResponse('Hardware:   ,','Hardware:   ASA5510,');
                oSession.utilReplaceInResponse('3DES-AES                     : Enabled','VPN-3DES-AES                 : Enabled');
                oSession.utilReplaceInResponse('ADV END SEC                  : Enabled','Advanced Endpoint Assessment : Enabled');
                oSession.utilReplaceInResponse('Serial Number: 123456789AB','Serial Number: JKX1014K074');
                oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
            }

            // "show activation-key" formats the serial with two spaces and reports
            // a missing flash key; rewrite both so ASDM sees a permanent key.
            if (oSession.url.EndsWith("/admin/exec/show+activation-key")) {
                oSession.utilDecodeResponse();
                oSession.utilReplaceInResponse('Serial Number:  123456789AB','Serial Number:  JKX1014K074  ');
                oSession.utilReplaceInResponse('Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000','Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
                oSession.utilReplaceInResponse('Failed to retrieve flash activation key.','Permanent Flash Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91');
                oSession.utilReplaceInResponse('3DES-AES                     : Enabled','VPN-3DES-AES                 : Enabled');
                oSession.utilReplaceInResponse('ADV END SEC                  : Enabled','Advanced Endpoint Assessment : Enabled');
            }
        }
    Note that the function OnBeforeResponse already exists in the file, so only the additional if statements need to be added to it. The search strings must match the ASA's output exactly, spacing included; if they don't, utilReplaceInResponse simply leaves the body unchanged and ASDM keeps seeing the empty platform.
    The path to the file is C:\Documents and Settings\Administrator\My Documents\Fiddler2\Scripts\CustomRules.js
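As an added example (not code from the original post, and not a Fiddler script), here is the same rewrite logic as plain Node.js functions, so the rules can be dry-run against a sample body before being trusted inside Fiddler. Fiddler runs JScript.NET; only the string substitutions and the write-memory URL rewrite are mirrored here. The sample "show version" text is constructed rather than captured from a device, and the function names patchResponse and rewriteRequestUrl are my own. The useful part is the `missing` list: Fiddler's utilReplaceInResponse does nothing when the search text doesn't match exactly, so one spacing difference in the emulated ASA's output leaves ASDM seeing the empty platform with no error anywhere.

```javascript
'use strict';

// Added example, not code from the original post. Mirrors the Fiddler
// CustomRules.js substitutions above as plain functions so they can be
// checked offline against a sample "show version" body.

// Response-side rules shared by the show version / show activation-key
// paths: [searchText, replacementText]. The search text must match the ASA
// output byte for byte (column spacing included).
const LICENSE_RULES = [
  ['3DES-AES                     : Enabled', 'VPN-3DES-AES                 : Enabled'],
  ['ADV END SEC                  : Enabled', 'Advanced Endpoint Assessment : Enabled'],
  ['Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000',
   'Running Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91'],
];

// Path suffixes the post's rules key on with EndsWith().
const SHOW_VERSION_SUFFIXES = [
  '/admin/exec/show+version',
  '/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions' +
    '/show+firewall/show+mode/changeto+system/show+admin-context',
];

// Pick the rule table for a request path. `model` is the hardware name that
// replaces the empty "Hardware:   ," field (the post uses ASA5520/ASA5510).
function rulesFor(url, model) {
  if (url.endsWith('/admin/exec/show+activation-key')) {
    return [
      ['Serial Number:  123456789AB', 'Serial Number:  JKX1014K074  '],
      ['Failed to retrieve flash activation key.',
       'Permanent Flash Activation Key: 0x70192e4e 0x507e3e04 0xa8f2f16c 0x85c40864 0x4907ef91'],
      ...LICENSE_RULES,
    ];
  }
  if (SHOW_VERSION_SUFFIXES.some((s) => url.endsWith(s))) {
    return [
      ['Hardware:   ,', `Hardware:   ${model},`],
      ['Serial Number: 123456789AB', 'Serial Number: JKX1014K074'],
      ...LICENSE_RULES,
    ];
  }
  return [];
}

// Apply every matching rule (all occurrences) and report which searches did
// not occur, so a format difference in the emulated ASA's output is visible
// instead of passing silently through the proxy.
function patchResponse(url, body, model = 'ASA5510') {
  const applied = [];
  const missing = [];
  let out = body;
  for (const [search, replacement] of rulesFor(url, model)) {
    if (out.includes(search)) {
      out = out.split(search).join(replacement);
      applied.push(search);
    } else {
      missing.push(search);
    }
  }
  return { body: out, applied, missing };
}

// Request-side rewrite: ASDM's "write memory" becomes an explicit copy to
// the .private startup-config. ASDM separates command words with '+' in the
// exec path, so percent-encode the command and then turn %20 into '+'.
const SAVE_COMMAND = 'copy /noconfirm running-config disk0:/.private/startup-config';

function rewriteRequestUrl(url) {
  if (!url.endsWith('/admin/exec/write+memory')) return url;
  const encoded = encodeURIComponent(SAVE_COMMAND).replace(/%20/g, '+');
  return url.slice(0, -'write+memory'.length) + encoded;
}

// Constructed sample (not captured from a device) of what the emulated ASA
// returns for show version: empty hardware field and a zeroed activation key.
const SAMPLE_SHOW_VERSION = [
  'Cisco Adaptive Security Appliance Software Version 8.0(2)',
  'Hardware:   , 1024 MB RAM',
  'Licensed features for this platform:',
  '3DES-AES                     : Enabled',
  'ADV END SEC                  : Enabled',
  'Serial Number: 123456789AB',
  'Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000',
].join('\n');

function demo() {
  const result = patchResponse('192.168.200.2/admin/exec/show+version', SAMPLE_SHOW_VERSION);
  console.log(result.body);
  console.log('rules that did not match:', result.missing);
  console.log(rewriteRequestUrl('192.168.200.2/admin/exec/write+memory'));
}

demo();
```

Run it with node; it prints the patched body, an empty list of unmatched rules, and the rewritten save URL (identical to the string used in the Fiddler rule). To check a real capture, paste the body Fiddler shows in its Inspector into SAMPLE_SHOW_VERSION and look at what ends up in `missing`.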

Then we need to change the proxy in the Java configuration:
    • Control Panel --> Java --> Network Settings --> use proxy: localhost:8888 --> Advanced --> 'use the same proxy server for all protocols' (8888 is Fiddler's default listening port)

    Now copy the ASDM .bin to the ASA's flash from a TFTP server (a simple copy tftp flash).
    Then try to connect to the ASA's interface over HTTPS in a browser, e.g. https://192.168.200.2/admin
    I had a problem with authentication, so it is reasonable to add a user on the ASA:
    • username igro password cisco privilege 15
    Everything should work fine up to this point.

    P.S. ASDM, like SDM, works only on older Java versions. I use version 5 (the last release of the old 5 series).
    P.P.S. There are some problems with saving the running-config to the startup-config. We should either copy run flash:/.private/startup-config or, if that doesn't work, copy run tftp and then copy tftp flash:/.private/startup-config. ASDM seems to save it without a problem.
    Cheers!

    2 comments:

    1. hi

I am using GNS and virtual machines to study for SNAF and SNAA. Everything was perfect until I needed endpoint assessment. I could not get this feature to work until I came across your blog. Now everything is perfect again. Thank you for this valuable information.
