Cisco ASA in GNS3: Possible Scenarios and Related Bugs
More than one article was devoted to the GNS3 emulator, and I think that many who work with Cisco equipment faced with the need to run network equipment in a virtual environment to check topologies and solutions of interest, when debugging non-working configurations, or just preparing for certification or learning a particular technology.
The latest versions of GNS3 have the ability to emulate a device like the Cisco ASA. This device is a multifunctional firewall, can work in various modes (routed / transparent; single / multiple context), used in fault-tolerant configurations (active / standby; active / active), etc. The article presents test results and conclusions on how fully this functionality is supported when virtualizing this device in GNS3.
I hope that this article will help you decide whether to emulate this or that topology in GNS3, and also save time when debugging your solution in a virtual environment.
Initial data
Testing was conducted using the following tools:
1. Windows Server 2003 R2 Standard Virtual Machine (Intel Xeon E5420 2.50GHz, 4Gb RAM);
2. Emulator GNS3 v.0.7.4;
3. Cisco ASA 8.0 OS Image (2);
4. Cisco ASDM 6.4 (5) graphics management and monitoring tool;
5. Cisco IOS OS image for routers 3725 (c3725-adventerprisek9-mz.124-25d);
6. Cisco ACS 4.2 Access Control Server;
7. FTP-, TFTP-, syslog-server based on 3CDaemon.
')
Test topologies and verification techniques were taken from the first workbook (WB) of Internetwork Expert (INE) to prepare for CCIE Security. I will omit the tasks and description of the technologies being tested, leaving only the results.
A description of how to run Cisco ASA in GNS3 can be found at the links - in English , and even in Russian .
In the first test, the Cisco ASA firewall (hereinafter referred to as MU) was launched in routed and single modes (without support for virtual contexts).
The topology is shown in the figure:
As part of these checks, the work of dynamic routing protocols (RIP, OSPF, EIGRP), redistribution, IP SLA tracking was checked.
In cases where there was a need for a managed switch, a Cisco 3725 router with an NM-16ESW module was used.
A list of unsupported L2 functions when using the NM-16ESW module is provided on the official website .
The command line interface is slightly different from the Cisco Catalyst switches. Be careful.
Actually, the tasks described in WB1 INE did not cause any problems with Cisco ASA emulation. And in general, looking ahead, I’ll say that only routed / single modes work more or less fully in GNS3 at the moment.
However, at this stage a number of auxiliary bugs appeared. Perhaps the word "bug" does not quite correctly reflect the difficulties and errors that occurred during emulation, however, for the purposes of unity of classification, I will use it.
Bug number 1. The need to reboot the Cisco ASA after setting the base configuration in case switching was performed after the device started. Otherwise, the connectivity was not established, the devices did not see each other.
Bug number 2. In general, this is not a bug, but a feature of the basic GNS3 settings. Because on the machine where GNS3 was started, Cisco ACS4.2 was installed, then ports 2000-2002 were listened directly by ACS itself. And GNS3 uses ports from 2000 as default console ports for routers. Therefore, be careful, you need to change these ports when adding a router.
Bug number 3. The configuration of routers after turning off and turning on GNS3 is not saved. This bug was observed in older versions of GNS3 on some IOS images, particularly when working with the 3700 series routers. In the current version, I have no problems working with the 3725, but there is information that the problem remains with 3745 ... Although everything is possible here depends on the emulated image. In general, if someone collides, you can try to solve this problem in this way.
In the second test, the DOE Cisco ASA also started in routed, single modes.
In this test, we checked the operation of access lists (ACLs), various variants of NAT (dynamic NAT, PAT; static NAT, PAT; dynamic policy NAT, static policy NAT, PAT; Identity NAT; NAT Exemption; Outside Dynamic NAT), the ability to control using ASDM, DNS Doctoring function, processing of fragmented traffic, passing BGP connections through ME, multicasting, NTP operation, event logging (syslog, SNMP), ME operation as a DHCP server, policing and shaping.
Small difficulties have arisen with management with the help of ASDM (you can watch video instructions on how to set up ASDM operation in GNS3). After enabling the ASDM, the device log is filled up with the following messages:
which somewhat complicates debugging. You can use filters, or disable the logging of this message altogether (
Of the critical flaws:
Bug number 4. DOE Cisco ASA as a DHCP server in a GNS3 environment does not work.
In the third test, the work of ME in a transparent mode was checked. ASA in transparent mode can use only two interfaces (in single mode) for data transfer (and one dedicated interface for control traffic), despite the fact that it may have more interfaces.
In this mode, full-fledged work of Cisco ASA in the GNS3 environment is not supported. The Mgmt interface is available when checking from routers, but traffic through the firewall does not pass, despite the fact that attempts to establish a connection are displayed on the firewall.
Actually because of this, it was not possible to verify the operation of such mechanisms as ARP Inspection, Ethertype ACL, Transparent Firewall NAT.
Bug number 5. Transparent mode in Cisco ASA in GNS3 environment is not supported.
In this mode, two virtual contexts were created: CustomerA, CustomerB.
Interfaces used by the CustomerA context: E0 / 1.121 (InsideA), E0 / 2 (DMZ), E0 / 0 (Outside)
Interfaces used by the CustomerB context: E0 / 1.122 (InsideB), E0 / 2 (DMZ), E0 / 0 (Outside)
The DMZ and Outside interfaces are divided between contexts.
In GNS3, this mode will be supported only when the
If your script does not use network address translation, you will not be able to use the same IP and MAC on a shared interface in several contexts.
Bug number 6. The use of virtual contexts is possible only when the
In this mode, only one device is active, the second is in a passive state. The devices synchronize the configuration with each other, as well as the table of connection states, which allows in case of failure of the active part not to break the already established connections.
During the test, router R1 established a telnet connection to router R2, after which a failure was simulated (by turning off the switch port SW1 connected to the active ME). Logically, the failover pair should switch, the telnet connection should continue to work, because between the ME is configured statefull-link.
However, in the GNS3 virtual environment, the result was different. The failover pair switching occurred, but the telnet session was interrupted. Moreover, traffic through firewalls stopped going altogether. This is due to the fact that, despite the fact that the active part has changed, the cluster continued to respond to ARP requests with the MAC address of the first firewall (although it has already switched to passive mode). After a complete reboot of the cluster pair, the situation has not changed.
Bug number 7. Cisco ASA in Active / Standby failover mode, after switching the active device to passive, ceases to pass traffic through itself due to incorrect responses to ARP requests.
As far as I know, such a problem does not arise when emulating Cisco PIX 7 versions. Therefore, if necessary, use this solution.
In this mode, both devices are active. This is achieved by using several virtual contexts, some of which are active on one part of the cluster, and some on the other.
The check was planned similar to that described in the previous paragraph. However, it ended somewhat earlier. The reason is as follows: the devices are united in a cluster, but the traffic does not pass through it, because in the fault-tolerant Active / Active configuration, virtual mac-addresses are used.
Bug number 8. Traffic does not pass through the Cisco ASA cluster in Active / Active failover mode.
In the last test, a scheme with redundant interfaces on the Cisco ASA was assembled, which allows you to combine several physical interfaces into a logical one. In this case, only one interface is active, the second is activated only after the first one fails.
The test disconnected the port of the switch connected to the active ASA interface. After detecting the failure, the second interface of the ME should be active. However, in the GNS3 environment, the DOE did not detect for its part the disabling of the port on the switch, and accordingly the non-working interface continued to be in an active state.
Bug number 9. Switching of the redundant interface does not occur when a physical connection fails on a neighboring device.
Tests have shown that not all Cisco ASA Modes in GNS3 are fully supported. Least of all problems arose when using routed, single mode modes. In general, this mode is the most popular and most complete in terms of functionality. In transparent mode, to achieve correct operation of the firewall failed.
The mode using virtual contexts is possible in GNS3, but under the condition that the virtual mac-address generation function is disabled, which will not allow implementing a number of scenarios when working with Cisco ASA.
If your goal is to test the merging of two ASA devices into a failover cluster, then you can use GNS3. However, in the case of Active / Standby mode, the traffic will not pass through the cluster pair when switching (in case of failure), and in the case of Active / Active in all cases.
The situation similar to that with the Active / Standby mode occurs when using redundant interfaces. If the active interface fails, traffic through the ASA will not pass.
I note that all configurations used in the tests were tested on real equipment and worked without any complaints.
Perhaps there are ways to fully launch one or another Cisco ASA mode in GNS3, in which case you can arrange a disclosure session and share this knowledge in the comments.
If for someone this solution is new, then you can get to know him on the official website - and also watch a “small” 40-minute video from the well-known author of textbooks CBT Nuggets to prepare for Cisco exams - Jeremy Cioara.
The latest versions of GNS3 have the ability to emulate a device like the Cisco ASA. This device is a multifunctional firewall, can work in various modes (routed / transparent; single / multiple context), used in fault-tolerant configurations (active / standby; active / active), etc. The article presents test results and conclusions on how fully this functionality is supported when virtualizing this device in GNS3.
I hope that this article will help you decide whether to emulate this or that topology in GNS3, and also save time when debugging your solution in a virtual environment.
Initial data
Testing was conducted using the following tools:
1. Windows Server 2003 R2 Standard Virtual Machine (Intel Xeon E5420 2.50GHz, 4Gb RAM);
2. Emulator GNS3 v.0.7.4;
3. Cisco ASA 8.0 OS Image (2);
4. Cisco ASDM 6.4 (5) graphics management and monitoring tool;
5. Cisco IOS OS image for routers 3725 (c3725-adventerprisek9-mz.124-25d);
6. Cisco ACS 4.2 Access Control Server;
7. FTP-, TFTP-, syslog-server based on 3CDaemon.
')
Test topologies and verification techniques were taken from the first workbook (WB) of Internetwork Expert (INE) to prepare for CCIE Security. I will omit the tasks and description of the technologies being tested, leaving only the results.
A description of how to run Cisco ASA in GNS3 can be found at the links - in English , and even in Russian .
Test Topologies and Validations
1. Dynamic routing
In the first test, the Cisco ASA firewall (hereinafter referred to as MU) was launched in routed and single modes (without support for virtual contexts).
The topology is shown in the figure:
As part of these checks, the work of dynamic routing protocols (RIP, OSPF, EIGRP), redistribution, IP SLA tracking was checked.
In cases where there was a need for a managed switch, a Cisco 3725 router with an NM-16ESW module was used.
A list of unsupported L2 functions when using the NM-16ESW module is provided on the official website .
The command line interface is slightly different from the Cisco Catalyst switches. Be careful.
Actually, the tasks described in WB1 INE did not cause any problems with Cisco ASA emulation. And in general, looking ahead, I’ll say that only routed / single modes work more or less fully in GNS3 at the moment.
However, at this stage a number of auxiliary bugs appeared. Perhaps the word "bug" does not quite correctly reflect the difficulties and errors that occurred during emulation, however, for the purposes of unity of classification, I will use it.
Bug number 1. The need to reboot the Cisco ASA after setting the base configuration in case switching was performed after the device started. Otherwise, the connectivity was not established, the devices did not see each other.
Bug number 2. In general, this is not a bug, but a feature of the basic GNS3 settings. Because on the machine where GNS3 was started, Cisco ACS4.2 was installed, then ports 2000-2002 were listened directly by ACS itself. And GNS3 uses ports from 2000 as default console ports for routers. Therefore, be careful, you need to change these ports when adding a router.
Bug number 3. The configuration of routers after turning off and turning on GNS3 is not saved. This bug was observed in older versions of GNS3 on some IOS images, particularly when working with the 3700 series routers. In the current version, I have no problems working with the 3725, but there is information that the problem remains with 3745 ... Although everything is possible here depends on the emulated image. In general, if someone collides, you can try to solve this problem in this way.
2. Network settings
In the second test, the DOE Cisco ASA also started in routed, single modes.
In this test, we checked the operation of access lists (ACLs), various variants of NAT (dynamic NAT, PAT; static NAT, PAT; dynamic policy NAT, static policy NAT, PAT; Identity NAT; NAT Exemption; Outside Dynamic NAT), the ability to control using ASDM, DNS Doctoring function, processing of fragmented traffic, passing BGP connections through ME, multicasting, NTP operation, event logging (syslog, SNMP), ME operation as a DHCP server, policing and shaping.
Small difficulties have arisen with management with the help of ASDM (you can watch video instructions on how to set up ASDM operation in GNS3). After enabling the ASDM, the device log is filled up with the following messages:
%ASA-5-402128: CRYPTO: An attempt to allocate a large memory block
failed, size: size, limit: limitwhich somewhat complicates debugging. You can use filters, or disable the logging of this message altogether (
no logging message 402128 ).Of the critical flaws:
Bug number 4. DOE Cisco ASA as a DHCP server in a GNS3 environment does not work.
3. Cisco ASA in Transparent mode
In the third test, the work of ME in a transparent mode was checked. ASA in transparent mode can use only two interfaces (in single mode) for data transfer (and one dedicated interface for control traffic), despite the fact that it may have more interfaces.
In this mode, full-fledged work of Cisco ASA in the GNS3 environment is not supported. The Mgmt interface is available when checking from routers, but traffic through the firewall does not pass, despite the fact that attempts to establish a connection are displayed on the firewall.
Actually because of this, it was not possible to verify the operation of such mechanisms as ARP Inspection, Ethertype ACL, Transparent Firewall NAT.
Bug number 5. Transparent mode in Cisco ASA in GNS3 environment is not supported.
4. Cisco ASA in Virtual Contexts Mode
In this mode, two virtual contexts were created: CustomerA, CustomerB.
Interfaces used by the CustomerA context: E0 / 1.121 (InsideA), E0 / 2 (DMZ), E0 / 0 (Outside)
Interfaces used by the CustomerB context: E0 / 1.122 (InsideB), E0 / 2 (DMZ), E0 / 0 (Outside)
The DMZ and Outside interfaces are divided between contexts.
In GNS3, this mode will be supported only when the
mac-address auto command is disabled ( no mac-address auto ). This command generates a virtual mac-address on a shared interface for each context. Virtual mac is one of the criteria for classifying a package for delivery to the desired context. Therefore, when disabled, other criteria for classification will be used (entries in active NAT translations).If your script does not use network address translation, you will not be able to use the same IP and MAC on a shared interface in several contexts.
Bug number 6. The use of virtual contexts is possible only when the
mac-address auto command is disabled, which imposes restrictions on the possible deployment scenarios of a Cisco ASA ME.5. Failover configuration in Active / Standby mode
In this mode, only one device is active, the second is in a passive state. The devices synchronize the configuration with each other, as well as the table of connection states, which allows in case of failure of the active part not to break the already established connections.
During the test, router R1 established a telnet connection to router R2, after which a failure was simulated (by turning off the switch port SW1 connected to the active ME). Logically, the failover pair should switch, the telnet connection should continue to work, because between the ME is configured statefull-link.
However, in the GNS3 virtual environment, the result was different. The failover pair switching occurred, but the telnet session was interrupted. Moreover, traffic through firewalls stopped going altogether. This is due to the fact that, despite the fact that the active part has changed, the cluster continued to respond to ARP requests with the MAC address of the first firewall (although it has already switched to passive mode). After a complete reboot of the cluster pair, the situation has not changed.
Bug number 7. Cisco ASA in Active / Standby failover mode, after switching the active device to passive, ceases to pass traffic through itself due to incorrect responses to ARP requests.
As far as I know, such a problem does not arise when emulating Cisco PIX 7 versions. Therefore, if necessary, use this solution.
6. Failsafe configuration in Active / Active mode
In this mode, both devices are active. This is achieved by using several virtual contexts, some of which are active on one part of the cluster, and some on the other.
The check was planned similar to that described in the previous paragraph. However, it ended somewhat earlier. The reason is as follows: the devices are united in a cluster, but the traffic does not pass through it, because in the fault-tolerant Active / Active configuration, virtual mac-addresses are used.
Bug number 8. Traffic does not pass through the Cisco ASA cluster in Active / Active failover mode.
7. Redundant interfaces
In the last test, a scheme with redundant interfaces on the Cisco ASA was assembled, which allows you to combine several physical interfaces into a logical one. In this case, only one interface is active, the second is activated only after the first one fails.
The test disconnected the port of the switch connected to the active ASA interface. After detecting the failure, the second interface of the ME should be active. However, in the GNS3 environment, the DOE did not detect for its part the disabling of the port on the switch, and accordingly the non-working interface continued to be in an active state.
Bug number 9. Switching of the redundant interface does not occur when a physical connection fails on a neighboring device.
findings
Tests have shown that not all Cisco ASA Modes in GNS3 are fully supported. Least of all problems arose when using routed, single mode modes. In general, this mode is the most popular and most complete in terms of functionality. In transparent mode, to achieve correct operation of the firewall failed.
The mode using virtual contexts is possible in GNS3, but under the condition that the virtual mac-address generation function is disabled, which will not allow implementing a number of scenarios when working with Cisco ASA.
If your goal is to test the merging of two ASA devices into a failover cluster, then you can use GNS3. However, in the case of Active / Standby mode, the traffic will not pass through the cluster pair when switching (in case of failure), and in the case of Active / Active in all cases.
The situation similar to that with the Active / Standby mode occurs when using redundant interfaces. If the active interface fails, traffic through the ASA will not pass.
I note that all configurations used in the tests were tested on real equipment and worked without any complaints.
Perhaps there are ways to fully launch one or another Cisco ASA mode in GNS3, in which case you can arrange a disclosure session and share this knowledge in the comments.
If for someone this solution is new, then you can get to know him on the official website - and also watch a “small” 40-minute video from the well-known author of textbooks CBT Nuggets to prepare for Cisco exams - Jeremy Cioara.
Source: https://habr.com/ru/post/134188/
All Articles