Create a Cisco ASA VM in VMware Fusion
[Tip: Want to use the latest Cisco ASAv with VMware Fusion and Vagrant? http://binarynature.blogspot.com/2016/07/cisco-asav-vagrant-box-for-vmware-fusion.html]
DISCLAIMER: The information provided herein is for general informational and educational purposes only.
This post shows how to create a Cisco ASA device in VMware Fusion for the Mac. Why do this? Well, the most documented method to integrate the Cisco ASA with GNS3 is by having it run on the QEMU hypervisor. Since VMware Fusion 6 can integrate with GNS3 (check out my previous post), we now have another hypervisor option to bring the Cisco ASA into the GNS3 environment.
The following components were used for this tutorial:
- Mac OS X 10.9 (Mavericks)
- VMware Fusion 6.0
- Fedora 20 LXDE Spin (32-bit PC Edition)
- Cisco ASA 8.4(2) image file
1. Create the ASAVM directory
This will be the working directory for our project. You can create the folder (directory) in the GUI, but I will use the command line method in my example. Run the following command from Terminal:
$ mkdir $HOME/Documents/ASAVM
2. Copy/Move the Cisco ASA image file to the ASAVM directory
Again, feel free to copy/move the file in the GUI, but I will use the command line method. In my example, I will copy the file from my Downloads/Labs directory to the Documents/ASAVM directory. Run the following command from Terminal:
$ cp $HOME/Downloads/Labs/asa842-k8.bin $HOME/Documents/ASAVM
3. Create the repack.v4.1.sh script file
Web forum member dmz is the author of the script that allows us to run the Cisco ASA 8.4(2) software on virtualization hypervisors. The script essentially unpacks the original ASA software binary file, performs patch operations, and repacks the files (and optionally creates a bootable ISO image file). Many thanks to dmz for providing the script, as I'm sure this was a very difficult process to reverse engineer and debug. Visit the web forum post at 7200emu.hacki.at for more information.
Choose either of the following methods for creating the repack.v4.1.sh script file:
# Method 1
Get the script file via curl. Run the following command from Terminal:
$ curl -Lo $HOME/Documents/ASAVM/repack.v4.1.sh http://goo.gl/4SKV8n
# Method 2
Create the repack.v4.1.sh script file manually with the nano text editor. Run the following command from Terminal:
$ nano $HOME/Documents/ASAVM/repack.v4.1.sh
Copy the code from GitHub and paste (command + v) the contents into the text editor window. control + o (Save) the file, press the return key to confirm, and then control + x (exit) the nano text editor.
4. Verify the contents of the ASAVM directory
We should have two files in the ASAVM directory. Run the following command from Terminal to verify:
$ ls -lh $HOME/Documents/ASAVM
total 49160
-rw-r--r-- 1 marc staff 24M Jan 8 18:50 asa842-k8.bin
-rw-r--r-- 1 marc staff 4.2K Jan 8 18:51 repack.v4.1.sh
5. Create the Fedora Linux virtual machine (VM)
Why do we need to create a Linux VM? The repack.v4.1.sh script needs to be run in Linux in order to complete the required operations for the creation of the bootable Cisco ASA ISO image file.
Create the Fedora Linux VM with the following steps:
- Open the VMware Fusion application.
- Select File -> New... from the menu.
- Select Install from disc or image.
- Click the Continue button.
- Click the Use another disc or disc image... button.
- Navigate to and select the Fedora-Live-LXDE-i686-20-1.iso disc image.
- Click the Open button.
- Click the Continue button.
- On the Choose Operating System screen, select Linux -> Fedora.
- Click the Continue button.
- Click the Finish button.
- Click the Save button to save the virtual machine in the default Virtual Machines folder.
The Fedora Linux virtual machine will now automatically boot into the live disc environment, which runs in the virtual machine's vRAM rather than loading from the virtual hard disk drive.
6. Set the password for the liveuser
We are currently logged in as the liveuser standard user account. The user account has no password by default, so we will set a password for it. This step is a prerequisite for upcoming tasks. Run the following command from LXTerminal:
[liveuser@localhost]$ passwd
Changing password for user liveuser.
New password: Pa$$worD1
Retype new password: Pa$$worD1
passwd: all authentication tokens updated successfully.
7. Start the SSH Server
Our next task is to start the SSH Server daemon as we will need to enable remote access to the Linux VM. Run the following command from LXTerminal:
[liveuser@localhost]$ sudo systemctl start sshd.service
...
[sudo] password for liveuser: Pa$$worD1
Verify the daemon process has started and is in the running state. Run the following command from LXTerminal:
[liveuser@localhost]$ pgrep -a sshd
1792 /usr/sbin/sshd -D
8. Download and install software packages
A couple of packages will need to be installed for the repack.v4.1.sh script to be able to create the bootable Cisco ASA ISO image file. Run the following command from LXTerminal:
[liveuser@localhost]$ sudo yum -y update vim-minimal && sudo yum -y install vim-common mkisofs
Verify the packages have been successfully installed by running the following command from LXTerminal:
[liveuser@localhost]$ type xxd mkisofs
xxd is /bin/xxd
mkisofs is /bin/mkisofs
9. Get the IP configuration for the Fedora Linux VM
Your virtual machine will likely have a different dynamic IP address, so make sure to substitute the value in upcoming examples. Run the following command from LXTerminal:
[liveuser@localhost]$ ip addr | grep global
inet 192.168.217.145/24 scope global dynamic eno16777736
10. Transfer files from the Mac host to the Fedora Linux VM
Now that we have the IP address for the Linux VM guest, we can establish an scp connection and transfer the files from our Mac host to the remote Linux VM guest. Run the following commands from Terminal:
$ cd $HOME/Documents/ASAVM
$ scp * liveuser@192.168.217.145:Documents
The authenticity of host '192.168.217.145 (192.168.217.145)' can't be established.
RSA key fingerprint is 62:38:a6:32:6b:d4:90:4a:7c:d8:10:b3:0c:85:d1:a5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.217.145' (RSA) to the list of known hosts.
liveuser@192.168.217.145's password: Pa$$worD1
asa842-k8.bin 100% 24MB 24.0MB/s 00:01
repack.v4.1.sh 100% 4308 4.2KB/s 00:00
11. Create an SSH session to the Fedora Linux VM
Instead of continually entering commands in LXTerminal, within the virtual machine console, we will now simply establish an ssh session and enter the commands in our local Mac Terminal application. Run the following command from Terminal:
$ ssh liveuser@192.168.217.145
liveuser@192.168.217.145's password: Pa$$worD1
12. Run the repack.v4.1.sh script on the Fedora Linux VM (via SSH)
Run the following commands from Terminal:
[liveuser@localhost]$ cd $HOME/Documents
[liveuser@localhost]$ chmod +x repack.v4.1.sh
[liveuser@localhost]$ sudo ./repack.v4.1.sh ./asa842-k8.bin
[sudo] password for liveuser: Pa$$worD1
Repack script version: 4.1
Detected syslinux/cdrtools - ISO will be created
1359344+0 records in
1359344+0 records out
1359344 bytes (1.4 MB) copied, 2.4332 s, 559 kB/s
23697936+0 records in
23697936+0 records out
23697936 bytes (24 MB) copied, 97.922 s, 242 kB/s
/tmp/tmp.OFsCQZsGYc /home/liveuser/Documents
gzip: /home/liveuser/Documents/asa842-initrd-original.gz: decompression OK, trailing garbage ignored
114476 blocks
114476 blocks
114476 blocks
/home/liveuser/Documents
/tmp/tmp.KctycopD9w /home/liveuser/Documents
I: -input-charset not specified, using utf-8 (detected in locale settings)
Size of boot image is 4 sectors -> No emulation
21.05% done, estimate finish Wed Jan 8 22:46:41 2014
42.01% done, estimate finish Wed Jan 8 22:46:41 2014
63.01% done, estimate finish Wed Jan 8 22:46:41 2014
83.97% done, estimate finish Wed Jan 8 22:46:41 2014
Total translation table size: 2048
Total rockridge attributes bytes: 0
Total directory bytes: 2048
Path table size(bytes): 26
Max brk space used 0
23823 extents written (46 MB)
/home/liveuser/Documents
13. Verify the result
Four new files have been created in the directory. Run the following command from Terminal to confirm:
[liveuser@localhost]$ ll -h
-rw-r--r--. 1 root root 23M Jan 8 22:46 asa842-initrd.gz
-rw-r--r--. 1 root root 23M Jan 8 22:46 asa842-initrd-original.gz
-rw-r--r--. 1 liveuser liveuser 24M Jan 8 22:20 asa842-k8.bin
-rw-r--r--. 1 root root 1.3M Jan 8 22:44 asa842-vmlinuz
-rw-r--r--. 1 root root 47M Jan 8 22:46 asa.iso
-rwxr-xr-x. 1 liveuser liveuser 4.3K Jan 8 22:20 repack.v4.1.sh
We are finished with the interactive Linux portion, so close the ssh session to the Fedora Linux VM. Run the following command from Terminal:
[liveuser@localhost]$ exit
logout
Connection to 192.168.217.145 closed.
14. Transfer the asa.iso file from the Fedora Linux VM to the Mac
Run the following command from Terminal:
$ scp liveuser@192.168.217.145:Documents/asa.iso $HOME/Documents/ASAVM
liveuser@192.168.217.145's password: Pa$$worD1
asa.iso 100% 47MB 23.3MB/s 00:02
Verify the asa.iso file has been transferred to the local Mac file system. Run the following command from Terminal:
$ ls -lh $HOME/Documents/ASAVM
total 144456
-rw-r--r-- 1 marc staff 47M Jan 13 18:04 asa.iso
-rw-r--r-- 1 marc staff 24M Jan 13 17:48 asa842-k8.bin
-rw-r--r-- 1 marc staff 4.2K Jan 13 17:50 repack.v4.1.sh
The use of the Fedora Linux VM is complete. We can now shut down the Fedora Linux virtual machine in VMware Fusion.
15. Create the Cisco ASA virtual machine (VM)
We are ready to create the base Cisco ASA VM with the following steps:
- Open the VMware Fusion application.
- Select File -> New... from the menu.
- Select Install from disc or image.
- Click the Continue button.
- Click the Use another disc or disc image... button.
- Navigate to and select the asa.iso disc image.
- Click the Open button.
- Click the Continue button.
- On the Choose Operating System screen, select Linux -> Other Linux 2.6x kernel.
- Click the Continue button.
- Click the Customize Settings button.
- Name the virtual machine package as ASAVM.
- Click the Save button to save the virtual machine in the default Virtual Machines folder.
16. Edit the virtual hardware for ASAVM
Make the following modifications in the Settings window:
| Component | Value |
|---|---|
| Processors | 1 processor core |
| Memory | 1024 MB |
| Network Adapter | Bridged Networking: Ethernet1 |
| Network Adapter 2 | Custom: Private to my Mac |
| Hard Disk (IDE) | 0.50 GB |
| CD/DVD (IDE) | asa.iso |
| Sound Card | Remove Sound Card |
| USB & Bluetooth | Remove USB Controller |
| Printer | Remove Printer Port |
# 16.1 Virtual Network Adapters
I've only tested Bridged Networking with a wired (i.e., no Wi-Fi) Ethernet connection. As newer Mac laptops don't have a physical Ethernet port, the StarTech USB31000S (Black) | USB31000SW (White) is a viable solution. For my labs that use a Cisco ASA as an Internet edge device, I define the first virtual network adapter as the logical outside interface that connects to the physical network.
The virtual machine includes a single virtual network adapter by default. On the main Settings screen for the virtual machine, click the Add Device... button to add another Network Adapter device.
The second virtual network adapter will be set to Private to my Mac (VMnet1). For my labs that use a Cisco ASA as an edge device, I define the second virtual network adapter as the logical inside interface that connects to the virtual GNS3 network.
# 16.2 Virtual Hard Disk
Set the values for the following attributes of the virtual hard disk:
- Disk size: 0.50 GB
- Bus type: IDE
- Check Pre-allocate disk space
- Uncheck Split into multiple files
- Click the Apply button.
17. Edit the ASAVM configuration file
Close the VMware Fusion application before executing the steps in this section.
Some settings can't be configured with the GUI, so we will need to directly edit the ASAVM .vmx (virtual machine configuration) file. My ASAVM virtual machine is located in the default VMware Fusion folder (directory), so I would edit the file with the following command from Terminal (the path contains a space, so it is quoted):
$ nano "$HOME/Documents/Virtual Machines.localized/ASAVM.vmwarevm/ASAVM.vmx"
# 17.1 Virtual Network Adapters
As you recall, we have two virtual network adapters configured for ASAVM. One issue is that the model type is incorrect, so the Cisco ASA software won't recognize them upon boot. We can rectify this with the following steps:
- Locate the line with the ethernet0.present = "TRUE" statement.
- Insert a line directly below it with the ethernet0.virtualDev = "e1000e" statement.
...
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000e"
ethernet0.connectionType = "custom"
ethernet0.wakeOnPcktRcv = "FALSE"
ethernet0.addressType = "generated"
ethernet0.linkStatePropagation.enable = "TRUE"
...
The previous steps will need to be repeated (substitute the vNIC index number) for every virtual network adapter attached to the virtual machine. So to complete my configuration, I would also insert the statement for my second virtual network adapter.
...
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000e"
ethernet1.connectionType = "hostonly"
ethernet1.wakeOnPcktRcv = "FALSE"
ethernet1.addressType = "generated"
...
# 17.2 Virtual Serial Port
Just like with a physical Cisco ASA appliance, we can connect to our ASAVM with a console port connection. This is very similar to how we interface with our virtual routers in GNS3 (Dynamips). The following steps will create a virtual serial port that will allow us to emulate a console port connection via telnet.
- Locate the line with the serial0.present = "FALSE" statement.
- Change the value from FALSE to TRUE to enable it.
- Add some more statements to define the properties of the virtual component.
...
serial0.present = "TRUE"
serial0.yieldOnMsrRead = "TRUE"
serial0.fileType = "network"
serial0.fileName = "telnet://127.0.0.1:52150"
...
We are finished configuring the .vmx file, so let's control + o (save) the file, press the return key to confirm, and then control + x (exit) the nano text editor.
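The edits in 17.1 and 17.2 can also be applied with a script. The following is an added example, not part of the original post: it inserts the e1000e line under every enabled adapter, enables the serial port with the values shown above, and checks that the telnet console stays bound to 127.0.0.1. The function names and the sample .vmx content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): scripted form of steps 17.1-17.2.

# Write a constructed sample of the relevant .vmx lines for offline testing.
make_sample_vmx() {
    cat > "$1" <<'EOF'
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
serial0.present = "FALSE"
EOF
}

# Apply the step 17 edits in place. Rerunning produces the same file.
patch_vmx() {
    vmx=$1
    tmp=$(mktemp) || return 1
    # Keep the pre-edit copy once; later runs do not overwrite it.
    [ -e "$vmx.bak" ] || cp "$vmx" "$vmx.bak" || return 1
    awk '
        function serial_block() {             # values from step 17.2
            print "serial0.present = \"TRUE\""
            print "serial0.yieldOnMsrRead = \"TRUE\""
            print "serial0.fileType = \"network\""
            print "serial0.fileName = \"telnet://127.0.0.1:52150\""
            done = 1
        }
        /^ethernet[0-9]+\.virtualDev *=/ { next }   # re-added below
        /^serial0\.present *=/ { if (!done) serial_block(); next }
        /^serial0\./ { next }                       # replaced by serial_block
        { print }
        /^ethernet[0-9]+\.present *= *"TRUE"/ {     # step 17.1, every vNIC
            split($0, key, ".")
            print key[1] ".virtualDev = \"e1000e\""
        }
        END { if (!done) serial_block() }
    ' "$vmx" > "$tmp" && cat "$tmp" > "$vmx" && rm -f "$tmp"
}

# Succeed only if the telnet console is bound to the loopback address.
console_is_loopback() {
    grep -Eq '^serial0\.fileName *= *"telnet://127\.0\.0\.1:[0-9]+"' "$1"
}
```

Run patch_vmx against the ASAVM.vmx path from step 17 with VMware Fusion closed; the file as it was before the first run is kept beside it with a .bak suffix.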
18. Start ASAVM
Reopen the VMware Fusion application and start the ASAVM virtual machine. Press the enter key at the boot: prompt, within the ASAVM virtual console, to load the ASA.
19. Virtual console port connection to ASAVM
Remember we need to emulate a console port connection via telnet, so enter the following command from Terminal:
$ telnet 127.0.0.1 52150
20. Lab integration
Your virtual machine should be up and running, but a network device serves little purpose unless it's actually connected to a network. Check out my Implement a Multivendor OSPF Lab with GNS3 and VMware Fusion post for a practical example.