Installation
First
compile and patch Qemu as you would do for running JunOS. This will give us pcap, lcap and UDP tunnels (i.e. GNS3/Dynamips connections) capabilities.
Then obtain ASA itself. If you are smart and patient you will find it. I used asa802-k8.bin for my installations. As far as I know, nobody has been able to run ASA > version 8.2 (ASA keeps rebooting).
The next step is to get an initrd and a Linux kernel (inside the initrd) from your ASA image to use them with Qemu and also fix the initrd for our needs. The initrd is zipped and archived in the ASA image, we have to extract it.
There are 2 ways, manually or using a tool I created.
Manual method
Create an hexadecimal dump of your image:
hexdump -C asa802-k8.bin > asa802-k8.hex |
Search for the ZIP header:
grep “1f 8b 08 00 1d” asa802-k8.hex
001228b0 1f 8b 08 00 1d 3d 73 46 00 03 ec 3a 6d 54 14 57 |…..=sF…:mT.W| |
We can see that the ZIP file starts at offset 1228b0.
Let’s find the image size:
ls -la asa802-k8.bin
-rwxr-xr-x 1 root staff 14524416 26 Nov 20:14 asa802-k8.bin
14524416 bytes. |
Now we need to find out where in the file we can start extracting the ZIP part.
echo "14524416 ; ibase=16 ; last - 1228B0" | bc | tail -n 113334352
|
Extract the zipped part of the ASA image:
tail -c 13334352 asa802-k8.bin > asa802-k8.gz |
Decompress it with gzip:
gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored |
Make a temp directory and go into it so we can extract the files contained in the uncompressed archive file (the initrd):
Now extract the archive with cpio (you must have the administrator rights to successfully extract device files).
cpio -i --no-absolute-filenames --make-directories < ../asa802-k8 |
Copy the Linux kernel to your previous directory:
cp vmlinuz ../asa802-k8.kernel |
Before compressing back the initrd, create the following script in asa/scripts/first_start.sh
This script formats the 256 MB flash on first start to be used by ASA. Loads the network drivers modules for Intel e100 (i82559er in Qemu) and Intel e1000 cards and activates the network interfaces to be used in ASA. I noticed that if we immediately start ASA after this first boot, it freezes (don’t really know why but it seems the system do something and slow down during the first minute …). The next time you start the system, the script will still load the activate the network interfaces and automatically start ASA.
#!/bin/sh
##
## Author: Jeremy Grossmann (2009)
## Contributor: J. Pedro Flor (28 january 2010)
##
FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
cd /asa/scripts/
echo "d" > /asa/scripts/fdisk.pf.in
echo "o" >> /asa/scripts/fdisk.pf.in
echo "n" >> /asa/scripts/fdisk.pf.in
echo "p" >> /asa/scripts/fdisk.pf.in
echo "1" >> /asa/scripts/fdisk.pf.in
echo "1" >> /asa/scripts/fdisk.pf.in
echo "" >> /asa/scripts/fdisk.pf.in
echo "t" >> /asa/scripts/fdisk.pf.in
echo "4" >> /asa/scripts/fdisk.pf.in
echo "w" >>/asa/scripts/fdisk.pf.in
echo ""
echo -n "Initializing partition..."
/sbin/fdisk /dev/hda < /asa/scripts/fdisk.pf.in > /dev/null 2> /dev/null
echo "done"
echo ""
echo -n "Formating and mounting partition..."
mkdosfs -F 16 /dev/hda1 > /dev/null 2> /dev/null
mount -t vfat -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0 > /dev/null 2> /dev/null
echo "done"
echo ""
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
# load drivers
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test $FIRST_START = yes
then
echo ""
echo " Cisco ASA with <NO> Multiple Security Contexts"
echo " =============================================="
echo ""
echo "This is your first boot, please wait about 2 minutes for 'disk0' creation"
echo "and then execute the following commands inside the Linux prompt:"
echo ""
echo " # cd /mnt/disk0"
echo " # /mnt/disk0/lina_monitor"
echo ""
echo ""
echo ""
echo "Please note to use the following command under ASA to save your configs:"
echo ""
echo " ciscoasa(config)# boot config disk0:/.private/startup-config"
echo " ciscoasa(config)# copy running-config disk0:/.private/startup-config"
echo ""
echo ""
echo ""
echo "To get webvpn working, execute the following commands:"
echo ""
echo " ciscoasa# mkdir disk0:/var"
echo " ciscoasa# mkdir disk0:/var/log"
echo " ciscoasa# mkdir disk0:/csco_config"
echo " ciscoasa# mkdir disk0:/csco_config/97"
echo " ciscoasa# mkdir disk0:/csco_config/97/webcontent"
echo ""
echo " ( Powered by Pedro Flor )"
echo " ( pedro.flor@gmail.com )"
echo ""
exit
fi
echo ""
echo ""
echo "Starting Cisco ASA with <NO> Multiple Security Contexts..."
echo ""
cd /mnt/disk0
/mnt/disk0/lina_monitor |
In order for the script to be loaded at startup, edit etc/init.d/rcS and change
/asa/bin/lina_monitor by
/asa/scripts/first_start.sh
Change first_start.sh permissions:
Now you can compress all the file and have the initrd ready to use in Qemu:
find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz |
