Thursday, June 19, 2014

Setting up ASA inside GNS3

Setting up ASA inside GNS3 has been simplified by the GNS3 team: you now just need the appropriate Initrd and Kernel files and you are good to go.

Prerequisites:

  1. GNS3
  2. asa842-initrd.gz
  3. asa842-vmlinuz

*** I can't provide the ASA files ***

After you have the required files, just fire up GNS3 and point it to the right path.

GNS3 > Edit > Preferences > Qemu > ASA

Under ASA Settings, Preconfiguration, select the version you are trying to load, e.g. 8.0(2) or 8.4(2).

The RAM, Number of NICs, NIC model and Qemu Options will be populated automatically.

Then under ASA Specific Settings, select the path to the Initrd and Kernel files.

Finally, click Save and you will see the setting saved under ASA Images.

Click OK to close the Preferences window.

To test your setting, go to the device tab and click on the Firewall icon; you will notice the ASA firewall icon now has color and is no longer grayed out.

Drag and drop the ASA firewall icon onto the Workspace and run it, then double-click the icon and it will open the console via the default PuTTY application.

Happy learning !

Tuesday, June 17, 2014

Problem: Getting IP address but browser unable to load webpages

 

Symptoms:

  1. PC is getting an IP address (e.g. ipconfig /all)
  2. Able to ping the default gateway
  3. Nslookup command works for google.com etc
  4. Able to load URL using the resolved IP address

Finally, when you issue the command "ipconfig /flushdns", you get the following error.

Error Message:

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

Problem:

This problem occurs if the DNS Client service is not running on the computer.

Resolution:

To resolve this problem, follow these steps:

  1. Click Start, click Run, type services.msc, and then click OK.
  2. In the list of services, click DNS Client.
  3. Make sure that the Status column displays Started and that the Startup Type column displays Automatic.
  4. If the service is not set to Started or if the startup type for the DNS Client service is not set to Automatic, follow these steps:
    1. Right-click DNS Client, and then click Properties.
    2. In the DNS Client Properties dialog box, click the General tab, and then click Automatic in the Startup type list.
    3. Click Start, click Apply, and then click OK.

Thursday, February 6, 2014

CA Root Certificate is missing error

 

After installing Cisco AnyConnect Secure Mobility 3.1, the error below pops up when the client is run.

Unable to validate Cisco AnyConnect Secure Mobility components. CA Root Certificate is missing.

AnyConnect Secure Mobility Client must verify that all loaded components have been certified by Cisco. Your system does not have the latest root certificates from Verisign, which are required to validate the authenticity of the software. Please download VeriSign Class 3 Public Primary Certification Authority - G5 from http://www.verisign.com/support/roots.html or contact your administrator.

We need to manually install a VeriSign Certification Authority into Windows. The "Root 3 / VeriSign Class 3 Primary CA - G5" to be exact.

  1. Go to the Verisign certificate page. [LINK]
  2. Find the section named "Root 3 / VeriSign Class 3 Primary CA - G5".
    At the end of that section, find the link for Download Root Now and right-click it and save the file to your Desktop or Download folder.

  3. Find the downloaded file, and rename it from "PCA-3G5.pem" to "PCA-3G5.crt" (change the filename extension to .crt).
  4. Double-click the PCA-3G5 file.
  5. Result: The Certificate information window should open.
    Press the Install Certificate button. A Certificate Import Wizard will open. You can click Next or Finish to go through the Import Wizard.

Monday, February 3, 2014

Installing Microsoft Windows virtual host for labbing purpose

 

For our labbing purposes, we might need a virtual host running the Microsoft Windows operating system. We can download and use the evaluation version, which can run for 90 days. The current version shown at the TechNet Evaluation Center is Windows 8.1, but if you prefer to use Windows 7, just scroll to the bottom and you will see "Previous Version", which shows links to the Windows 7 Enterprise Evaluation.

TechNet Evaluation Center – [LINK]

* 7600.16385.090713-1255_x86fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENEVAL_EN_DVD.iso

Monday, January 13, 2014

Installing DHCP (uDHCPd) on TTYLinux

Under TTYLinux, BusyBox provides most of the services I needed except a DHCP server. After much research, I managed to get it installed.
Stuff needed:
1. BusyBox binary package – [LINK]
2. TTYLinux – [LINK]

Steps:
1. Boot into TTYLinux
2. Download the BusyBox binary into TTYLinux
# wget http://busybox.net/downloads/binaries/latest/busybox-x86_64
3. Make it executable
# chmod +x busybox-x86_64
4. Install BusyBox
# ./busybox-x86_64 --install
5. Verify
# ls -l /usr/sbin
(notice the udhcpd date/time)
6. Copy the thttpd service script under the /etc/rc.d/init.d folder and adapt it for udhcpd
# cp /etc/rc.d/init.d/thttpd /etc/rc.d/init.d/udhcpd
# sed -i 's/thttpd/udhcpd/g' /etc/rc.d/init.d/udhcpd
# sed -i 's/httpd/dhcpd/g' /etc/rc.d/init.d/udhcpd
# sed -i 's/thttp/dhcpd/g' /etc/rc.d/init.d/udhcpd
# nano /etc/rc.d/init.d/udhcpd
* comment out the portion for
     * addgroup
     * under start() -> comment out doGroupCheck
     ! load_proc ${UDHCPD} -fS /etc/udhcpd.conf $
# service udhcpd [start/stop/restart/status]
Make sure the interface facing the LAN has an IP address from the subnet.
# ifconfig
(verify)
# ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# ifconfig eth0 up
Make it permanent in /etc/sysconfig/network-scripts/ifcfg-eth0
ENABLE=yes
IPADDRESS=10.0.0.1
CIDRLEN=24
NETWORK=10.0.0.0
NETMASK=255.255.255.0
BROADCAST=10.0.0.255
DHCP=no
! Restart the networking service to refresh the settings.
# service network restart
7. Create the UDHCPD configuration file
# touch /etc/udhcpd.conf
Content of the /etc/udhcpd.conf
========================================
# Sample udhcpd configuration file (/etc/udhcpd.conf)
# The start and end of the IP lease block
start            10.0.0.20   
end                10.0.0.254   
# The interface that udhcpd will use
interface    eth0        #default: eth0
option    subnet    255.255.255.0
option    router    10.0.0.1
option    dns            10.0.0.2
========================================
8. Create the UDHCPD lease file
Add the leases file
# touch /var/lib/misc/udhcpd.leases
9. Allow UDP ports 67 and 68
# nano /etc/firewall.conf
    add 67 and 68 under [UDP]
10. Restart the firewall services
# service firewall restart
Voila!
Sending OFFER of 10.0.0.20
Sending ACK to 10.0.0.20
uDHCPd configuration sample [link]
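
A pre-flight check for the /etc/udhcpd.conf shown above, as an added example that is not part of the original post: it parses start, end, option subnet and option router and reports a pool that leaves the router's subnet, reaches the broadcast address or contains the router itself. The function names ip2int, conf_get and check_udhcpd_conf are chosen for this example, and the sample file is constructed from the values in the post.

```shell
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print the value of a keyword ("start") or of an option ("option router").
conf_get() {                       # usage: conf_get FILE KEY [SUBKEY]
    awk -v k="$2" -v s="$3" '
        $1 ~ /^#/ { next }
        s == "" && $1 == k { print $2; exit }
        s != "" && $1 == k && $2 == s { print $3; exit }' "$1"
}

# Return 0 if the lease pool is consistent, 1 otherwise; findings go to stdout.
check_udhcpd_conf() {
    conf=$1; rc=0
    start=$(conf_get "$conf" start); end=$(conf_get "$conf" end)
    mask=$(conf_get "$conf" option subnet)
    router=$(conf_get "$conf" option router)
    for v in "$start" "$end" "$mask" "$router"; do
        [ -n "$v" ] || { echo "missing start, end, subnet or router"; return 1; }
    done
    s=$(ip2int "$start"); e=$(ip2int "$end")
    m=$(ip2int "$mask");  r=$(ip2int "$router")
    net=$(( r & m )); bcast=$(( net | (~m & 0xFFFFFFFF) ))
    [ "$s" -le "$e" ] || { echo "start is above end"; rc=1; }
    [ $(( s & m )) -eq "$net" ] || { echo "start outside router subnet"; rc=1; }
    [ $(( e & m )) -eq "$net" ] || { echo "end outside router subnet"; rc=1; }
    [ "$e" -lt "$bcast" ] || { echo "pool includes broadcast address"; rc=1; }
    if [ "$r" -ge "$s" ] && [ "$r" -le "$e" ]; then
        echo "router address is inside the lease pool"; rc=1
    fi
    return $rc
}

# Constructed sample: the pool from the post's /etc/udhcpd.conf.
sample=$(mktemp)
printf '%s\n' 'start 10.0.0.20' 'end 10.0.0.254' 'interface eth0' \
    'option subnet 255.255.255.0' 'option router 10.0.0.1' > "$sample"
check_udhcpd_conf "${1:-$sample}" && echo "pool OK"
rm -f "$sample"
```

Pass a path as the first argument to check a real file instead of the constructed sample.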

Installing TTYLinux

Basic steps used for installing TTYLinux to a hard drive.

Boot from ISO

Boot from the TTYLinux ISO
Log in using: root/password

Preparing the partition

# fdisk /dev/sda
    # n
    # p
    # 1
    # 1
    # 15
    # w

Create the file system

# mke2fs /dev/sda1

Installing the TTYLinux to drive

# ttylinux-install -m /dev/hdc /dev/sda1
    # yes

* eject/remove ISO from cdrom

Reboot the system

# shutdown -r

Log in to the newly installed system

root/password

Sunday, January 12, 2014

Remastering TTYLinux

Ingredients :
1. Ubuntu 12.04 netinstall disc or any working Debian machine

Initial setup commands:
# apt-get update
# apt-get upgrade

Dependency packages required for rebuilding the TTYLinux image
# apt-get install x (x being each package listed below)
build-essential
autoconf
automake
bzip2
mkisofs
bin86
gawk
flex
bison
ncurses-dev
docbook-utils
pkg-config
gettext
libglib2.0-dev
libfuse-dev
libpam-dev


!! Warning: "docbook-utils" will pull in about 500 MB of files, go make some coffee
!! mkisofs is deprecated and replaced by genisoimage
!! Overcome this with # sudo ln -s /usr/bin/genisoimage /usr/bin/mkisofs

Grab a copy of the TTYLinux for remastering

# cd /tmp
# wget https://github.com/djerome/ttylinux/tarball/master -O ttylinux.tar.gz --no-check-certificate

Untar the compressed file
# tar zxf ttylinux.tar.gz

Go to the directory
# cd /tmp/djerome-ttylinux-xxxxxxx
(press Tab to autocomplete, as the xxxxxxx differs between versions)

Edit the UDHCPD configuration settings
# cd /tmp/djerome-ttylinux-5ece876/ttylinux-build/pkg-cfg/busybox-1.21.0

# nano _bbox-stnd.cfg
^w (CTRL + W)
type in UDHCPD

Before:
# CONFIG_UDHCPD is not set
# CONFIG_DHCPRELAY is not set
# CONFIG_DUMPLEASES is not set
# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
CONFIG_DHCPD_LEASES_FILE=""

After:
CONFIG_UDHCPD=y
CONFIG_DHCPRELAY=y
CONFIG_DUMPLEASES=y
CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY=y
# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
CONFIG_DHCPD_LEASES_FILE="/var/lib/misc/udhcpd.leases"

^O (CTRL + O)
^X (CTRL + X)

Cross-tool chain process
# cd /tmp/djerome-ttylinux-5ece876/xbuildtool
# make setup
# make x86_64-2.14-gnu

!! Took 37 minutes 58 seconds

Compile and build TTYLinux

# cd /tmp/djerome-ttylinux-5ece876/ttylinux-build
# make getcfg

Choose option 6 for pc_x86_64_defconfig

Depending on your preference, you can now edit the newly created ttylinux-config.sh to comment out/exclude the packages which you don't wish to compile.

Download TTYLinux source packages
# make dload

Make the TTYLinux ISO
# make dist

Took 12 minutes 52 seconds (actually 2 days of painful back-and-forth troubleshooting!)

!! Even with DHCPRELAY answered "Y" in the configuration file, the BusyBox script was stopping and waiting for a Y/n.
!! I pressed Y and pressed ENTER ... it continued. So life goes on

* I went back and commented out NTFS-3g because it kept erroring out and I didn't really require it. Even downloading the so-called missing libntfs* file didn't help.
* I eventually commented out a lot of stuff which kept giving me errors :)

After all that is done (cross-building packages), it goes on to compiling the TTYLinux kernel

I ftp my ISO from the virtual machine to the host FTP server.

[ref] http://blog.thewulph.com/?p=323