GNS3 - Configure ASA with ASDM
David Bombal made a very nice video series: GNS3, Cisco ASA and ASDM: Configure VIRL ASAv firewall with GNS3 and ASDM. He uses a Windows VM as a client, where he installed Java. One drawback is that the Java installation has to be redone for every new project. Furthermore, the license of the Windows VM is time-limited. When it expires, you have to delete the VM from the project and insert a fresh one.
Instead I’m using Java in a Docker container for ASDM. I’ve added Java to my webterm Docker image and published it as ehlers/web_java. It contains the Firefox web browser, Java and Java Web Start. Please note that Firefox has disabled the Java plugin, so it is not included in this image.
To import it, click on “+ New appliance template” located at the bottom of the device sidebar, then select “Add a Docker container”.
The “New Docker VM template” wizard will start and it asks a couple of questions:
- Server type: Run this Docker VM on the GNS3 VM
- Docker image: Select “New Image” and enter “ehlers/web_java” as the image name.
- Name: Give the VM a name, e.g. web_java
- Adapters: Stick with the default value of 1
- Start command: Leave it empty
- Console type: Change it to “vnc”
- Environment: Leave it empty, then finish the wizard.
Now the Docker VM preferences window will show up. You have the option to edit the just created template, for example change the symbol. When you’re done, leave the preferences with “OK”.
Like in David’s video create a new project:
The first time the web_java VM is added, it will be downloaded from the internet (about 200 MB). So depending on your internet access, it may take a while. Then configure a static IP address (here 10.1.1.1, netmask 255.255.255.0) for the web_java-1 VM (right-click / Edit config). Now start everything up. The ASAv will reboot after the initial boot; that’s normal.
The ASAv needs an initial configuration, mainly an IP address on the inside interface, a username/password for management access and an enabled http server.
All that is shown in David’s second video of the GNS3, Cisco ASA and ASDM video series starting at 5:38.
```
ciscoasa# configure terminal
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip address 10.1.1.254 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# username cisco password cisco privilege 15
ciscoasa(config)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 inside
ciscoasa(config)# end
ciscoasa# wr
```
On the web_java VM we can start the web browser (click on the button and select Applications / Mozilla Firefox). Then open the web site https://<ASA-IP>/, in our case https://10.1.1.254/. But the ASA page doesn’t recognize the already installed Java web start, it allows only a new installation of Java. So that’s a dead end.
Searching the internet gives the solution,
in a terminal window.
While that works, it’s a little bit cumbersome. Therefore I’ve added a Cisco ASDM launcher, integrated in the applications menu. Just put in the ASA IP address and the ASDM starts. The web browser doesn’t need to be open for ASDM.
Now you can continue following David’s videos, starting with the second one at 10:34.
Update Nov 6, 2017:
For running ASDM v6.xxx make the following changes in the Java configuration: Edit /etc/java-8-openjdk/security/java.security and remove MD5 in jdk.jar.disabledAlgorithms from the list of disabled code signing algorithms.
In previous versions of “ehlers/web_java” the /etc/java-8-openjdk directory was not persistent, so these changes won’t stick. This has been changed.
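The java.security edit described above, as an added example that is not part of the original post or of the ehlers/web_java image: a Python sketch that removes only the MD5 entry from jdk.jar.disabledAlgorithms (the list of algorithms the JVM rejects when verifying signed JARs), follows backslash line continuations, and leaves every other restriction untouched. The sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample in java.security format; not copied from the image.
SAMPLE = """\
# Algorithm restrictions for signed JAR files
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
      DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

PROP = "jdk.jar.disabledAlgorithms"


def _find(text, prop):
    """Return (start, end, entries) for prop, following '\\' continuations."""
    lines = text.splitlines(keepends=True)
    pos = 0
    for i, line in enumerate(lines):
        if re.match(r"\s*" + re.escape(prop) + r"\s*[=:]", line):
            j = i
            while lines[j].rstrip("\r\n").endswith("\\") and j + 1 < len(lines):
                j += 1
            raw = "".join(lines[i:j + 1])
            value = re.split(r"[=:]", raw, maxsplit=1)[1]
            value = re.sub(r"\\\r?\n\s*", "", value)  # join continued lines
            entries = [e.strip() for e in value.split(",") if e.strip()]
            return pos, pos + len(raw), entries
        pos += len(line)
    raise KeyError(prop)


def disabled_algorithms(text, prop=PROP):
    """List the entries currently disabled by the given property."""
    return _find(text, prop)[2]


def allow_algorithm(text, name="MD5", prop=PROP):
    """Drop only the entry whose algorithm name is exactly `name`."""
    start, end, entries = _find(text, prop)
    kept = [e for e in entries if e.split()[0].upper() != name.upper()]
    return text[:start] + prop + "=" + ", ".join(kept) + "\n" + text[end:]


if __name__ == "__main__":
    print(disabled_algorithms(SAMPLE))
    print(allow_algorithm(SAMPLE), end="")
```

Calling disabled_algorithms() on the file before and after the change confirms that MD5 is the only entry that was dropped.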
To update “ehlers/web_java”, open a GNS3 project that doesn’t use the web_java VM. Then start a shell in the GNS3 VM and remove the old image with docker rmi ehlers/web_java; afterwards load the new appliance with docker pull ehlers/web_java.