Monthly Archives: February 2013

asa in gns3…

start at the beginning…
download 0.8.3 all in one, get it running…  do not let it install into program files… make a different directory…

if you are just getting started with gns3, then you know where to go… this is gonna go fast…

the key here is qemu… but first, you need to separate the asa.bin into its parts… i did it using linux, then ported the files over to my windows box… to extract the initrd.gz and the vmlinuz files in windows you can use a program called repack… i did it from the cli in nix… start with this link: http://forum.gns3.net/topic1379.html then dig some more… this part was not easy and took a lot of time… i believe i used gzip/gunzip in nix… you need to do the heavy lifting here… of course, getting the .bin’s i’m not even touching on; you know the drill…

initrd stands for initial ram disk… if anybody remembers back in the old dos days there was a procedure called vdisk, or virtual disk; the early days of virtualization, whereby you’d run an os in a current os’s ram, read: vm… vmlinuz is the nix executable kernel… these two files will boot your asa in qemu…

so once you get through that nastiness, you get to do battle with qemu… it’s hit or miss… the real trick is pathing out everything correctly, and discovering the settings that will work… once in qemu make sure it is pathing out correctly by running the test for qemuwrapper… as i said before, do not install anything in windows system directories and you can avoid some unpleasantness… and turn the friggin windows firewall off, duh…

these settings worked for me, you may have to try others…
the kernel cmd line:

console=ttyS0,9600n8 bigphysarea=16384 auto nousb ide1=noprobe hda=980,16,32

that and a couple of prayers will get you this:

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 1 hour 5 mins

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB

0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
1: Ext: GigabitEthernet1    : address is 0000.ab8f.c501, irq 0
2: Ext: GigabitEthernet2    : address is 0000.ab35.ea02, irq 0
3: Ext: GigabitEthernet3    : address is 0000.abcc.9c03, irq 0
4: Ext: GigabitEthernet4    : address is 0000.ab4f.f804, irq 0
5: Ext: GigabitEthernet5    : address is 0000.abf1.e905, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 13:18:13.929 UTC Sat Aug 4 2012
ciscoasa#

for more features you are going to have to search for activation keys… notice security contexts… this is another pain in the ass but cisco inferno has some good tips on that here… he is not kidding about the activation taking a long time… if you are not patient, you can simply start all over again… he mentions making a bridge in windows there; the hardware loopback in windows is better…

http://blog.ciscoinferno.net/?s=gns

look, if you really want this, you are going to suffer for it, so plan on it and don’t be a big pussy…

if you survived all of that and you are a glutton for punishment, try plugging in asdm… that’s another bitch…

i found that the fastest and easiest way to get your pc into the gns3 environment is through a windows hardware loopback… go to windows cmd and type hdwwiz and step through that… and make sure you reboot the pc after adding the loopback because… it’s winblows… put the management interface in the same subnet, run tftp and copy tftp flash… i’m not stepping you through that…

don’t forget the switch… be the cloud…

http server enable
http ipaddress subnetmask management

make a username and password privilege 15

copy r s

open a browser, https://ipaddress

and the rest is on you… this is not for the weak of heart… it will kick your ass, but you’ll be glad…

like i said it’s not for the faint of heart… qemu.exe just crashed on me and wouldn’t load the emulator… solution: downloaded the standalone windows version from gns3, plucked out the qemu.exe file, erased the current qemu.exe and rebooted first, then added the new qemu.exe in the proper directory, and it works… not sure if the reboot is necessary, just an old habit from back in the windows crusades… not only will this stuff make you delusional, it will also make you hysterically superstitious… yeah, and good luck…

use this link to verify the default operation of the device…

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/admin_trouble.html#wp1093069

1.1.b Identify Cisco express forwarding concepts

On Page 59, Router Security Strategies: Securing IP Network Traffic Planes:

The adjacency table contains information necessary for encapsulation of the packets that must be sent to given next-hop network devices. CEF considers next-hop devices to be neighbors if they are directly connected via a shared IP subnet.
Each adjacency entry stores pre-computed frame headers used when forwarding a packet using a FIB entry referencing the corresponding adjacency entry. The adjacency table is populated as adjacencies are discovered. Each time an adjacency entry is created, such as through the ARP protocol, a link-layer header for that adjacent node is pre-computed and stored in the adjacency table.

Routes might have more than one path per entry, making it possible to use CEF to switch packets while load balancing across multiple paths.
In addition to next-hop interface adjacencies (in other words, host-route adjacencies), certain exception condition adjacencies exist to expedite switching for nonstandard conditions. These include, among others: punt adjacencies for handling features that are not supported in CEF (such as IP options), and drop adjacencies for prefixes referencing the Null0 interface. Packets forwarded to Null0 are dropped, making an effective, efficient form of access filtering.

Router Security Strategies: Securing IP Network Traffic Planes, by Gregg Schudel (CCIE No. 9591) and David J. Smith (CCIE No. 1986). ISBN 9781587053368. Publisher: Cisco Press.
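to make the fib/adjacency split above concrete, here is an added python model (not from the book or this post) of one cef lookup: longest-prefix match in a fib whose entries point at adjacency rows holding prebuilt frame headers, plus the punt (ip options) and drop (Null0) exception adjacencies and two-path load sharing. every address, mac and table in it is constructed.

```python
import ipaddress

# Constructed adjacency table: (interface, next hop) -> precomputed frame header
# (dst MAC | src MAC | EtherType 0x0800) for that neighbor, or an exception
# adjacency such as "drop" for prefixes that point at Null0.
ADJ = {
    ("Gi0/0", "10.0.12.2"): bytes.fromhex("00ab000000020000ab0000010800"),
    ("Gi0/1", "10.0.13.3"): bytes.fromhex("00ab000000030000ab0000110800"),
    ("Null0", None): "drop",
}

# Constructed FIB: prefix -> adjacency keys. Two keys on one prefix means
# two paths, so CEF can switch the prefix while load sharing across them.
FIB = {
    ipaddress.ip_network("192.168.0.0/16"): [("Null0", None)],   # summary routed to Null0
    ipaddress.ip_network("192.168.1.0/24"): [("Gi0/0", "10.0.12.2"), ("Gi0/1", "10.0.13.3")],
    ipaddress.ip_network("0.0.0.0/0"): [("Gi0/1", "10.0.13.3")],
}

def fib_lookup(dst):
    """Longest-prefix match: the most specific FIB prefix containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    matches = [p for p in FIB if dst in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None

def cef_switch(src, dst, ip_options=False):
    """Switching decision for one packet:
    ('punt', reason), ('drop', reason) or ('forward', interface, frame_header)."""
    if ip_options:                        # feature not handled on the CEF path
        return ("punt", "ip-options")
    prefix = fib_lookup(dst)
    if prefix is None:
        return ("drop", "no-route")
    paths = FIB[prefix]
    # per-destination load sharing: pick a path deterministically from the src/dst pair
    idx = (int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))) % len(paths)
    iface, nexthop = paths[idx]
    adj = ADJ[(iface, nexthop)]
    if adj == "drop":                     # drop adjacency: Null0 as a cheap access filter
        return ("drop", iface)
    return ("forward", iface, adj)        # header was prebuilt when the adjacency was learned

if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "192.168.1.10"), ("10.1.1.2", "192.168.1.10"),
                     ("10.1.1.1", "192.168.7.1"), ("10.1.1.1", "8.8.8.8")]:
        print(src, "->", dst, cef_switch(src, dst)[:2])
```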

here is a graphic i built some time ago… it’s very pretty…

[graphic: fib_adj]

3.7.b Implement and troubleshoot IBGP and EBGP

3.7.b [i] EBGP, IBGP

i will paraphrase for a change…

1) a tcp connection request must have a matching source address in a bgp neighbor statement

R2#sh tcp brie
TCB       Local Address               Foreign Address             (state)
67F71058  2.2.2.2.179                 1.1.1.1.19300                ESTAB
67F709D4  2.2.2.2.179                 3.3.3.3.25648                ESTAB

R2#sh run | b bgp 123
router bgp 123
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 123
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 update-source Loopback1

2) the router bgp asn statement must match the neighbor router’s reference to that asn in its remote-as statement

R4#sh run | b router bgp
router bgp 45
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source Loopback1

R3#sh run | b bgp 123
router bgp 123
 bgp log-neighbor-changes
 neighbor 1.1.1.1 remote-as 123
 neighbor 1.1.1.1 password cisco
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source Loopback1

3) the bgp rids have to be unique…

R4#sh ip bgp neigh
BGP neighbor is 3.3.3.3,  remote AS 123, external link
  BGP version 4, remote router ID 3.3.3.3

R3#sh ip bgp neigh 4.4.4.4
BGP neighbor is 4.4.4.4,  remote AS 45, external link
  BGP version 4, remote router ID 4.4.4.4

4) if used, md5 authentication must be successful

*Feb 24 16:16:46.532: %TCP-6-BADAUTH: Invalid MD5 digest from 3.3.3.3(39907) to 1.1.1.1(179) tableid - 0
R1(config-router)#neigh 3.3.3.3 pass cisco
R1(config-router)#
*Feb 24 16:16:53.648: %BGP-5-NBR_RESET: Neighbor 3.3.3.3 reset (Peer closed the session)
*Feb 24 16:16:53.660: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Down Peer closed the session
*Feb 24 16:16:53.660: %BGP_SESSION-5-ADJCHANGE: neighbor 3.3.3.3 IPv4 Unicast topology base removed from session  Peer closed the session
R1(config-router)#
*Feb 24 16:17:06.304: %BGP-5-ADJCHANGE: neighbor 3.3.3.3 Up
R1(config-router)#
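the four conditions above as an added python checker (my example, not the post's): it parses the R3 and R4 blocks shown in the post and reports which condition breaks a peering. R1 is constructed as it stood before "neigh 3.3.3.3 pass cisco" was typed, and the router-ids are assumed to equal the Loopback1 addresses since the post does not show them.

```python
import re

def parse_bgp(text):
    """Pull asn and per-neighbor remote-as / password / update-source out of a
    'router bgp' block (minimal IOS parsing, constructed for this example)."""
    r = {"asn": int(re.search(r"router bgp (\d+)", text).group(1)), "neighbors": {}}
    for ip, attr, val in re.findall(r"neighbor (\S+) (remote-as|password|update-source) (\S+)", text):
        r["neighbors"].setdefault(ip, {})[attr] = val
    return r

def check_peering(a, b):
    """Return the conditions (1-4 from the post) that fail between routers a and b.
    Each router is a dict with name, addr (its update-source address), rid and parse_bgp() fields."""
    na, nb = a["neighbors"].get(b["addr"]), b["neighbors"].get(a["addr"])
    if na is None or nb is None:
        return ["1) peer source address is not in a neighbor statement"]
    problems = []
    if na["remote-as"] != str(b["asn"]) or nb["remote-as"] != str(a["asn"]):
        problems.append("2) remote-as does not match the peer's router bgp asn")
    if a["rid"] == b["rid"]:
        problems.append("3) duplicate bgp router-id")
    if na.get("password") != nb.get("password"):
        problems.append("4) md5 password mismatch")
    return problems

# R3 and R4 are the blocks shown in the post; R1 is constructed as it stood before
# "neigh 3.3.3.3 pass cisco" was entered. Router-ids are assumed to be the Loopback1 addresses.
R1 = dict(name="R1", addr="1.1.1.1", rid="1.1.1.1", **parse_bgp(
    "router bgp 123\n neighbor 3.3.3.3 remote-as 123\n neighbor 3.3.3.3 update-source Loopback1\n"))
R3 = dict(name="R3", addr="3.3.3.3", rid="3.3.3.3", **parse_bgp("""router bgp 123
 neighbor 1.1.1.1 remote-as 123
 neighbor 1.1.1.1 password cisco
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 2.2.2.2 remote-as 123
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 4.4.4.4 remote-as 45
 neighbor 4.4.4.4 ebgp-multihop 2
 neighbor 4.4.4.4 update-source Loopback1
"""))
R4 = dict(name="R4", addr="4.4.4.4", rid="4.4.4.4", **parse_bgp("""router bgp 45
 neighbor 3.3.3.3 remote-as 123
 neighbor 3.3.3.3 ebgp-multihop 2
 neighbor 3.3.3.3 update-source Loopback1
"""))

if __name__ == "__main__":
    for a, b in [(R3, R4), (R1, R3)]:
        print(a["name"], "<->", b["name"], check_peering(a, b) or "all four conditions ok")
```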

brick by brick, my citizens…

coffee and me and ccie…

gotta have it… i oughta invest in a coffee bean processing plant… i’ve found ccie goes down better with coffee and cream… actually, it’s the jolt that i’m in it for…

when i finally made ccnp and went back to the front desk at the testing center the girl there asked me why i wasn’t smiling… she told me to celebrate… i lied and told her i was sad that i wouldn’t be seeing her again for a year at least… i took my paper, went out to my car and cried…

it was a release, but it was also a fear of the future… a chapter closed but the abyss just opened up… the pain and struggle just renewed with a different set of rules…

legend has it that scott morris was asked how he felt after passing his first ccie… he responded something to the effect that he now realized how little he knew…