
How to run ASA 8.4(2) on the QEMU platform.

Posted on 2012-1-6 20:05:21
This post was last edited by chinaiplab on 2012-1-6 20:06

This article is reposted from a foreign forum.

DISCLAIMER: All information provided here are solely for self-education and investigation purposes. Provided AS-IS without any warranties.
Unpack the asa842-k8.bin file
1. Get asa842-k8.bin (from your CCO account possibly)
2. Save the attached script, unpack it and make it executable (gunzip repack.sh.gz; chmod +x repack.sh)
3. run as root user (or within 'fakeroot' environment)
Code:

# ./repack.sh ./asa842-k8.bin


This will create three files in current directory:
     asa842-vmlinuz - extracted kernel
     asa842-initrd-original.gz - original extracted initrd
     asa842-initrd.gz - patched initrd

Create the flash image file
Next you need to create the flash image file (it will be formatted automatically).
Code:

dd if=/dev/zero of=FLASH bs=1048576 count=256


NOTE:
When using an older repack.sh you need to format the drive yourself.
I was using the 'mkdiskimage' utility from the 'syslinux' package - it creates an image already formatted as FAT16/32:
Code:

$ mkdiskimage FLASH 980 16 32


All preparation is done!
Preparation is complete, now start QEMU!
Start your QEMU


I was using following command line:
Code:
/usr/bin/qemu \
-L /usr/share/qemu \
-m 1024 \
-nographic \
-cpu coreduo \
-icount auto \
-hda FLASH \
-kernel asa842-vmlinuz \
-initrd asa842-initrd.gz \
-hdachs 980,16,32 \
-append "ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536" \
-net "nic,vlan=0,macaddr=00:00:ab:cd:ef:01,model=pcnet" -net "tap,vlan=0,script=no,ifname=tap0" \
-net "nic,vlan=1,macaddr=00:00:ab:cd:ef:02,model=pcnet" -net "user,vlan=1,net=172.16.1.0/24" \
-net "nic,vlan=2,macaddr=00:00:ab:cd:ef:03,model=pcnet" -net "user,vlan=2,net=172.16.2.0/24" \
-net "nic,vlan=3,macaddr=00:00:ab:cd:ef:04,model=pcnet" -net "user,vlan=3,net=172.16.3.0/24"


ASA should see all NICs that are attached to QEMU guest.

While you could use any NIC model - better stick with pcnet, because it is compiled into the kernel and does not require any modules to load.
Also the udev included in the initrd has some problems renaming eth* interfaces with Intel chipsets - if you have more than two. (UPDATE: with the new repack.sh - Intel chipsets can be used.)

UPDATE1:
Add '-icount auto' to the QEMU options - this allows bypassing (not always) the 'Division by zero' exception. It also allows doing 'reload' in ASA.

UPDATE2:
New repack script with updated patches! (see http://7200emu.hacki.at/viewtopic.php?p=33914#33914 for a usage example)
What's new:
- empty drive formatted automatically at first startup
- multiple context mode
- adding license now works
- failover works (tested only on Active/Standby in single context)
- should work with any QEMU NIC (e1000, etc.)
- support shell invocation before running 'lina'

Multiple context mode is working as in "native ASA" - issue 'mode multiple' in configuration mode and agree to reload appliance. Startup scripts will detect that mode changed by searching 'context admin' in startup-configuration - if found, instance will be started in multiple mode, if not - in single. This allows using common procedures described in Cisco documentation to switch modes.

To invoke shell just add 'shell' keyword to kernel arguments. To start 'lina' - just exit the shell, boot process will continue.

And some licenses that will allow testing most of the functionality. Two different ones - so failover with different licensing can be tested:
Code:

more restrictive:
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

and less restrictive:
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6


NOTE: This topic and all instructions are QEMU-only. It runs under other VMs if you are lucky and have enough knowledge. To summon some luck under other VMs set the emulated chipset to PIIX3, use hardware acceleration (VT-x/AMD-V), use a Primary Master IDE drive, use AMD PCNet2 adapters, disable audio and USB emulation.

UPDATE3: Changed displayed model to 'ASA 5520' and displayed license to 'ASA 5520 VPN Plus'

Last edited by dmz on Wed Jan 04, 2012 8:46 am; edited 4 times in total


At this ASA version all configuration is saved correctly and RSA keys are persistent upon reboot.

Boot example:

Code:


Initializing cgroup subsys cpu
Linux version 2.6.29.6 (builders@bld-releng-05a) (gcc version 4.3.4 (crosstool-NG-1.5.0) ) #1 PREEMPT Wed Jun 15 17:19:01 MDT 2011
<skipped>
Starting kernel event manager...Loading hardware drivers...Initializing random number generator... done.
Starting network...
eth0: link up
eth1: link up
eth2: link up
eth3: link up
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Seek to 256900608:Invalid argument
dosfsck(/dev/hda1) returned 1
FAT: "posix" option is obsolete, not supported now
TIPC: Started in network mode
TIPC: Own node address <1.1.1>, network identity 1234
TIPC: Enabled bearer <eth:tap0>, discovery domain <1.1.0>, priority 10
msrif: module license 'Cisco Systems, Inc' taints kernel.
msrif module loaded.
Starting Likewise Service Manager
Processor memory 654311424, Reserved memory: 62914560
WARNING: LINA Monitor notification queue not created
No such file or directory
IMAGE ERROR: An error occurred when reading the controller type

Total NICs found: 4
secstore_buf_fill: Error reading secure store -  buffer 0xddfffb18, size 0x14
key_nv_init: read returned error 1, len 129
L4TM: Unknown ASA Model

INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash
license_init(): Platform is generic
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an Unknown license.


Cisco Adaptive Security Appliance Software Version 8.4(2)
_le_open: fd:4, name:eth0
---Device eth0 (fd: 4) opened succesful!
_le_open: fd:8, name:eth1
---Device eth1 (fd: 8) opened succesful!
_le_open: fd:9, name:eth2
---Device eth2 (fd: 9) opened succesful!
_le_open: fd:10, name:eth3
---Device eth3 (fd: 10) opened succesful!

  ****************************** Warning *******************************
  This product contains cryptographic features and is   subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not   imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

  If you require further assistance please contact us by
  sending email to .
  ******************************* Warning *******************************

Copyright (c) 1996-2011 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

config_fetcher: channel open failed
ERROR: MIGRATION - Could not get the startup configuration.
COREDUMP UPDATE: open message queue fail: No such file or directory/2

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201112140925.log'
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: N

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# clear configure call-home
ciscoasa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
ciscoasa(config)# int g0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 192.168.5.2 255.255.255.0
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)# ssh 0.0.0.0 0.0.0.0 outside
ciscoasa(config)# username cisco password cisco
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# wr mem
Building configuration...
Cryptochecksum: 9901ecdc afa2aded 68586ca0 43944721

1652 bytes copied in 0.650 secs
[OK]
ciscoasa(config)# exit
ciscoasa# QEMU: Terminated



After this I'm able to SSH to my appliance from outside:
Code:


$ ssh  
The authenticity of host '192.168.5.2 (192.168.5.2)' can't be established.
RSA key fingerprint is b4:a6:85:b3:c5:5a:89:37:f0:d8:4a:eb:a9:9b:c4:c5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.5.2' (RSA) to the list of known hosts.
's password:

Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 4 mins 33 secs

Hardware:   F1-GENERIC, 1024 MB RAM, CPU Pentium II 3394 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB


0: Ext: GigabitEthernet0    : address is 0000.abcd.ef01, irq 0
1: Ext: GigabitEthernet1    : address is 0000.abcd.ef02, irq 0
2: Ext: GigabitEthernet2    : address is 0000.abcd.ef03, irq 0
3: Ext: GigabitEthernet3    : address is 0000.abcd.ef04, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
ciscoasa#      
ciscoasa# exit

Logoff

Connection to 192.168.5.2 closed.


After reboot (stop and start QEMU, never use 'reload' command!) I could SSH to it again, without regenerating keys:
Code:


$ ssh  
's password:
Type help or '?' for a list of available commands.
ciscoasa> exit

Logoff

Connection to 192.168.5.2 closed.
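
An added bring-up helper for the lab procedure above (example code written for this page; it is not the original post's repack.sh and not the author's own invocation). It refuses to boot without the kernel and patched initrd that repack.sh produces, creates the raw flash image with dd only when it is missing (the patched initrd formats it on first boot and the ASA keeps its startup-config and RSA keys on it, so overwriting it would lose both), and assembles the QEMU command line from the post. The QEMU and FLASH_MB variables, the function names and the "up" argument are assumptions of this example; it also assumes the host tap0 interface already exists.

```shell
#!/bin/sh
# Added example, not the post's repack.sh or the author's QEMU command line.
# Assumed: QEMU / FLASH_MB variables, function names, tap0 already created.

set -eu

QEMU="${QEMU:-/usr/bin/qemu}"
FLASH_MB="${FLASH_MB:-256}"   # 256 MiB, matching the 980x16x32 CHS geometry in the post

# Refuse to boot without the repacked kernel and patched initrd from repack.sh.
check_inputs() {
    dir="$1"
    for f in asa842-vmlinuz asa842-initrd.gz; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f (run repack.sh first)" >&2
            return 1
        fi
    done
    return 0
}

# Create the zero-filled flash image. The patched initrd formats it on first
# boot and the ASA stores startup-config and RSA keys on it, so an existing
# image is kept rather than overwritten.
make_flash_image() {
    img="$1"; size_mb="$2"
    if [ -e "$img" ]; then
        echo "keeping existing flash image $img" >&2
        return 0
    fi
    dd if=/dev/zero of="$img" bs=1048576 count="$size_mb" 2>/dev/null
}

# Emit the QEMU command line from the post as one string: vlan 0 goes to tap0
# (the management side the SSH test uses), vlans 1-3 are isolated user-mode
# networks, and -icount auto is the workaround from UPDATE1.
qemu_cmdline() {
    flash="$1"; kernel="$2"; initrd="$3"
    printf '%s' \
      "$QEMU -L /usr/share/qemu -m 1024 -nographic -cpu coreduo -icount auto" \
      " -hda $flash -kernel $kernel -initrd $initrd -hdachs 980,16,32" \
      " -append \"ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536\"" \
      " -net nic,vlan=0,macaddr=00:00:ab:cd:ef:01,model=pcnet -net tap,vlan=0,script=no,ifname=tap0" \
      " -net nic,vlan=1,macaddr=00:00:ab:cd:ef:02,model=pcnet -net user,vlan=1,net=172.16.1.0/24" \
      " -net nic,vlan=2,macaddr=00:00:ab:cd:ef:03,model=pcnet -net user,vlan=2,net=172.16.2.0/24" \
      " -net nic,vlan=3,macaddr=00:00:ab:cd:ef:04,model=pcnet -net user,vlan=3,net=172.16.3.0/24"
    echo
}

# Usage: ./asa-lab.sh up [workdir]
if [ "${1:-}" = "up" ]; then
    workdir="${2:-.}"
    check_inputs "$workdir"
    make_flash_image "$workdir/FLASH" "$FLASH_MB"
    cmd=$(qemu_cmdline "$workdir/FLASH" "$workdir/asa842-vmlinuz" "$workdir/asa842-initrd.gz")
    echo "$cmd"
    eval "$cmd"
fi
```

Running it as `./asa-lab.sh up` from the directory holding the repack.sh output prints the command line before executing it, so the options can be checked against the post; set FLASH_MB to a smaller value only if you also adjust the -hdachs/ide_core.chs geometry accordingly.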






Reply posted on 2012-1-6 20:54:44

Reply posted on 2012-1-6 22:06:29

Reply posted on 2012-1-10 09:40:11
Good stuff, this deserves a bump.