Finally got ASA and ASDM to work nicely with GNS3.
Here's my setup:
- GNS3 v0.7
- Qemu (the one that comes with GNS3 v0.7)
- ASA 802-k8 (files needed for Qemu are: asa802-k8.initrd.gz & asa802-k8.kernel)
- ASDM 6.0(2)
- Fiddler (Instructions to configure it are here)
To get ASDM to connect with ASA, you must use Fiddler to intercept the HTTPS stream and modify it to correct some of Qemu's shortcomings.
Then set your JRE to use Fiddler as proxy.
All instructions can be found in the lengthy discussion at hacki.at. Make sure to read pages 17,18,+
When attempting to launch ASDM, no matter which version of ASDM and ASA IOS that you run, you get an error stating: “Your ASA has a version number 8.0(2) which is not supported by ASDM 6.2(1)”. After much hair pulling, I finally tripped across a blog article that explains how to get ASDM working with ASA emulated hardware in GNS3.
The problem is that the ASDM client software is comparing the hardware ID string sent by the HTTP server on the ASA with its “ASDM is known to be compatible with” information. The emulated ASA hardware has the Hardware ID left blank (null) by default, as seen here in the output from show ver:
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.2(1)
Compiled on Fri 15-Jun-07 19:29 by builders
System image file is “Unknown, monitor mode tftp booted image”
Config file at boot was “startup-config”
ASA1 up 19 mins 21 secs
Hardware: , 128 MB RAM, CPU Pentium II 1395 MHz
Internal ATA Compact Flash, 0MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Notice that the hardware identifier is blank. So, according to this excellent forum post response, when the ASA sends the HTTPS response to the ASDM client request, the HW ID field is null. A piece of software called “Fiddler2” (Windows only) can act as a proxy, modify the ASA HTTP response payload, and replace the null field with an ASA model number. This will let the ASDM client software know that the ASA is indeed running an IOS version with which it is compatible.
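The rewrite described above, as an added example (it is not the forum's fiddler.CustomRules.js and not code from the original post): a JavaScript function that fills the blank model field in a body shaped like the show ver output and leaves any other body alone. It assumes the response ASDM reads carries the same "Hardware:" line; the function names, the sample text and the ASA5520 model value are illustrative.

```javascript
// Added example: sample text and the ASA5520 model value are constructed.
// A proxy rule would run this on the decoded response body before ASDM sees it.

// The "Hardware:" line; group 2 is the model field in front of the first comma.
const HARDWARE_LINE = /^(Hardware:[ \t]*)([^,\r\n]*)(,.*)$/m;

// Constructed sample shaped like the `show ver` output on the page.
const SAMPLE = [
  'Cisco Adaptive Security Appliance Software Version 8.0(2)',
  'Device Manager Version 6.2(1)',
  'Hardware: , 128 MB RAM, CPU Pentium II 1395 MHz',
  'Internal ATA Compact Flash, 0MB',
].join('\r\n');

// Returns null when there is no Hardware line, '' when the model is blank.
function readHardwareModel(body) {
  const m = HARDWARE_LINE.exec(body);
  return m ? m[2].trim() : null;
}

// Fills the model only when it is blank; anything else passes through untouched.
function fillBlankHardwareModel(body, model) {
  if (!/^[A-Za-z0-9-]+$/.test(model)) {
    throw new Error('model must be a plain identifier');
  }
  if (readHardwareModel(body) !== '') {
    return { body, changed: false };
  }
  const patched = body.replace(
    HARDWARE_LINE,
    (match, label, blank, rest) => label + model + rest
  );
  return { body: patched, changed: true };
}

const result = fillBlankHardwareModel(SAMPLE, 'ASA5520');
console.log(result.changed, JSON.stringify(readHardwareModel(result.body)));
```

Because the function only acts on a blank field, a response from a device that already reports a model passes through the proxy unchanged.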
From the forum response, here is how to configure Fiddler2 and JRE to use Fiddler2 as a proxy:
- Download Fiddler from http://www.fiddlertool.com/fiddler/
- Set Fiddler to decode HTTPS: fiddler --> tools --> fiddler options --> https --> check ‘decrypt https traffic’
- Download this file: fiddler.CustomRules.js, open it in Notepad, CTRL-A to highlight all and then CTRL-C to copy the highlighted text.
- In the Fiddler Menu Bar, click RULES --> Customize Rules. CTRL-A to highlight the entire file, then CTRL-V to paste our new rules into the file. Close and save the file.
- Then, point your JRE to use localhost:8888 for HTTP and HTTPS connections: Control panel --> java --> network settings --> use proxy server localhost:8888 --> advanced --> use same proxy for all protocols
- Start the ASA QEMU
- Start Fiddler
- Start ASDM and connect to the mgmt IP of the ASA (not Fiddler!)
Assuming you have set up ASDM access properly on the ASA, the error goes away and ASDM works like a champ!