GNS3 – Initial Setup, Adding Routers, Hosts, and ASA Firewalls

KB ID 0000927 

NOTE: THIS ARTICLE IS FOR THE OLD VERSION OF GNS3

GO HERE FOR THE NEW ONE

Problem

I dip into GNS3 every so often, (depending on what I’m working on). And each time I install it, I spend just as long remembering how to set it up, as I do using it! So, if for no other reason than I can use this page as a reference in future, here’s how to get it up and running.

Solution

Note: At the time of writing the latest version is 8.6.

1. Download GNS3, I accept all the defaults (I actually tick to install SuperPutty, as tabbed console windows can be handy when using GNS3). Launch the program and you will be greeted with the following setup wizard. Select Option 1.

Note: You can do the same in future, by going to Edit > Preferences

2. Check that the path to the ‘projects’ and your ‘images’ folder are where you want them to be. The defaults are fine but if you run GNS3 on several machines you might want to choose something like Dropbox > Apply > OK.

3. Option 2.

4. Click Test Settings > Have patience, it can take a couple of minutes > Apply > OK.

Adding Router Images to GNS 3

5. Option 3

Note: You can visit the same section in future by clicking Edit > IOS Images and Hypervisors.

6. Image file > Browse to the image you want to import. Here on GNS3 8.6 you can select the filename.bin file, with older versions you need to extract that file to a filename.image file.

Note: You need to legally download these images from Cisco. This means you need a Cisco CCO account, and a valid support agreement. DO NOT email me and ask for Cisco IOS images, (I will just ignore you!).

7. As mentioned above, it will convert my filename.bin image to an extracted filename.image file > Yes.

8. Set the Router platform and model > In the IDLE PC section click Auto calculation > This can take a while.

Note: You can do this later from the main workspace, and test a range of settings. If you don’t do this your virtual network devices will eat all your CPU power!

9. When complete click Close > Save > Close.

10. You can now drag that model of router onto the workspace and use it. Repeat for each model of router you want to add.

Adding a Host to GNS3

Having a host machine for your labs is handy; usually you just need to be able to ping, or run a traceroute. So you can download a small Linux image from GNS3. There are a few options but I prefer linux-microcore.

11. Edit > Preferences.


12. Qemu > Qemu Guest > Give it an identifier name (can be anything) > Browse to, and select the image you downloaded.

13. Save > OK > Apply.

14. You can now drag a Qemu Guest machine onto the workspace, and console into it.

Adding a Cisco ASA to GNS3

Yes, you can add a Cisco PIX as well, but there aren’t many of them left in the wild.

15. Edit > Preferences > Qemu > ASA > Give it an identifier name (can be anything) > Set the RAM to 1024 > Set the Qemu options to;

[box]

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

[/box]

Set the Kernel cmd line option to;

[box]

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

[/box]

16. You need two files to run the ASA, an initrd file and a kernel file. You need to create these from a legally obtained copy of the asa843-k8.bin file.

Should you wish to locate these files from a less reputable source you are looking for asa842-initrd.gz and asa842-vmlinuz, again don’t email me for them! If you are too stupid to use a search engine, then technical ninjary is not the correct career choice for you.

17. Finally select the vmlinuz file > Open.

18. Save > OK > Apply.

19. You can now drag an ASA onto the workspace and console into it (it takes a while, be patient). When the ASA starts it has all the licenses disabled; to add them you need to change the ASA’s activation key. An ASA activation key is usually tied to the serial number of the ASA, and in this case we don’t have a real serial number, (that’s not strictly true, if you check, it’s something like 12345678). So I will publish a working activation key*

*Disclaimer, this will only work on this virtual ASA, and it’s published elsewhere on the Internet, if I receive a request to remove it I will do so.

Another ‘quirk’ is that every time you add a new ASA to the workspace you need to go through this process again. If you enter the commands below you can issue a reload, and also save the ASA, without the need to re-enter the activation key.

[box]

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
{This can take 5-10 minutes}
copy running-config startup-config
{Enter}
copy startup-config disk0
{Enter}

[/box]

20. When it comes back up, (again it will take a few minutes), you can check your ASA’s licensed features.

Related Articles, References, Credits, or External Links

Connecting GNS3 to VMware Workstation

Build a PIX Firewall for your test network

Working with GNS3 and PEMU – (Part 2)

KB ID 0000662 

Problem

In Part 1 we installed and licensed our virtual PIX, now we will give it an IP address and get the firewall’s web management console running.

To complete this procedure you will need to,

1. Have a TFTP server up and running (CLICK HERE).

2. Know how to connect to a Cisco Firewall (CLICK HERE).

Solution

Step 1 (Add an interface to your host machine)

1. On your host PC/VM click Start > Run > hdwwiz.cpl {Enter} > At the “Add Hardware Wizard” click Next > Let it search > Tick “Yes, I’ve already connected the hardware” > Next > Scroll to the bottom > Select “Add a new hardware Device” > Next.

2. Select “Install the hardware that I manually select” > Next > Next > Select Network Adaptor > Next > Next > Finish.

3. Click Start > Run > ncpa.cpl > Right Click the new NIC and rename it to loopback adaptor > Then give it a valid IP on your test network. (Right click > properties > TCP/IP).

Step 2 (Configure the connection)

4. Connect to the PIX as shown in Part 1 > Give the PIX an IP address with the following commands;

[box]

enable
{Password} - Set blank by default
configure terminal
int e1
no shutdown
nameif inside
ip address {ip on test network} {subnet of test network}
write mem

[/box]

5. To connect the PIX to the loopback adaptor you need to add some networking in the GNS3 console > Drag the cloud object into the work area > Right click > Configure.

6. Select C0.

7. Select the loopback adaptor > Add > Apply > OK.

Note: If you are presenting a real adaptor you will only see some incomprehensible strings. Locate the “Network Device List” batch file in the GNS3 directory and run it; it will decipher those strings into adaptor names for you.

8. Drag a switch onto the workspace.

9. Click the connection tool and select “Fast Ethernet”.

10. Select the cloud (loopback adaptor) and drag a connection to the switch.

11. Select the PIX (interface e1) and drag a connection to the switch.

12. All green lights is good 🙂

13. From another machine on the network make sure you can ping the PIX to test connectivity.

Note: If you are using Microsoft Hyper-V Server, you may find that the whole thing fails at this point. If that’s the case, then shut down the guest machine and add and configure a “Legacy Network Card”. Bring the system back up and configure the new network card accordingly.

Also if you are in a virtual environment you can simply add another network card and get the cloud to use that instead of using a loopback adapter.

Step 3 Install and configure the ASDM (Web Interface)

1. Set up your TFTP server and have the asdm image file ready in the TFTP servers root directory.

2. We are now going to allow connection to the PIX via Telnet, because the console can be a bit twitchy in the GNS3 environment. Be aware that the commands below allow cleartext Telnet from any inside address with a password of cisco; that is fine for an isolated lab, but it is not something to copy onto a production firewall, where you would restrict the source address and use SSH instead.

[box]

enable
{Password} <-blank by default
configure terminal
telnet 0.0.0.0 0.0.0.0 inside
passwd cisco <- sets telnet password to cisco
write mem

[/box]

3. Now you can telnet to the PIX from another machine and copy the ASDM image from your TFTP server to the PIX.

[box]

enable
{Password} <-blank by default
copy tftp flash
{ip of the host running TFTP}
{filename of the asdm image}
{Enter} to accept

[/box]

4. Once the file is copied over you need to let the Firewall know that its the one to use, turn on the internal http server and allow access.

[box]

enable
{Password} <-blank by default
conf t
asdm image flash:asdm-603.bin
http server enable
http 0.0.0.0 0.0.0.0 inside
write mem

[/box]

The file will be copied over into the firewall’s flash memory (time for a coffee).

5. Now simply connect via the ASDM interface, if you’re unsure how to do that see my article here.

Using the information above you can present multiple network cards and clouds to the virtual firewall’s various interfaces (there are 5 interfaces on this firewall, it’s a PIX 525). Enjoy.

NB: Please don’t email and ask me for PIX images and/or activation keys, as refusal often offends – PL

Related Articles, References, Credits, or External Links

NA

VMware Error – HARDWARE_VIRTUALIZATION WARNING

KB ID 0000570 

Problem

Seen while installing vSphere ESX 5 (In this case, on a Dell Power Edge).

Warning(s)
<HARDWARE_VIRTUALIZATION WARNING: Hardware Virtualization is not a feature of the CPU, or it is not enabled in the BIOS>

Solution

Unless you have a “quite old” server, you simply need to enable “Virtualization Technology” in the machine’s BIOS.

1. On this machine (Dell PowerEdge T410) enter the BIOS > Navigate to Processor Settings > Virtualization Technology > Set to Enabled.

Note: You can check Intel Processors for Virtualization Technology Support here, and for AMD Processors go here.

 

Related Articles, References, Credits, or External Links

NA

I’m Going on Holiday, What do I need to Disable on my iPhone?

KB ID 0000622 

Problem

Here in Europe the big mobile telcos are being forced to keep roaming prices down. But going abroad with all your data services turned on can still mean you come back to a big bill.

Solution

1. On most people’s phones “Data Roaming” is already disabled (mine’s always off). Data Roaming is designed to let you use another provider’s phone network if your carrier’s signal is too weak. Some sites say you can’t use your phone abroad if you have this disabled. I DISAGREE, I’ve got it disabled and I use my phone every time I’m out of the country.

Settings > General > Network > Data Roaming.

2. If you use ActiveSync and/or have mail pushed to your phone, you might want to also disable “Mobile Data” to stop that happening while you’re away.

Settings > General > Network > Mobile Data.

3. That’s data stopped, but your phone will still function as a phone. WARNING: you may still be charged for “call forwarding” if your phone rings and you let it go to answerphone while you are away. I don’t mind that, because I prefer to keep my phone on. If you want to disable the phone and text features as well, e.g. you just want to use the camera, iPod and alarm capabilities, then just put the phone in Airplane mode, (which isn’t a word Apple! The word is Aeroplane!)

Settings > Airplane Mode.

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Adding Multiple VPN Devices to the Client

KB ID 0001011

Problem

If you connect to a lot of different firewalls, then constantly having to change the address you are going to can be a pain. Particularly if some clients don’t have a host name for their device, and you can’t remember everyone’s IP addresses.

Solution

I do this slightly differently to most other people: I create a connection file for every endpoint I want to go to, because a) I can transfer them between machines as required, b) I can give them to my colleagues without having to give them connections to my private networks, and c) if a firewall admin ‘enforces’ policies on me, my connection files won’t get destroyed.

1. On a newly deployed client you can see I only have one entry; it remembers the last one I connected to. There is no connection profile saved yet, (they live in);

Windows 7/8/10

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Note: ProgramData is a hidden folder.

Mac OSX and Linux

/opt/cisco/anyconnect/profile

2. Download a blank custom connection file, and edit the two values below, (replace with your own connection name and host address or IP address).

3. Save the file into the folder we identified earlier.

4. Now you will need to restart the AnyConnect service. Windows Key+R > services.msc {Enter} > Locate and restart the ‘Cisco AnyConnect Secure Mobility Agent’ service.

5. Now you will have another entry.

What if I Want a Lot More AnyConnect Connection Entries?

Here’s where I differ from most: I will create a new XML file for every connection I want. Read other blogs and they will tell you to put them all into the existing XML file, like so;

Whichever method you choose is up to you.
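As an added example (my own script, not part of the original article), here is the whole procedure in PowerShell: it writes one profile XML per endpoint into the Profile folder named above, validates each file as XML, and restarts the agent service so the client reads them. The element names (AnyConnectProfile/ServerList/HostEntry/HostName/HostAddress) are assumed from the AnyConnect client profile schema, and the endpoint names and addresses are made up; run it from an elevated prompt.

```powershell
# Added example, not the article's own file. Writes one AnyConnect client
# profile per endpoint, then restarts the agent. The XML layout is assumed from
# the AnyConnect client profile schema; the endpoints below are made-up values.

$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'

# One entry per firewall you connect to. Name is the label shown in the
# client's drop-down; Address is the DNS name or IP the client connects to.
$Endpoints = @(
    @{ Name = 'Client A - Head Office'; Address = 'vpn.clienta.example.com' },
    @{ Name = 'Client B - DR Site';     Address = '203.0.113.10' }
)

function New-AnyConnectHostEntry {
    param([string]$Name, [string]$Address)
    # Escape the values so a name such as "R&D" does not produce invalid XML.
    $n = [System.Security.SecurityElement]::Escape($Name)
    $a = [System.Security.SecurityElement]::Escape($Address)
    "        <HostEntry>`n            <HostName>$n</HostName>`n            <HostAddress>$a</HostAddress>`n        </HostEntry>"
}

function New-AnyConnectProfile {
    # Returns the XML text for a profile carrying the given host entries.
    param([hashtable[]]$Entries)
    $body = ($Entries | ForEach-Object { New-AnyConnectHostEntry -Name $_.Name -Address $_.Address }) -join "`n"
@"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ServerList>
$body
    </ServerList>
</AnyConnectProfile>
"@
}

if (-not (Test-Path $ProfileDir)) { throw "AnyConnect profile folder not found: $ProfileDir" }

# The article's approach: one XML file per endpoint, so each can be copied
# between machines or handed to a colleague on its own.
foreach ($ep in $Endpoints) {
    $safeName = ($ep.Name -replace '[^A-Za-z0-9]+', '_').Trim('_')
    $path = Join-Path $ProfileDir "$safeName.xml"
    New-AnyConnectProfile -Entries @($ep) | Set-Content -Path $path -Encoding UTF8
    # Load the file back through the XML parser so a malformed profile is
    # caught here rather than silently ignored by the client.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($path)
    Write-Host "Wrote $path"
}

# The alternative the article mentions: every endpoint in a single file.
# New-AnyConnectProfile -Entries $Endpoints | Set-Content -Path (Join-Path $ProfileDir 'AllClients.xml') -Encoding UTF8

# The client only reads the Profile folder when the agent starts.
Get-Service -DisplayName 'Cisco AnyConnect Secure Mobility Agent' | Restart-Service
```

The file name is derived from the connection name with anything outside A-Z and 0-9 replaced, so two endpoints with similar names still get distinct files; if you prefer the single-file method, uncomment the line that passes the whole `$Endpoints` array.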

Related Articles, References, Credits, or External Links

Original Article Written 20/10/14

Event ID 62464 ‘Source amdkmdag’

KB ID 0000613

Problem

My laptop has an annoying habit of ‘freezing” and requiring a manual power off and back on again to get it working (HP Probook 6560b).

A look in the system log yielded hundreds of event ID 62464 errors.

Log Name: System
Source: amdkmdag
Date: xx/xx/xxxx xx:xx:xx PM
Event ID: 62464
Task Category: DVD_OV
Level: Information
Keywords: Classic
User: N/A
Computer: xxxxxxxxx
Description:
UVD Information 

Solution

It seems I’m not the only one, a quick internet search turned up a few people with the same problem. However all the other posts were advocating disabling the logging of the error. I’m not a fan of disabling error logging no matter how ‘Spammy’ it is.

It’s obviously being generated by my graphics driver, so a look there told me what version I was running. (Start > Run devmgmt.msc {Enter}).

I went to HP and downloaded the latest published AMD driver they had, and rebooted, problem solved.

Related Articles, References, Credits, or External Links

NA

Event ID 36888

KB ID 0000634 

Problem

This was driving me nuts on my Windows 7 x64 Laptop.

Log Name: System
Source: Schannel
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 10.

I was getting a dozen of these an hour!

Solution

This error is caused (from what I can gather) by a failed TLS negotiation: your machine is trying to initiate communications with another machine/server using TLS (and a certificate), and the handshake ends with the fatal alert TLS1_ALERT_UNEXPECTED_MESSAGE (10).

1. If your browser is the cause of the problem, then simply open Internet Options > Advanced > Untick all the TLS options > Apply. Treat this as a diagnostic step only: with TLS unticked Internet Explorer is left with SSL 3.0, so re-tick the TLS options once you know whether the browser was the source.

2. However this DID NOT WORK for me, so something is programmatically chatting from my laptop using TLS. The bottom line is, this problem is probably not even on your machine, so I’m simply going to disable SCHANNEL logging.

Note: If your Error does NOT say “The following fatal alert was generated: 10. The internal error state is 10“. then I would suggest NOT doing this.

3. In the search run box type regedit and navigate to the following key;

[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL
[/box]

Change the EventLogging value from 1 to 0 (that’s a zero).
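As an added example (my own script, not from the original article), the following PowerShell applies the note above as a check before it touches the registry: it pulls the Schannel 36888 events from the System log, confirms every one of them carries alert 10, and only then sets EventLogging to 0. The registry path and value are the ones named above; the 24-hour window and the alert-code parsing are my own additions. Run it from an elevated prompt.

```powershell
# Added example, not part of the article. Counts Schannel 36888 events, checks
# they all report alert 10 as the article's note requires, then makes the same
# registry change as the regedit step. Needs an elevated prompt.

$Since = (Get-Date).AddHours(-24)   # assumed window; widen it if the events are rarer

function Get-SchannelFatalAlerts {
    # Returns the Schannel 36888 events from the System log since $Since,
    # each tagged with the TLS alert number parsed from its message text.
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $alert = $null
            if ($_.Message -match 'fatal alert was generated: (\d+)') { $alert = [int]$Matches[1] }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Alert = $alert; Message = $_.Message }
        }
}

$events = @(Get-SchannelFatalAlerts -Since $Since)
"$($events.Count) Schannel 36888 event(s) since $Since"
$events | Group-Object Alert | Select-Object @{ n = 'Alert'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Alert 10 is TLS unexpected_message. Anything else is a different problem and
# should be investigated rather than silenced.
$other = @($events | Where-Object { $_.Alert -ne 10 })
if ($other.Count -gt 0) {
    Write-Warning "Found $($other.Count) event(s) with an alert other than 10; not disabling logging."
    $other | Select-Object -First 5 | Format-List Time, Alert, Message
    return
}

# Same change as the article's regedit step: EventLogging 1 (log errors) -> 0 (off).
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$before = (Get-ItemProperty -Path $Key -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
Set-ItemProperty -Path $Key -Name EventLogging -Value 0 -Type DWord
$after = (Get-ItemProperty -Path $Key -Name EventLogging).EventLogging
"EventLogging changed from $before to $after (takes effect after a reboot)"
```

If the script stops with the warning, look at the printed events first; a different alert number means something other than the noise described here, and putting EventLogging back to 1 later is the same one-line Set-ItemProperty with -Value 1.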

Related Articles, References, Credits, or External Links

NA

Event ID 14029

KB ID 0000446 

Problem

Event ID 14029

Couldn’t find an Exchange 2010 or later public folder replica for the free/busy folder: EX:/O={your domain}/OU={your administrative group}

The message is quite straightforward. Older Outlook clients (2003 and earlier) get their scheduling and calendaring info from the “SCHEDULE+ FREE BUSY” public folder. Newer Outlook clients (2007 and later) don’t need to do this.

You are seeing this error message because either a) you have older Outlook clients in your Exchange org, or b) someone forgot to replicate this public folder over to Exchange 2010 when you upgraded.

Solution

1. On the Exchange Management Console > Toolbox > Public Folder Management Console > Expand “System Public Folders” > Expand “SCHEDULE+ FREE BUSY” > Select the folder that’s generating the error > Right Click > Properties.

2. Replication tab > Add > Add in the Exchange 2010 Server > Apply.

3. Finally, either reboot the server, or restart the Microsoft Exchange Mailbox Assistants (MSExchangeMailboxAssistants) service.

 

Related Articles, References, Credits, or External Links

NA

Event ID 12016

KB ID 0000292 

Problem

Event ID 12016

There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <domain>. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of <domain> should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task

Cause: One of the certificates installed on the server that has the “S” attribute (SMTP) has expired. If it’s the main certificate for the server then you will need to replace it. However this is common on servers that still have a copy of the self-signed certificate that was created and used when Exchange was first installed, so you are not using it anyway.

 

Solution

I’m assuming that the certificates that have expired are not the ones you are using in anger; let’s make sure.

1. To see what certificates are being used for what. Launch “Exchange Management Shell” > Issue the following command;

[box] Get-ExchangeCertificate [/box]

2. Above you can see I’ve got three certificates and they all are being used for SMTP, lets make sure they are all in date.

3. Click Start > mmc {enter} > File > Add/Remove Snap-in > Certificates > Add > Select “Computer account” > Next > Accept the default of “Local computer” > Finish > OK > Expand Certificates > Personal > Certificates.

4. Look down the expiration date column and you can see which ones are out of date; compare this list to the original one, and you can see which certificates need removing.

5. You can remove the expired certificates from here by right clicking > Delete.

6. OR, you can delete the certificates from within PowerShell with the following cmdlet;

[box] Remove-ExchangeCertificate -Thumbprint {thumbprint of certificate} [/box]

7. Then press Y and {Enter} to confirm.

8. Either way, when you are finished you should be looking more like this.

Note: Without an SMTP certificate with the FQDN of the server you may see Event ID 12014.

Error:

Microsoft Exchange couldn’t find a certificate that contains the domain name <name> in the personal store on the local computer. Therefore it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of <name>. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

You can simply create a self-signed certificate with the FQDN of the server, import it and then enable it for SMTP (Note: it WON’T overwrite the one you are using). Or click here.
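As an added example (my own script, not from the original article), the following Exchange Management Shell code does steps 1 to 8 and the Event ID 12014 note above in one pass: it lists the certificates enabled for SMTP, flags the expired ones, removes an expired certificate only if every name on it is still covered by an in-date SMTP certificate (so the one you use in anger is never touched, and you don’t swap 12016 for 12014), and issues a self-signed certificate for the server FQDN if nothing valid is left. The cmdlets are the ones the article uses (Get-/Remove-/New-ExchangeCertificate); the FQDN lookup and the coverage check are my own additions, and -WhatIf is left on so nothing is deleted until you remove it.

```powershell
# Added example, not the article's own code. Run in the Exchange Management
# Shell. Removes expired SMTP certificates only when their names are still
# covered by a valid one; -WhatIf is on, drop it to delete for real.

$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. mail.example.com
$Now  = Get-Date

function Get-SmtpCertificateReport {
    # One row per certificate that carries the 'S' (SMTP) service, with its
    # domain names as plain strings and an Expired flag.
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } | ForEach-Object {
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Domains    = @($_.CertificateDomains | ForEach-Object { "$_" })
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $Now)
        }
    }
}

function Test-DomainsCovered {
    # True when every name in $Domains appears on at least one certificate in $ValidCerts.
    param([string[]]$Domains, [object[]]$ValidCerts)
    foreach ($d in $Domains) {
        $hit = $ValidCerts | Where-Object { $_.Domains -contains $d }
        if (-not $hit) { return $false }
    }
    return $true
}

$report  = @(Get-SmtpCertificateReport)
$report | Sort-Object NotAfter | Format-Table Thumbprint, Expired, NotAfter, @{ n = 'Domains'; e = { $_.Domains -join ', ' } } -AutoSize

$expired = @($report | Where-Object { $_.Expired })
$valid   = @($report | Where-Object { -not $_.Expired })

foreach ($cert in $expired) {
    if (-not (Test-DomainsCovered -Domains $cert.Domains -ValidCerts $valid)) {
        # Deleting this one would leave a connector FQDN with no certificate (Event ID 12014).
        Write-Warning "Keeping $($cert.Thumbprint): no valid SMTP certificate covers all of $($cert.Domains -join ', ')."
        continue
    }
    Remove-ExchangeCertificate -Thumbprint $cert.Thumbprint -WhatIf   # remove -WhatIf to delete
}

# If no in-date SMTP certificate carries the server's FQDN, issue a self-signed
# one for SMTP. You will be asked whether to overwrite the default SMTP
# certificate; answer No to keep the one you already use.
if (-not ($valid | Where-Object { $_.Domains -contains $Fqdn })) {
    New-ExchangeCertificate -SubjectName "cn=$Fqdn" -DomainName $Fqdn -Services SMTP
}
```

Run it once with -WhatIf in place to read the list and the warnings, then again without it; the coverage check is deliberately strict (every name on the expired certificate must survive on a valid one), which is the behaviour you want when the server hosts several connector FQDNs.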

 

Related Articles, References, Credits, or External Links

NA