ASDM with ASA image on GNS3

So, I’m a command-line guy, but when it comes to the ASA and the Cisco SNPA CCSP exam, I will need some ASDM knowledge and experience. I use GNS3 and QEMU to emulate the Cisco ASA hardware. While the CLI works great, I could not get my XP box to play nice with ASDM.

When attempting to launch ASDM, no matter which version of ASDM and ASA IOS that you run, you get an error stating: “You’re ASA has a version number 8.0(2) which is not supported by ASDM 6.2(1)”. After much hair pulling, I finally tripped across a blog article that explains how to get ASDM working with ASA emulated hardware in GNS3.

The problem is that the ASDM client software is comparing the hardware ID string send by the http server on the ASA with it’s “ASDM is known to be compatible with” information. The emulated ASA hardware has the Hardware ID left blank (null) by default, as seen here in the output from show ver:

Notice that the hardware identifier is blank. So, according to this excellent forum post response, when then ASA sends the HTTPS response to the ASDM client request, the HW ID field is null. A piece of software called “Fiddler2″ (Windows only) can act as a proxy and modify the ASA http response payload and replace the null field with an ASA model number. This will let the ASDM client software know that the ASA is indeed running an IOS version with which it is compatible.

From the forum response, here is how to configure Fiddler2 and JRE to use Fiddler2 as a proxy:

• Download fiddler from http://www.fiddlertool.com/fiddler/
  Set fiddler to decode HTTPS: fiddler –> tools –> fiddler options –> https –> check ‘decrypt https traffic’
• Download this file: fiddler.CustomRules.js, open it in notepad, CRLT-A to highlight all and then CTRL-C to copy the highlighted text.
• In the Fiddler Menu Bar, click RULES –> Customize Rules
  CTRL-A to highlight the entire file then CTRL-V to paste our new rules into the file. Close and Save the file.
• Then, point your JRE to use localhost:8888 for http and https connections:
  Control panel –> java –> network settings –> use proxy server localhost:8888 –> advanced –> use same proxy for all protocols

Start the ASA QEMU
Start Fiddler
Start ASDM and connect to the mgmt IP of the ASA (not the fiddler !)

Assuming you have set up ASDM access properly on the ASA, the error goes away and works like a champ!

28 Responses to “ASDM with ASA image on GNS3”

1. Pierrek says:

   July 13, 2010 at 7:35 pm

   Thanks a lot works perfectly ,
2. capricorn says:

   July 24, 2010 at 7:38 am

   any help un my case > http://www.gns3.net/phpBB/topic2349.html

   Regards
3. moog says:

   August 8, 2010 at 3:39 am

   THANK U ,GOD BLESS YOU
   THANK U ,GOD BLESS YOU
   THANK U ,GOD BLESS YOU
   THANK U ,GOD BLESS YOU
4. Sharabi says:

   August 12, 2010 at 6:54 am

   Thank you very much it works perfectly
5. Jeronimo says:

   September 26, 2010 at 10:26 am

   Thank you very very much. ASDM 6.3 works like a charm with ASA 8.0
6. Waleed says:

   October 16, 2010 at 5:23 am

   Thanks you, it’s works for me.
7. opsie says:

   October 23, 2010 at 6:33 am

   I need ASA software for gns3 with pix ios for some configuration. Am due for my snaf tuesday 26 oct 2010. al help required asap.
8. opsie says:

   October 23, 2010 at 6:36 am

   its my last exam in the ccsp track. i ned all the help on pix n asa that i can find.
   any one on ios software on gns3 (pix, asa?)
9. Rasangika says:

   October 27, 2010 at 6:15 am

   thanks a lot!
10. Yamil says:

    November 13, 2010 at 10:04 pm

    I work !!!!!

    I Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks Thanks
11. naz says:

    November 14, 2010 at 12:35 am

    thanx buddy, it works great
12. ibog says:

    November 17, 2010 at 9:57 am

    Thanks, its working fine.. !!
13. luckyayo says:

    January 12, 2011 at 3:24 am

    Thanks so much, works great so far, but I am now getting the following error:

    ciscoasa(config-if)# no shutdown
    Failed to change interface status: cannot get channel

    Do you have any ideas on whats wrong?

    Many thnaks
14. Aaron Hackney says:

    January 12, 2011 at 7:32 am

    Hello. Sure, I have ran into that as well. It means that you are not emulating the correct network card. The card that works for me is the e1000. Any other card emulation gives me the error that you describe. This is set in the preferences of QEMU. Good luck!
15. luckyayo says:

    January 12, 2011 at 10:54 am

    Thanks Aaron,

    I have my PIX firewall up and running with the e1000. I can get the ASA to work with the e1000 by issuing the following commands during the first start:

    #modprobe e1000
    #ifconfig eth0 up
    #ifconfig eth1 up
    #ifconfig eth2 up
    #ifconfig eth3 up
    #ifconfig eth4 up
    #ifconfig eth5 up
    #cp /asa/bin/lina /mnt/disk0/lina
    #cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
    #cd /mnt/disk0
    /mnt/disk0/lina_monitor

    The problem occurs after I format my flash for it to allocate the correct size to disk0:.
    Once the ASA is restarted it does not go into the qemu prompt for me to issues the above commands, but goes straight to the “ciscoasa>” prompt.

    Therefore it loads the ios without the interfaces first being initialized. If I delete the flash and reload the ASA it works fine, but if I format the flash , I am back to the same problem.

    I hope all this makes sense.Any ideas?

    Thanks again.
16. Aaron Hackney says:

    January 12, 2011 at 10:57 am

    You should have included those commands in a script when you split and built your ASA images. If you are using an image your downloaded from someone, they probably missed that step.
17. luckyayo says:

    January 13, 2011 at 3:50 am

    Thanks Aaron. I think you are right, those were my thoughts also, makes absolute sense. Do you have a working kernel and initrd file for the asa?

    Thanks
18. Papa Jim says:

    January 15, 2011 at 10:54 pm

    Hi – I have followed this procedure a dozen times but continue to get the “ASA image not supported by ASDM” error when I try to run ASDM from the intro web screen. I have tried various versions of the Fiddler script from a number of sites. I have tried a number of different Java versions and I have tried a number of different ASDM versions. My CLI access to the ASA in GNS3 works fine. Anyone have any suggestions?
19. Rudy says:

    January 17, 2011 at 9:26 am

    Thanks a lot
20. Majid says:

    January 26, 2011 at 2:48 am

    Hi
    I have the same problem which Papa Jim had. Any suggestions ???
21. pazmanpro says:

    February 22, 2011 at 9:21 am

    @Papa Jim and @Majid

    Double check that fiddler is set to decode HTTPS. If you don’t check this, it won’t work.
22. Huan Nguyen says:

    February 27, 2011 at 8:45 pm

    Thanks U about this article! I has done
23. CC-AStrix says:

    March 9, 2011 at 4:52 am

    You are a Legend !!!!!
24. QBoro says:

    March 10, 2011 at 2:41 am

    same errors as @Papa Jim and @Majid…trying ADSM 6.3..see if it works
25. Junaid says:

    April 11, 2011 at 6:59 am

    Thanks Alot.. for those who specially upgraded their asdm versions from 5.21 to 6.3 in ASA dont forget to add them in running config….
26. Jatin Pande says:

    April 20, 2011 at 2:56 am

    thank you very much. its working fine
27. rabzy says:

    September 9, 2011 at 5:21 am

    Hello guys i have double check the fiddler and java. but it returns the error (unable to launch asdm from 10.10.10.1. unable to tunnel through proxy. proxy returns “HTTPS/1.1 502 connection failed
28. ioncube decoder says:

    December 21, 2011 at 5:57 am

    Fantastic web site. Lots of helpful information here. I am sending it to a few friends ans additionally sharing in delicious. And certainly, thanks in your effort!