ronsun

近来网上有人开始用Qemu来运行ASA8.02，闲着没事，咱也来DIY一把。首先从网卡下载asa802-k8.bin，大概14M吧。然后进入到linux系统，虚拟的也行。
步骤：
# hexdump -C asa802-k8.bin > asa802-k8.hd
# grep "1f 8b 08 00 1d" asa802-k8.hd
001228b0 1f 8b 08 00 1d 3d 73 46 00 03 ec 3a 6d 54 14 57
# ls -la asa802-k8.bin
-rw-r--r-- 1 ftp wheel 14524416 9 Aug 09:25 asa802-k8.bin
# perl -e '$x=14524416-0x1228b0;print "$x\n"'
13334352
# tail -c 13334352 asa802-k8.bin > asa802-k8.gz
# gzip -d asa802-k8.gz
# cpio -i --make-directories < asa802-k8   --no-absolute-filenames
cpio: Removing leading `/' from member names
...
cpio: Removing leading `/' from member names
61039 blocks
# rm asa802-k8
在bin（刚才解压出一的bin）目录下新建一文件比如叫myasa802，把下面内容贴进去：
       modprobe e100
       ifconfig eth0 up
       ifconfig eth1 up
       ifconfig eth2 up
       ifconfig eth3 up
       ifconfig eth4 up
       ifconfig eth5 up
       cd /mnt/disk0/
       /asa/bin/lina_monitor
       #vi myasa802
#chmod a+x myasa802
然后编辑rcS.common文件，在最后加上一句 /bin/myasa802用来在系统启动时调用myasa802。
# vi rcS.common
编辑后保存（shift+z+z）
# file asa/bin/lina
asa/bin/lina: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.3, dynamically linked (uses shared libs), stripped
# mv etc/init.d/rcS etc/init.d/rcS.bak
# sed -e 's/# l/\/bin\/sh # l/' etc/init.d/rcS.bak > etc/init.d/rcS
# chmod 755 etc/init.d/rcS
# find . | cpio -o -H newc | gzip -9 > asa802.gz
61040 blocks
把刚才生成的asa802.gz拷贝出来，放到qemu-0.9.0-windows.zip解压出来的目录中，注意，要用最新的Qemu，否则不能正常运行，建议用http://7200emu.hacki.at/viewtopic.php?t=2187&postdays=0&postorder=asc&start=90中的文件替换掉解压后目录中的qemu文件。如果没有看到可以下载的附件，请注册并登录。该版本支持pcap。
或者下载附件中的文件也可
用下面命令启动：
@echo off
setlocal
set command_name= qemuPCAP -L . -hda FLASH -hdachs 980,16,32 -kernel vmlinuz -initrd asa802.gz -m 256 --no-kqemu
set parameter= -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32"
set nic1=-net nic,vlan=0,model=i82557b,macaddr=00:aa:00:00:02:01 -net pcap,vlan=0,ifname=\Device\NPF_{D887406D-552A-43EA-8409-5FE8FB4E4940}
set nic2=-net nic,vlan=1,model=i82557b,macaddr=00:aa:00:00:02:02 -net pcap,vlan=1,ifname=\Device\NPF_{A269B029-B7A8-4371-BD33-8CD4346C6C17}  
set nic3=-net nic,vlan=2,model=i82557b,macaddr=00:aa:00:00:02:03 -net pcap,vlan=2,ifname=\Device\NPF_{3AF59A0B-539A-4FE5-A4DE-27E93BA396DB}
set options=-serial [url=telnet::1007,server,nowait]telnet::1007,server,nowait[/url]
%command_name% %parameter% %nic1% %nic2% %nic3% %options%  
上面是一个批处理文件中的内容， 用到的FLASH文件，可以用Linux生成（dd if=/dev/zero of=FLASH bs=1k count=16k），也可以用VMWare生成的VMDK文件。如果是新硬盘文件，还需要分区并格式化，分区用fdisk命令后，按菜单提示操作，格式化分区、挂载分区：
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
双击后运行，可直接进入到ASA的界面如下：
Freeing initrd memory: 12912k freed
NET: Registered protocol family 16
PCI: PCI BIOS revision 2.10 entry at 0xfa110, last bus=0
Setting up standard PCI resources
PCI: Probing PCI hardware
PCI quirk: region b000-b03f claimed by PIIX4 ACPI
PCI quirk: region b100-b10f claimed by PIIX4 SMB
PCI: Using IRQ router PIIX/ICH [8086/7000] at 0000:00:01.0
PCI: Ignore bogus resource 6 [0:0] of 0000:00:02.0
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 8192 bind 4096)
TCP reno registered
Total HugeTLB memory allocated, 0
bigphysarea: Allocated 16384 pages at 0xe0000000.
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
Limiting direct PCI/PCI transfers.
PCI: PIIX3: Enabling Passive Release on 0000:00:01.0
Activating ISA DMA hang workarounds.
Serial: 8250/16550 driver $Revision: #2 $ 4 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16450
loop: loaded (max 8 devices)
pcnet32.c:v1.32 18.Mar.2006 tsbogend@alpha.franken.de
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: QEMU HARDDISK, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: max request size: 512KiB
hda: 32768 sectors (16 MB) w/256KiB Cache, CHS=980/16/32
hda: cache flushes supported
hda: hda1
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Using IPI Shortcut mode
Freeing unused kernel memory: 116k freed
FAT: "posix" option is obsolete, not supported now
TIPC: Activated (compiled May  2 2007 15:38:08)
NET: Registered protocol family 30
TIPC: Started in single node mode
TIPC: Started in network mode
TIPC: Own node address <1.1.1>, network identity 1234
TIPC: Enabled bearer <eth:tap0>, discovery domain <1.1.0>, priority 10
e100: Intel(R) PRO/100 Network Driver, 3.5.10-k2-NAPI
e100: Copyright(c) 1999-2005 Intel Corporation
PCI: Found IRQ 11 for device 0000:00:03.0
e100: eth0: e100_probe: addr 0xf2001000, irq 11, MAC addr 00:AA:00:00:02:01
PCI: Found IRQ 9 for device 0000:00:04.0
e100: eth1: e100_probe: addr 0xf2040000, irq 9, MAC addr 00:AA:00:00:02:02
PCI: Found IRQ 11 for device 0000:00:05.0
IRQ routing conflict for 0000:00:01.3, have irq 9, want irq 11
e100: eth2: e100_probe: addr 0xf2080000, irq 11, MAC addr 00:AA:00:00:02:03
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
e100: eth2: e100_watchdog: link up, 100Mbps, full-duplex
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
Processor memory 162791424, Reserved memory: 20971520 (DSOs: 0 + kernel: 20971520)
Guest RAM start: 0xd5800080
Guest RAM   end: 0xddc00000
LINA unit number: 1
Guest RAM   brk: 0xd5801000
MKDIR failed No such file or directory for /var/log/
Welcome to LINA - ( F1-on-Linux platform ) desktop version!
    ********************************************************************
    *  WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING *
    *                                                                  *
    *  This product is for Cisco internal use ONLY!!!                  *
    *                                                                  *
    *  WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING *
    ********************************************************************
   
i2c_read_byte_w_wait() error, slot = 0x4, device = 0xb0, address = 0 byte count = 1. Reason: I2C_SMBUS_UNSUPPORT
Total SSMs found: 0
Ignoring PCI card in slot:0 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:1 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:2 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:3 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:4 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:5 (vendor:0x0 deviceid:0x0)
Ignoring PCI card in slot:6 (vendor:0x0 deviceid:0x0)
Total NICs found: 6
eth0 mapping
        Interrupt: 11 Base address:000
        Memory: f2001000-f2001fff
ifr.ifr_ifindex 4
ioctl (SIOCGIFADDR): Cannot assign requested address
le_open: got the fd: 9, name: eth0
LINA guest interface 0: Linux host ethdev: eth0
     linaeth Ethernet at irq  0  MAC: 00aa.0000.0201
eth1 mapping
        Interrupt: 9 Base address:0x0
        Memory: f2040000-f2040fff
ifr.ifr_ifindex 5
ioctl (SIOCGIFADDR): Cannot assign requested address
le_open: got the fd: 10, name: eth1
LINA guest interface 1: Linux host ethdev: eth1
     linaeth Ethernet at irq  0  MAC: 00aa.0000.0202
eth2 mapping
        Interrupt: 11 Base address:0x0
        Memory: f2080000-f2080fff
ifr.ifr_ifindex 6
ioctl (SIOCGIFADDR): Cannot assign requested address
le_open: got the fd: 11, name: eth2
LINA guest interface 2: Linux host ethdev: eth2
     linaeth Ethernet at irq  0  MAC: 00aa.0000.0203
Error in ioctl SIOGIFINDEX
Failed to open linaeth for interface 3 - verify the support in kernel
     
Error in ioctl SIOGIFINDEX
Failed to open linaeth for interface 4 - verify the support in kernel
     
Error in ioctl SIOGIFINDEX
Failed to open linaeth for interface 5 - verify the support in kernel
     
INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash
WARNING: Unable to write firewall mode to flash, this is normal if flash is
         not formatted.
  --------------------------------------------------------------------------
                                 .            .                             
                                 |            |                             
                                |||          |||                           
                              .|| ||.      .|| ||.                          
                           .:||| | |||:..:||| | |||:.                       
                            C i s c o  S y s t e m s                        
  --------------------------------------------------------------------------
Cisco Adaptive Security Appliance Software Version 8.0(2)
Cannot open interface card (media_ethernet/port/id/3)
pix_idb_create: Unable to get link capabilities 3
pix_idb_create: Unable to get nic_stats for port 3
Cannot open interface card (media_ethernet/port/id/4)
pix_idb_create: Unable to get link capabilities 4
pix_idb_create: Unable to get nic_stats for port 4
Cannot open interface card (media_ethernet/port/id/5)
pix_idb_create: Unable to get link capabilities 5
pix_idb_create: Unable to get nic_stats for port 5
  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.
  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by
  sending email to export@cisco.com.
  ******************************* Warning *******************************
Copyright (c) 1996-2007 by Cisco Systems, Inc.
                Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0 byte count = 1. Reason: I2C_SMBUS_UNSUPPORT
i2c_read_byte_w_suspend() error, slot = 0x4, device = 0xb0, address = 0 byte count = 1. Reason: I2C_SMBUS_UNSUPPORT
Failed to change interface status: cannot get channel
*** Output from config line 25, "interface Ethernet0/3"
Failed to change interface status: cannot get channel
*** Output from config line 26, " shutdown"
Failed to change interface status: cannot get channel
*** Output from config line 31, "interface Ethernet0/4"
Failed to change interface status: cannot get channel
*** Output from config line 32, " shutdown"
Failed to change interface status: cannot get channel
*** Output from config line 37, "interface Ethernet0/5"
Failed to change interface status: cannot get channel
*** Output from config line 38, " shutdown"
.
Cryptochecksum (unchanged): a44f5bfb 92783dc7 3e6365ce d24cb567
Type help or '?' for a list of available commands.
asa802>

特别说明，在asa802.gz的制作过程中，加入了一个启动时执行的脚本myasa802，不然，每次启动lina_monitor之前都得写一堆命令，烦，累。
附件为我制作好的asa802.gz及FLASH、mmm123的支持pcap的Qemu文件，该FLASH文件中包含了asdm602.bin，虽然现在运行ASDM还有问题，但以后会用得到。
感谢锅巴粥，感谢mmm123等。
另：vmlinuz漏了，现在补上。

小漏

三侠又出经典文章

ronsun

为人民服务

ice.man

FLASH问题啥时候可以解决捏?

这个貌似不能做CONTEXT喔..

mono'xide

厉害。。赞一下先

ccsr

我也感谢你，兄弟！

syutou

mmm123的支持pcap的Qemu文件
很稳定!!!

colone

风尘三侠:
  你太牛了,小弟仰慕!!!
   可小弟想问你的vmlinuz和 -initrd 是从哪里来的?怎么来的?是不是没有写详细,你用的是那个linux系统,我用红旗桌面版6.0的可以吗,支持这些命令吗?(红旗4.0的不支持,已经试过了).谢谢!

小漏

引用:

原帖由 colone 于 2007-12-6 09:12 发表
风尘三侠:
  你太牛了,小弟仰慕!!!
   可小弟想问你的vmlinuz和 -initrd 是从哪里来的?怎么来的?是不是没有写详细,你用的是那个linux系统,我用红旗桌面版6.0的可以吗,支持这些命令吗?(红旗4.0的不支持,已经试过了) ...

vmlinuz是从asa的ios中提取出来的
看这里关于如何解压cisco asa ios的

http://ers.msk.ru/cisco/asa8-ls-lR.html

ronsun

引用:

原帖由 colone 于 2007-12-6 09:12 发表
风尘三侠:
  你太牛了,小弟仰慕!!!
   可小弟想问你的vmlinuz和 -initrd 是从哪里来的?怎么来的?是不是没有写详细,你用的是那个linux系统,我用红旗桌面版6.0的可以吗,支持这些命令吗?(红旗4.0的不支持,已经试过了) ...

vmlinuz文件已经补上。我用的是Redhat9，其它没试过。
另：是别人牛，如锅巴粥、mm123，我是加一点东西，总结一下而矣。

[ 本帖最后由 ronsun 于 2007-12-6 12:16 编辑 ]

colone

非常谢谢 风尘三侠!
这个论坛有了你们而精彩!!!

cbscbi

have a

mengkouhong

请问配置为什么不能保存啊????

colone

引用:

原帖由 mengkouhong 于 2007-12-7 16:17 发表
请问配置为什么不能保存啊????

我的一台电脑可以保存,但把它完全复制到另外一台机器,也出现不能保存,
一启动就需要配置,里面根本和楼主的flash配置不一样,但我明明是用他的flash文件.


不知是qemu问题,还是电脑问题?郁闷!!!

colone

引用:

原帖由 ice.man 于 2007-12-5 15:21 发表
FLASH问题啥时候可以解决捏?

这个貌似不能做CONTEXT喔..

楼上,请发一些有关asa做context文章,pix7x的我看了,但不是很明白怎样用???

感谢!

colone

老兄,还是风尘三侠,牛呀,
你保存需要用copy run disk0:/.private/startup-config
提示覆盖,确认,虽然能出错,但也可以保存.

但是我想问问,风尘三侠,我自己做的asa802.gz为什么不能启动lina_monitor呢?
它提示error opening /dev/mem 出错,然后就restart system

我不知道是不是在做find . |   cpio -o -H newc | grep ...(命令忘记了,途中显示有新的bytes没有copy进去,是不是这里的问题???)

还是风尘三侠版主的做的很好,直接就启动asa802,爽!

wenhao_lu

总之都是很牛的人!简称"牛人"

huangsong

谢谢版主分享安装经验！！！

bighead_cyj

呵呵 ！很棒啊！
不过，这个看似很复杂啊！能不能像PIX一样，在WIN XP 的环境下实现呢？

小漏

引用:

原帖由 bighead_cyj 于 2007-12-10 10:40 发表
呵呵 ！很棒啊！
不过，这个看似很复杂啊！能不能像PIX一样，在WIN XP 的环境下实现呢？

可以滴