By Peter Hadač
This article is all about how to prepare ASA 8.4 in GNS3 simulation (on Windows 10, but compatible with other OS ) using QEMU.
Initial state and observed problems
Observed problems
We had observed a problem, where a SIP phone is registering, but the AOR record indicates, that as a Contact IP address the incorrect and strange private IP address is used. As is shown on following listing:
voip*CLI> pjsip show aor 1765Aor: <Aor..............................................> <MaxContact>Contact:Aor: 1765 1 Contact: 1765/sip:1765@10.16.42.46:65476 f123d14d1c NonQual nanParameterName : ParameterValue ================================================= authenticate_qualify : false contact : sip:1765@10.16.42.46:65476 default_expiration : 7200 mailboxes : max_contacts : 1 maximum_expiration : 7200 minimum_expiration : 60 outbound_proxy : qualify_frequency : 0 qualify_timeout : 3.000000 remove_existing : true support_path : false voicemail_extension :
This cause a problem, where incoming phone calls (call on 1765 number) are not reaching the SIP phone. We had tried to solve the situations on the phone only modifying its NAT configuration and using STUN, but with no success. Then we setup the lab with two Cisco NAT to simulate the topo. It works perfectly. This indicate on a problem with the Fortigate firewall. Several posts indicates that it could be the SIP ALG problem, which is on Fortigate devices turned on by default and it modifies SIP messages.
In this post we describe how to run Fortigate FW VM appliance inside of the GNS3 (local or remote).
Prerequisities and environment
- GNS3
- In my case of version 2.1.1 running on a remote linux server (physical HW, not GSN3 VM).
- In my case FortiGate for KVM platform Version 6.2.
- Download from HERE using Fortigate.ONE account (may create for free).
- Download from HERE.
Note: FortiGate VM evaluation license
FortiGate VM includes a limited embedded 15-day trial license that supports:
This example shows how to generate 254 loop interfaces with assigned ipv4 addresses 172.16.0.1/24 up to 172.16.255.1/24. The code is:
enable
tclsh
for {set i 0} {$i < 256} {incr i} {
ios_config "int loop $i" "ip address 172.16.$i.1 255.255.255.0"
}
ios_config "end"
tclquitand you may just simply copy and paste it into a Cisco router CLI. Therefore first run tclsh within of privileged EXEC mode
Eset AV sometimes prevents to run and install some applications, for example microtorrent client or virtualbox extension pack. If the AV pausing does not help, there is an option to kill the AV process using a standard way (using the task manager). However, Eset AV has enabled by default a Self-defense feature preventing to do that.
Therefore to be able to kill the process this feature has to be disabled. To do that follow:
Once if we are allowed download zipped version of ccna curriculum (for example as an netacad instructor) we should be able run them locally without web server need. However there is a problem to display these curriculums by default as it contain embeded flash animation. This problem persists in different browsers (firefox, chrome, epiphany) for example.
In this article I will configure dynamic complex ACL (Lock and Key). This technique is described during CCNA4 Exploration.
About Lock and Key
Description from the cisco web
web: http://www.secdev.org/projects/scapy/
Licence: free?