GNS3 – Use Pemu as your Personal Firewall
Posted by Josh on Sat 31 May 2008. Categories: Cisco, GNS3, PEMU. 19 comments.
Since I discovered Dynamips and Pemu, I have been trying to find a way to test PIX configurations on a single PC running Windows XP. The real trick has always been getting traffic to and from the virtual PIX. On Linux this was not a problem, but Windows has always been another story, until I recently worked out how to communicate with pemu through GNS3.

After completing this tutorial, you will be able to send traffic from the loopback interface on your PC through the virtual PIX and out the Ethernet interface on your PC.
Now, before anyone starts sending me emails and spamming the comments, let me say that this is for testing purposes only. Do not be misled by the title of this blog post.

June 5th, 2008 at 4:58 am
[...] These labs were built based on BlindHogs’ Use Pemu as your Personal Firewall [...]
June 13th, 2008 at 11:28 pm
Excellent video – thanks a lot
I can get to the ASDM of my PIX but can't get Internet traffic to go via my PIX. When I take the DG off my LAC I cannot get any web pages. My DG is a local IP address of my ADSL router. I can ping my local PC (192.168.0.2) hosting the virtual PIX (192.168.0.5) but I can't ping the ADSL router from the PIX. Do I need to add any static routes to my client or PIX? Any ideas?
Many Thanks
Colin
June 17th, 2008 at 8:11 pm
[...] These labs were built based on BlindHogs’ Use Pemu as your Personal Firewall [...]
July 29th, 2008 at 4:44 pm
Hello: I can use PEMU fine on GNS3; however, I notice the CPU utilization is around 50%. Any way to bring the utilization down when running PEMU?
July 29th, 2008 at 5:01 pm
Never mind, I found out that it is normal behaviour for the 7.2 image... Thanks
December 9th, 2008 at 1:54 am
Hi,
I've got this configuration up and running, many thanks for the video. I am however unable to create a hole to allow access to my webserver from outside. Has anyone else had the same issue?
I use the following configuration, which should work...
Boomerang(config)# access-list WEBIN extended permit tcp any any eq 81 log
Boomerang(config)# access-group WEBIN in interface outside
Boomerang(config)# static (inside,outside) tcp interface 81 10.0.0.1 81 netmask 255.255.255.255
December 17th, 2008 at 11:23 am
Hello,
A very good job. Can this be done with Dynamips?
Thanks.
December 26th, 2008 at 7:12 am
Hi, I tried in vain to get this to work.
Seems I cannot ping my pc from pix or pix from pc. No connection.
I can setup a router and ping that but the pix never works.
Please help.
The firewall on Windows is switched off. I just don't know why it won't work. I followed the instructions, but when it comes to the pinging it fails.
December 27th, 2008 at 3:27 pm
Duxbuz,
You may need to permit icmp on the pix.
Take a look at this link.
Josh
February 3rd, 2009 at 11:47 am
Hi,
Has someone tested this with XP SP3? Is it still working?
I've tried on a French system but it doesn't work. I can't select the loopback from the cloud. Yes, I added the loopback interface from the hardware wizard.
Need help please, thx
Fred
February 6th, 2009 at 12:35 pm
I have tried this also and can't get to the Internet. How does the PIX know how to use the default gateway? How does the Internet router talk to the PIX?
February 7th, 2009 at 2:38 pm
Hi, I can ping the inside and outside PIX interfaces from my PC (10.1.1.1) but I can't ping my Internet gateway (192.168.0.1), just like Colin in the second post. This is my running-config:
PIX Version 8.0(3)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.5 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging flash-bufferwrap
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
username adam password ObtzdGKt8ALC6fhn encrypted privilege 15
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect icmp
...and show route:
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
C 10.1.1.0 255.255.255.0 is directly connected, inside
C 192.168.0.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside
I need help, thx
pixar
April 2nd, 2009 at 7:17 am
troubleshooting guide:
1. ICMP no reply ==> Windows firewall; by default it does not reply to ICMP packets for its NIC
2. issue the command:
pixfirewall# show asp drop
Frame drop:
Flow is denied by configured rule 63
First TCP packet not SYN 2
TCP data exceeded MSS 7668
Interface is down 2
===> packets dropped by "TCP data exceeded MSS"
===> search Google, find this: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
===> "MPF Configuration to Allow Packets that Exceed MSS"
April 2nd, 2009 at 7:26 am
PIX/ASA 7.X Issue: MSS Exceeded – HTTP Clients Cannot Browse to Some Web Sites
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804c8b9f.shtml
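The guide above reads a single `show asp drop` and picks the largest counter, but those counters are cumulative since the last clear, so a big number may be old noise rather than the cause of today's failure. The practical way to use the command is to take one snapshot, run the failing test once (one ping, one browser request), take a second snapshot and look only at what moved. The Python below is an added example written for this page, not code from the comment, from the blog or from Cisco; the snapshot text is constructed in the style of the output quoted above, and the hints table is my own summary (the MSS entry follows the Cisco note linked in the comment).

```python
"""Diff two 'show asp drop' snapshots taken just before and just after a failing
test so that only the counter that actually moved is reported.
Added example for this page, not code from the comment, the blog or Cisco."""
import re

# Hints for the reasons that appear in the thread.  Assumed from general PIX/ASA
# experience; the MSS entry follows the Cisco note linked in the comment.
HINTS = {
    "TCP data exceeded MSS": "segment larger than the MSS negotiated through the PIX; "
                             "allow it with a tcp-map 'exceed-mss allow' applied via MPF",
    "Flow is denied by configured rule": "dropped by an access-list or the implicit deny on the ingress interface",
    "First TCP packet not SYN": "mid-stream packet with no connection state (asymmetric path or stale session)",
    "Interface is down": "ingress or egress interface is shut down or has no link",
}


def parse_asp_drop(text):
    """Map (section, reason) -> cumulative count; accepts lines with or without the (name) tag."""
    counters, section = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("drop:"):                      # 'Frame drop:' / 'Flow drop:'
            section = line.strip()[:-1]
        elif m := re.match(r"\s+(.*?)\s*(?:\([\w-]+\))?\s+(\d+)$", line):
            counters[(section, m[1])] = int(m[2])
    return counters


def asp_drop_delta(before, after):
    """Reasons whose counter rose between the two snapshots, largest increase first."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    moved = {k: n - b.get(k, 0) for k, n in a.items() if n > b.get(k, 0)}
    return sorted(moved.items(), key=lambda kv: -kv[1])


def explain(delta):
    return [f"{sec}: {reason} +{n}: {HINTS.get(reason, 'no hint for this reason')}"
            for (sec, reason), n in delta]


# Constructed snapshots in the style of the output quoted above (not copied from it).
BEFORE = """Frame drop:
  Flow is denied by configured rule (acl-drop)                   63
  First TCP packet not SYN (tcp-not-syn)                          2
  TCP data exceeded MSS (tcp-mss-exceeded)                     7668
  Interface is down (interface-down)                              2

Last clearing: Never
"""
AFTER = BEFORE.replace(" 7668", " 7673")               # one failing HTTP request later

if __name__ == "__main__":
    for line in explain(asp_drop_delta(BEFORE, AFTER)):
        print(line)
```

With the two constructed snapshots only the MSS counter rises, by 5, which is the signal the commenter needed; the 63 ACL drops and the 2 down-interface drops are history and stay out of the report. On a real box, `clear asp drop` between tests gives the same effect without the diff, but the diff works on pasted output too.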
May 7th, 2009 at 9:59 am
Hi,
I am new to GNS3; can someone help me regarding the issue below.
I am unable to delete a PIX link in GNS3, getting a "pemuwrapper does not support removal" error. Please help me with this as I am new to GNS3.
Regards,
AteeQ
September 3rd, 2009 at 10:20 am
Hello,
Having the same problem as the people above. Using PIX 8.0(3), I followed the instructions. I can ping internally but can't ping the Internet. My external gateway is 192.168.1.1 and I set my internal network to 10.1.1.1. Not sure if I have the settings correct :/. Any help would be appreciated. Here is what I typed into the PIX:
pixfirewall> en
Password:
pixfirewall# config t
pixfirewall(config)#
pixfirewall(config)# hostname peppi-pix
peppi-pix(config)#
peppi-pix(config)# domain-name peppi.net
peppi-pix(config)#
peppi-pix(config)# show run
: Saved
:
PIX Version 8.0(3)
!
hostname peppi-pix
domain-name peppi.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name peppi.net
pager lines 24
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
peppi-pix(config)# int e0
peppi-pix(config-if)#
peppi-pix(config-if)# no shut
peppi-pix(config-if)#
peppi-pix(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
peppi-pix(config-if)#
peppi-pix(config-if)# ip address 192.168.1.148 255.255.255.0
peppi-pix(config-if)#
peppi-pix(config-if)# int e1
peppi-pix(config-if)#
peppi-pix(config-if)# no shut
peppi-pix(config-if)#
peppi-pix(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
peppi-pix(config-if)#
peppi-pix(config-if)# ip address 10.1.1.1 255.255.255.0
peppi-pix(config-if)#
peppi-pix(config-if)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
peppi-pix(config)#
peppi-pix(config)# nat (inside) 1 10.1.1.0 255.255.255.0
peppi-pix(config)#
peppi-pix(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
peppi-pix(config)#
peppi-pix(config)# wr mem
Building configuration…
Cryptochecksum: 1afbcdd2 6b9d18ee 7655cc19 154b01cb
1589 bytes copied in 5.770 secs (317 bytes/sec)
[OK]
peppi-pix(config)#
peppi-pix(config)# ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/40 ms
peppi-pix(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
peppi-pix(config)# ping 192.168.1.148
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.148, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
peppi-pix(config)# ping 192.168.1.170
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.170, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
peppi-pix(config)# ping 192.168.1.177
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.177, timeout is 2 seconds:
?????
Thanks again.
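The configs posted in this thread (pixar's running-config above, peppi's transcript just above, and the static/access-list pair in the December 9 comment) all fail for one of a handful of reasons that can be checked mechanically before anyone starts pinging. The Python below is an added example written for this page, not code from the blog post, from GNS3/PEMU or from Cisco: it parses the few PIX 7.x/8.x commands that matter for a two-interface PAT firewall and reports interfaces that are shut down or unnamed, a missing or off-subnet default route, a `nat` with no matching `global`, missing `inspect icmp`, and a port-forwarding `static` with no `access-group` permitting it on the mapped interface. The sample config is constructed and modelled on the ones in the comments; ports in the ACL are compared textually ("81" matches `eq 81` but not a named port such as `www`).

```python
"""Lint a PIX 7.x/8.x running-config for the mistakes raised in this thread.
Added example for this page, not code from the blog post, from GNS3/PEMU or from Cisco."""
import ipaddress
import re


def parse_pix_config(text):
    cfg = {"interfaces": {}, "nat": set(), "global": set(), "defaults": [], "statics": [], "acl": {}, "access_group": {}, "inspect": set()}
    cur = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s[0] in "!:":
            cur = None                                  # '!' closes an interface block
            continue
        w = s.split()
        if w[0] == "interface" and len(w) == 2:
            cur = cfg["interfaces"].setdefault(w[1], {"shutdown": False, "nameif": None, "ip": None})
            continue
        if cur is not None and w[0] in {"shutdown", "nameif", "security-level", "ip", "no"}:
            if s == "shutdown":
                cur["shutdown"] = True
            elif w[0] == "nameif":
                cur["nameif"] = w[1]
            elif w[:2] == ["ip", "address"]:
                cur["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            continue                                    # 'no nameif' etc. keep the defaults
        cur = None
        if m := re.match(r"nat \((\S+)\) (\d+)", s):
            cfg["nat"].add((m[1], m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+)", s):
            cfg["global"].add((m[1], m[2]))
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", s):
            cfg["defaults"].append((m[1], m[2]))        # (interface, gateway)
        elif m := re.match(r"static \((\S+),(\S+)\) (tcp|udp) \S+ (\S+) (\S+) (\S+)", s):
            cfg["statics"].append(m.groups())           # real_if, mapped_if, proto, mapped_port, real_ip, real_port
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", s):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3], m[4].split()))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", s):
            cfg["access_group"][m[2]] = m[1]
        elif w[0] == "inspect":
            cfg["inspect"].add(w[1])
    return cfg


def acl_opens(entry, proto, dport):
    action, acl_proto, rest = entry                     # the destination port follows the last 'eq'
    if action != "permit" or acl_proto not in (proto, "ip"):
        return False
    return "eq" not in rest or rest[len(rest) - rest[::-1].index("eq")] == dport


def check_pix_config(text):
    """Return findings; an empty list means none of the thread's symptoms come from the config."""
    cfg, out, named = parse_pix_config(text), [], {}
    for phys, i in cfg["interfaces"].items():
        if i["nameif"] is None:
            continue                                    # unnamed interfaces pass no traffic anyway
        named[i["nameif"]] = i
        if i["shutdown"] or i["ip"] is None:
            out.append(f"{phys} ({i['nameif']}) is shutdown or has no ip address")
    out += [f"no interface is named {r}" for r in ("inside", "outside") if r not in named]
    if not cfg["defaults"]:
        out.append("no default route: the PIX cannot reach the Internet gateway")
    for ifname, gw in cfg["defaults"]:                  # the gateway must sit on that interface's subnet
        i = named.get(ifname)
        if i and i["ip"] and ipaddress.ip_address(gw) not in i["ip"].network:
            out.append(f"default gateway {gw} is not on the {ifname} subnet {i['ip'].network}")
    for ifname, nat_id in sorted(cfg["nat"]):           # nat 0 is identity NAT and needs no global
        if nat_id != "0" and not any(g[1] == nat_id for g in cfg["global"]):
            out.append(f"nat ({ifname}) {nat_id} has no matching global: inside hosts are not translated")
    if "icmp" not in cfg["inspect"]:
        out.append("icmp is not inspected: pings through the PIX get no reply unless an ACL lets echo-reply back in")
    for real_if, mapped_if, proto, mport, real_ip, rport in cfg["statics"]:
        acl = cfg["acl"].get(cfg["access_group"].get(mapped_if), [])
        if not any(acl_opens(e, proto, mport) for e in acl):
            out.append(f"static {proto}/{mport} -> {real_ip}:{rport} has no permit in an access-group on {mapped_if}")
    return out

# Constructed sample config, modelled on the ones posted in the comments (not copied from them).
WORKING = """interface Ethernet0
 nameif outside
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet1
 nameif inside
 ip address 10.1.1.5 255.255.255.0
!
access-list WEBIN extended permit tcp any any eq 81 log
access-group WEBIN in interface outside
static (inside,outside) tcp interface 81 10.1.1.20 81 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
policy-map global_policy
 class inspection_default
  inspect icmp
"""
# The same box before the ACL, global, default route and icmp inspection were added.
BROKEN = "\n".join(l for l in WORKING.splitlines() if not l.startswith(("access-", "global", "route", "  inspect")))
```

Paste the text of `show run` into `check_pix_config` and work down the list it returns. Against the constructed WORKING config it returns nothing; against BROKEN it reports the missing default route, the `nat` with no `global`, the missing `inspect icmp` and the `static` on port 81 that no `access-group` on outside permits, which is the combination of symptoms the thread keeps circling. The subnet check catches the case where the pemu outside address and the real router's address are not in the same network, which is the first thing to verify when the PIX can ping its own interfaces but not the gateway.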
September 3rd, 2009 at 11:54 am
Update: OK, stupid me. It looks like when you change the values in the Ethernet cards (loopback and the real card) you need to reboot your machine. Hope this helps someone.
October 5th, 2009 at 12:36 pm
I have the same problem as comments 2 and 12. I can't ping the default gateway ?????? and the traffic is not passing through the PIX.
Please help!!!
October 29th, 2009 at 7:31 pm
Hi Josh,
Like a lot of others, I am having the same problem: I cannot connect to the default gateway, which is my router's IP address.