Thursday, March 21, 2013

Why friends don't let friends buy Cisco ASA firewalls

Here's a piece of information that buyers of the Cisco ASA often miss: the ASA is a license-hungry device, filled with restrictions.

Take this for example, from an ASA5505 running 9.1.1-4:


ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.


Okay, so what does that really mean? Well, first let's look at our show version output:

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1515Z135
Running Permanent Activation Key: 0x65285667 0x9c212c13 0x7c505978 0xbaecc4d4 0xc231aa90
Configuration register is 0x1


Notice the "DMZ Restricted"? Hmm... I bet you didn't realize that.

Well, let's look at Cisco's website and the ASA5505 as they currently list it on the site as of today, 03/21/2013:

http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

I'm going to zero in on the Cisco "gotcha": take a look at the interface counts, and the virtual interface count, as listed in the specifications. Look very, very closely :)

[screenshot: ASA5505 data sheet specifications table, with the interface counts highlighted]

Okay, I'll help out some by highlighting the area (see above). It simply says 3 virtual interfaces. No hint or warning about any type of restriction. Let's look further into what's on the Cisco website:

[screenshot: ASA5505 feature listing on the Cisco website]

No restrictions, right? Wrong!

So what about the Base license, any clues in that? Well, let's look at it:

[screenshot: Base license description on the Cisco website]

Nothing here either :(


The warning posted earlier is basically saying: "you're screwed, because we (Cisco) are greedy and want to charge you for everything". You have 3 (virtual) interfaces, but you can't use them the way most people would think or expect to.


To wrap up my post:


Here are my current virtual interfaces:


asaken# show ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.110.1   255.255.255.0   CONFIG
Vlan2                    outside                xx.xx.1.175     255.255.255.0   DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.110.1   255.255.255.0   CONFIG
Vlan2                    outside                xx.xx.1.175     255.255.255.0   DHCP
asaken#



Route table:

Gateway of last resort is xx.xx.52.1 to network 0.0.0.0

C    192.168.110.0 255.255.255.0 is directly connected, inside
C    xx.xx.1.0 255.255.255.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via xx.52.1.1, outside
asaken# 


So I have a 2-interface model, a simple inside + outside on Vlan1 and Vlan2. In order to create a 3rd interface, I can only create it with forwarding disabled toward one of the existing two.

asaken(config-if)# no forward interface ?

interface mode commands/options:
  Vlan  Catalyst Vlans
asaken(config-if)# no forward interface vlan 1
asaken(config-if)#



Okay, fine. I picked my outside interface only, so inside can only speak to the outside, and my newly crafted inside1 can only speak to the outside.

!
interface Vlan3
 description inside1
 no forward interface Vlan1
 nameif inside1
 security-level 100
 ip address 192.168.111.1 255.255.255.0 



Okay, so now I have my 3rd interface, and can configure rules, policy and so on. We can configure the rest of the unit, with the exception that Vlan1 and Vlan3 will never talk. Let's explore that:

Here are my DHCP bindings for Vlan1 and Vlan3:


asaken# show dhcpd bind

IP address       Client Identifier        Lease expiration        Type

  192.168.110.2    0140.6c8f.0318.c4            3451 seconds    Automatic
  192.168.110.3    01c8.2a14.0567.78            3588 seconds    Automatic
  192.168.111.2    0140.6c8f.0318.c4            3516 seconds    Automatic
asaken#


And the route table:

Gateway of last resort is xx.xx.1.1 to network 0.0.0.0

C    192.168.110.0 255.255.255.0 is directly connected, inside
C    192.168.111.0 255.255.255.0 is directly connected, inside1
C    xx.xx.1.0 255.255.255.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.1.1, outside
asaken#


So if a host in Vlan3 (192.168.111.2) tries to ping the machines in Vlan1:

Last login: Thu Mar 21 05:19:21 on ttys000
KenENG009:~ kfelix$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
    ether 40:6c:8f:03:18:c4
    inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
    inet 192.168.111.2 netmask 0xffffff00 broadcast 192.168.111.255
    inet6 2001:db8::426c:8fff:fe03:18c4 prefixlen 64 autoconf
    inet6 2001:db8::ecd5:27ab:d636:ab62 prefixlen 64 autoconf temporary
    media: autoselect (100baseTX <full-duplex>)
    status: active


KenENG009:~ kfelix$ ping 192.168.110.3
PING 192.168.110.3 (192.168.110.3): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 192.168.110.3 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


KenENG009:~ kfelix$ ping 192.168.110.2
PING 192.168.110.2 (192.168.110.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.110.2 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss



And this is regardless of whether the two interfaces have the same security level, or whether we even permit traffic between interfaces at the same security level:

asaken# show run int vlan 1 | i security
 security-level 100
asaken# show run int vlan 3 | i security
 security-level 100
asaken# show run same-security-traffic
same-security-traffic permit inter-interface
asaken#


What I found out is happening: the firewall NATs you through, even though you would not expect this activity:

asaken# show xlate  interface inside1
19 in use, 441 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside1:192.168.111.2/55319 to outside:xx.xx.1.175/55319 flags ri idle 0:00:02 timeout 0:00:30
ICMP PAT from inside1:192.168.111.2/54807 to outside:xx.xx.1.175/54807 flags ri idle 0:00:04 timeout 0:00:30
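As an added example (this is not code from the original post, nor anything Cisco ships), here is a small Python script that parses the license table from "show version" and the VLAN stanzas from "show run", then reports whether a third named VLAN will be accepted under a "DMZ Restricted" Base license and which named VLANs can initiate traffic to which. The inputs are constructed from the output quoted above; the "at most 2 named VLANs without a no forward" rule is taken from the error message at the top of the post, and the one-way reading of "no forward interface" (the restricted VLAN cannot initiate toward the named VLAN, while the reverse direction is not blocked by that command) follows Cisco's documentation of the command and is an assumption of this example, not something the post itself verifies beyond the Vlan3-to-Vlan1 pings failing.

```python
"""Added example: check an ASA 5505 Base-license config against the
'DMZ Restricted' VLAN rule and map which named VLANs can initiate to which.
Not from the original post; the inputs below are constructed from it."""
import re

# Constructed sample: the license lines from 'show version' and the three
# VLAN stanzas from 'show run', modelled on the output quoted in the post.
LICENSE_TEXT = """\
Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
"""

RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description inside1
 no forward interface Vlan1
 nameif inside1
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
"""

# Rule observed in the ASA error message quoted in the post: a Base license
# allows at most two named VLANs that are not involved in a 'no forward'.
UNRESTRICTED_NAMED = 2

LICENSE_RE = re.compile(r"^(?P<feature>\S.*?)\s{2,}:\s+(?P<value>\S+)\s+(?P<note>.*)$")


def parse_license(text):
    """Map feature name -> (value, note) from the 'show version' license table."""
    feats = {}
    for line in text.splitlines():
        m = LICENSE_RE.match(line)
        if m:
            feats[m["feature"].strip()] = (m["value"], m["note"].strip())
    return feats


def parse_vlan_interfaces(text):
    """Map 'VlanN' -> {'nameif': str or None, 'no_forward': set of 'VlanM'}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (Vlan\d+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"nameif": None, "no_forward": set()})
        elif line == "!":
            cur = None
        elif cur is None:
            continue
        elif line.startswith("nameif "):
            cur["nameif"] = line.split(None, 1)[1]
        elif line.startswith("no forward interface "):
            cur["no_forward"].add(line.split()[-1])
    return ifaces


def check_license(feats, ifaces):
    """Return a list of problems; an empty list means the config fits the license."""
    problems = []
    vlan_limit, note = feats.get("VLANs", ("0", ""))
    named = {v: i for v, i in ifaces.items() if i["nameif"]}
    if len(named) > int(vlan_limit):
        problems.append(f"{len(named)} named VLANs exceed the license limit of {vlan_limit}")
    if "DMZ Restricted" in note and len(named) > UNRESTRICTED_NAMED:
        # the third nameif is only accepted if some named VLAN carries a
        # 'no forward interface' pointing at another named VLAN
        if not any(i["no_forward"] & set(named) for i in named.values()):
            problems.append(f"more than {UNRESTRICTED_NAMED} named VLANs but no "
                            "'no forward interface' between them; the ASA rejects the nameif")
    for v, i in named.items():
        for target in i["no_forward"] - set(named):
            problems.append(f"{v}: 'no forward interface {target}' points at an unnamed VLAN")
    return problems


def can_initiate(ifaces, src, dst):
    """Assumption (Cisco's description of the command): 'no forward interface X'
    on src stops hosts behind src from initiating traffic toward X, one way only."""
    return dst not in ifaces[src]["no_forward"]


def reachability(ifaces):
    """Directed map (src, dst) -> True/False over the named VLANs."""
    named = sorted(v for v, i in ifaces.items() if i["nameif"])
    return {(a, b): can_initiate(ifaces, a, b) for a in named for b in named if a != b}


if __name__ == "__main__":
    feats = parse_license(LICENSE_TEXT)
    ifaces = parse_vlan_interfaces(RUNNING_CONFIG)
    print("VLAN license:", feats["VLANs"])
    print("Problems:", check_license(feats, ifaces) or "none")
    for (a, b), ok in sorted(reachability(ifaces).items()):
        print(f"{a} ({ifaces[a]['nameif']}) -> {b} ({ifaces[b]['nameif']}): "
              f"{'ok' if ok else 'BLOCKED'}")
```

Run it against a pasted "show version" and "show run" before buying or deploying: with the config above it reports no license problems and shows Vlan3 -> Vlan1 as blocked, and if you delete the "no forward interface Vlan1" line it flags that the third nameif will be refused, which is exactly the error at the top of this post.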



So plan accordingly if you're going to buy a Cisco ASA product. You will run into hurdles and limitations. Cisco's main goal, as I see it:

  •  is for you to forklift into a bigger chassis 
or
  •  purchase some type of license-enhancement upgrade

Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed  d-o-t com

Friends don't let friends buy ASA :)
