AnandTech Forums > Hardware and Technology > Networking
Old 02-12-2013, 11:57 AM   #1
azev
Golden Member
Join Date: Jan 2001
Posts: 1,003
Locating Firewall in a large network

I am curious if anyone here knows of an easy way to identify a Cisco firewall within a network without having any diagram or any information about the network.

I use CDP to identify most of the network devices connected to a switch, router, etc., but unfortunately CDP/LLDP cannot be enabled on an ASA.

Other than using the firewall's MAC address and then hunting for where that MAC resides, is there a better way to do this?
Old 02-12-2013, 12:21 PM   #2
imagoon
Diamond Member
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,787
On those you have to search via MAC address. If you have CiscoWorks or Cisco Prime you can execute a network-wide search for it also. Make sure to search inside the proper VLAN also, since MAC is not routable.
Old 02-12-2013, 03:34 PM   #3
mparr1708
Senior Member
Join Date: Jan 2005
Posts: 258
I'd probably use NMAP. With that you can at least identify it as a Cisco device. Most everything else Cisco supports CDP, so you can use process of elimination to figure out which is the ASA.

Also, once you narrow it down you can just enter the IP address into a browser using HTTPS. If the firewall admin didn't turn it off, you should see a landing page asking you to download ASDM. If you see that, you are hitting an ASA.
Old 02-12-2013, 04:45 PM   #4
imagoon
Diamond Member
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,787
Quote:
Originally Posted by mparr1708
Most everything else Cisco supports CDP

ASAs don't.

I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.

Tracert to the internet and see where the packets go from a private to a public IP, and there you are.
Old 02-12-2013, 11:24 PM   #5
Lithium381
Lifer
Join Date: May 2001
Location: Bay Area, CA
Posts: 12,466
You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
imagoon - Cisco ASAs aren't always used simply as an edge NAT device.

You're also assuming it's not silently dropping your packets and it's transparent...

You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...
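As an added example (not code from any poster in this thread), the hop-by-hop MAC trace Lithium381 describes, automated over constructed 'show arp' and 'show mac address-table' output: the script follows the learned port from switch to switch while CDP reports a neighbor on that port, and stops at the first port with no CDP neighbor, which, since an ASA does not speak CDP, is the edge port the firewall is cabled to. Switch names, ports, addresses and CDP tables are all made up for the example.

```python
import re
# Constructed sample outputs for a three-switch path; not captured from a real network.
SWITCHES = {
    "core1": {"mac_table": "Vlan  Mac Address     Type     Ports\n"
                           "  10  0026.0b8f.1a2c  DYNAMIC  Gi1/0/24\n"
                           "  10  0011.2233.4455  DYNAMIC  Gi1/0/3\n",
              "cdp": {"Gi1/0/24": "dist2"}},
    "dist2": {"mac_table": "Vlan  Mac Address     Type     Ports\n"
                           "  10  0026.0b8f.1a2c  DYNAMIC  Gi0/12\n",
              "cdp": {"Gi0/1": "core1", "Gi0/12": "access3"}},
    "access3": {"mac_table": "Vlan  Mac Address     Type     Ports\n"
                             "  10  0026.0b8f.1a2c  DYNAMIC  Fa0/7\n",
                "cdp": {"Gi0/1": "dist2"}},
}
ARP_OUTPUT = (
    "Protocol  Address     Age (min)  Hardware Addr   Type  Interface\n"
    "Internet  10.1.10.1           0  0026.0b8f.1a2c  ARPA  Vlan10\n"
    "Internet  10.1.10.50          3  0011.2233.4455  ARPA  Vlan10\n"
)
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

def mac_for_ip(arp_text, ip):
    """Resolve an IP to its MAC from 'show arp' output (IOS dotted-hex format)."""
    for line in arp_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "Internet" and cols[1] == ip:
            m = MAC_RE.fullmatch(cols[3].lower())
            return m.group(0) if m else None
    return None

def port_for_mac(mac_table_text, mac):
    """Return the port a MAC was learned on, from 'show mac address-table' output."""
    for line in mac_table_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[1].lower() == mac.lower():
            return cols[3]
    return None

def trace_mac(switches, start, mac):
    """Follow a MAC switch to switch via CDP neighbors; the first learned port with
    no CDP neighbor is the edge. Returns (hops_visited, (switch, port) or None)."""
    path, switch, seen = [], start, set()
    while switch in switches and switch not in seen:
        seen.add(switch)                  # guard against a CDP loop
        port = port_for_mac(switches[switch]["mac_table"], mac)
        if port is None:
            break                         # MAC not learned here: trail went cold
        path.append((switch, port))
        if port not in switches[switch]["cdp"]:
            return path, (switch, port)   # no CDP neighbor: final hop
        switch = switches[switch]["cdp"][port]
    return path, None
```

In a real environment the three `SWITCHES` entries would be replaced by the output of the same two show commands collected from each hop, and the ARP lookup would run on the L3 device that owns the VLAN.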
Old 02-13-2013, 07:25 AM   #6
imagoon
Diamond Member
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,787
Quote:
Originally Posted by Lithium381
You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
imagoon - Cisco ASAs aren't always used simply as an edge NAT device.

You're also assuming it's not silently dropping your packets and it's transparent...

You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...

I also assume that IT would know the management IP address.

No one runs them as pure L2, because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is into that level of pain.

Granted, the OP has an entirely undocumented network, so.....

Last edited by imagoon; 02-13-2013 at 07:32 AM.
Old 02-13-2013, 09:01 AM   #7
mparr1708
Senior Member
Join Date: Jan 2005
Posts: 258
Quote:
Originally Posted by imagoon
ASAs don't.

I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.

Tracert to the internet and see where the packets go from a private to a public IP, and there you are.

Which is why I said most everything else. I.e., use CDP to identify the rest. What you have left over narrows your pool of possible devices. Use NMAP to figure out which are Cisco devices. Try to hit a web-based interface and see if you get lucky.
Old 02-13-2013, 09:48 AM   #8
Lithium381
Lifer
Join Date: May 2001
Location: Bay Area, CA
Posts: 12,466
Quote:
Originally Posted by imagoon
I also assume that IT would know the management IP address.

No one runs them as pure L2, because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is into that level of pain.

Granted, the OP has an entirely undocumented network, so.....

Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.
Old 02-13-2013, 10:09 AM   #9
imagoon
Diamond Member
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,787
Quote:
Originally Posted by Lithium381
Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.

True, but you would hope they would have a network map at that point!
Old 02-13-2013, 02:21 PM   #10
azev
Golden Member
Join Date: Jan 2001
Posts: 1,003
Thanks for the input guys. So far what I've been doing is exactly what you guys posted: find the MAC address and then search for it in the switch where I think it is plugged into. I wish there were a better and quicker way to do this, but it looks like there isn't any.
Old 02-13-2013, 10:01 PM   #11
fyb3r
Member
Join Date: Feb 2013
Location: TX
Posts: 32
Use the Belarc free scan at www.belarc.com

See if that will get you what you need.