Locating Firewall in a large network

#1 | 02-12-2013, 11:57 AM | Golden Member | Join Date: Jan 2001 | Posts: 1,000
I am curious if anyone here knows of an easy way to identify a Cisco firewall within a network without having any diagram or any information about the network.
I use CDP to identify most of the network devices connected to a switch, router, etc., but unfortunately CDP/LLDP cannot be enabled on an ASA.
Other than using the firewall's MAC address and then hunting for where that MAC resides, is there a better way to do this?
#2 | 02-12-2013, 12:21 PM | imagoon | Diamond Member | Join Date: Feb 2003 | Location: Chicagoland, IL | Posts: 3,497
On those you have to search via MAC address. If you have CiscoWorks or Cisco Prime you can execute a network-wide search for it also. Make sure to search inside the proper VLAN also, since a MAC is not routable.
#3 | 02-12-2013, 03:34 PM | mparr1708 | Senior Member | Join Date: Jan 2005 | Posts: 251
I'd probably use Nmap. With that you can at least identify it as a Cisco device. Most everything else Cisco supports CDP, so you can use process of elimination to figure out which is the ASA.
Also, once you narrow it down you can just enter the IP address into a browser using HTTPS. If the firewall admin didn't turn it off, you should see a landing page asking you to download ASDM. If you see that, you are hitting an ASA.
#4 | 02-12-2013, 04:45 PM | imagoon | Diamond Member | Join Date: Feb 2003 | Location: Chicagoland, IL | Posts: 3,497
> Originally Posted by mparr1708:
> Most everything else Cisco supports CDP

ASAs don't.
I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.
Tracert to the internet and see where the packets go from a private to a public IP, and there you are.
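The traceroute trick above, worked through in code. This is an added example and not something posted in the thread; the traceroute output it parses is constructed, with documentation addresses standing in for the public side. It finds the hop where the path crosses from RFC 1918 space to public space, and it keeps timed-out hops in the numbering, because a firewall that drops ICMP time-exceeded shows up as exactly such a silent hop right before the first public address. What it locates is the NAT device; that is the ASA only if the ASA is doing the NAT in routed mode.

```python
import ipaddress
import re

# RFC 1918 space; "private" in the post means these ranges, so the test is
# explicit rather than ipaddress's is_private (which would also flag the
# documentation nets used as "public" addresses in the sample below).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOPNUM_RE = re.compile(r"^\s*(\d+)\s")

# Constructed sample output (Linux traceroute style, not from the thread).
# Hop 3 never answers: that is what a firewall that drops ICMP time-exceeded
# looks like, and it is the hop you are trying to find.
SAMPLE_TRACE = """\
traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  10.20.1.1 (10.20.1.1)  0.412 ms  0.398 ms  0.380 ms
 2  10.0.0.254 (10.0.0.254)  1.203 ms  1.190 ms  1.177 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  8.915 ms  8.902 ms  8.890 ms
 5  198.51.100.10 (198.51.100.10)  12.310 ms  12.290 ms  12.275 ms
"""


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_hops(text):
    """Return [(hop_number, IPv4Address or None), ...] from Linux traceroute
    or Windows tracert output. Timed-out hops are kept as None so the hop
    numbering survives; header and footer lines (no leading hop number)
    are skipped. The first IPv4 address on a line is taken, which covers
    both "host (ip)" and "host [ip]" layouts."""
    hops = []
    for line in text.splitlines():
        m = HOPNUM_RE.match(line)
        if not m:
            continue
        num = int(m.group(1))
        ips = IPV4_RE.findall(line)
        if ips:
            hops.append((num, ipaddress.ip_address(ips[0])))
        elif "*" in line:
            hops.append((num, None))
    return hops


def find_nat_boundary(hops):
    """Locate the private-to-public transition.

    Returns None if the trace never crosses from RFC 1918 space to public
    space (it starts on a public address, or every hop after the private
    side is silent). Otherwise returns the last private hop, the first
    public hop, the silent hops between them, and the hop numbers that can
    be the NAT device: the last private hop (its inside interface answered)
    or any silent hop after it."""
    last_private, silent = None, []
    for num, ip in hops:
        if ip is None:
            if last_private is not None:
                silent.append(num)
            continue
        if is_rfc1918(ip):
            last_private, silent = (num, ip), []
        elif last_private is not None:
            return {
                "last_private": last_private,
                "first_public": (num, ip),
                "silent_between": silent,
                "nat_hop_candidates": [last_private[0]] + silent,
            }
    return None


if __name__ == "__main__":
    print(find_nat_boundary(parse_hops(SAMPLE_TRACE)))
```

For the sample trace the result names hop 2 (10.0.0.254, the last private address) and silent hop 3 as the candidates; hop 4 is the first public address. If the firewall is transparent (L2 bridging) it never decrements the TTL and will not appear at all, and the boundary found is the next routed device upstream of it.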
#5 | 02-12-2013, 11:24 PM | Lithium381 | Lifer | Join Date: May 2001 | Location: Bay Area, CA | Posts: 11,619
You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
imagoon - Cisco ASAs aren't always used simply as an edge NAT device.
You're also assuming it's not silently dropping your packets and it's transparent...
You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...
__________________
"This action has caused a division of the people into classes: Those the government deems valuable enough to protect with modern firearms, and those whose lives have been deemed as having less value, and whom the government has decided do not deserve the right to protect themselves with the same firearms." Olympic Arms > NY
"I saw a movie once where only the police and military had guns; it was called Schindler's List"
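The hop-by-hop chase described above, automated. This is an added example, not code from the thread: it takes the text of "show mac address-table address <mac>" and "show cdp neighbors" from each switch (constructed output for three switches is embedded here; in real use each entry would be collected over SSH) and follows the port on which the MAC was learned. Where that port has a CDP neighbor that is a switch it jumps to it; where the port has no CDP neighbor at all it stops, because a device that does not speak CDP, such as an ASA, is cabled there. The switch names and interface numbers are invented, and the ARP step (IP to MAC) is assumed to have been done already.

```python
import re

# One data row of "show mac address-table": vlan, mac, type, port.
MAC_ROW = re.compile(r"^\s*(?:\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)")
# One row of "show cdp neighbors": device, local intf, holdtime, capabilities, platform, port id.
# Long device IDs that wrap onto two lines in real output are not handled here.
CDP_ROW = re.compile(r"^(\S+)\s+([A-Za-z]+)\s*([\d/.]+)\s+\d+\s+(.*?)\s+(\S+)\s+([A-Za-z]+)\s*([\d/.]+)\s*$")

MAC_HDR = "Vlan    Mac Address       Type        Ports\n----    -----------       --------    -----\n"
CDP_HDR = "Device ID               Local Intrfce     Holdtme    Capability  Platform  Port ID\n"

# Constructed CLI output for three switches (not from the thread). The MAC
# 0011.2233.4455 is the device being hunted; the phone on access-sw3 Gi0/2
# shows how a non-switch CDP neighbour is treated.
SWITCHES = {
    "core-sw1": {
        "mac": MAC_HDR + "  10    0011.2233.4455    DYNAMIC     Gi1/0/48\n",
        "cdp": CDP_HDR + "dist-sw2.corp.example   Gig 1/0/48        155             S I     WS-C3750  Gig 1/0/1\n",
    },
    "dist-sw2": {
        "mac": MAC_HDR + "  10    0011.2233.4455    DYNAMIC     Gi1/0/24\n",
        "cdp": CDP_HDR
        + "core-sw1.corp.example   Gig 1/0/1         170           R S I     WS-C6509  Gig 1/0/48\n"
        + "access-sw3.corp.example Gig 1/0/24        140             S I     WS-C2960  Gig 0/1\n",
    },
    "access-sw3": {
        "mac": MAC_HDR
        + "  10    0011.2233.4455    DYNAMIC     Gi0/12\n"
        + "  10    0022.aabb.ccdd    DYNAMIC     Gi0/2\n",
        "cdp": CDP_HDR
        + "dist-sw2.corp.example   Gig 0/1           140             S I     WS-C3750  Gig 1/0/24\n"
        + "SEP0022AABBCCDD         Gig 0/2           120             H P     CP-7960   Port 1\n",
    },
}


def norm_intf(name):
    """Collapse 'GigabitEthernet1/0/48', 'Gig 1/0/48' and 'Gi1/0/48' to 'gi1/0/48'
    so that MAC-table and CDP port names compare equal."""
    m = re.match(r"^\s*([A-Za-z]+)\s*([\d/.]+)\s*$", name)
    if not m:
        raise ValueError("not an interface name: %r" % name)
    return m.group(1)[:2].lower() + m.group(2)


def norm_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return the
    dotted form IOS prints."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def mac_port(mac_table_text, mac):
    """Port on which this switch learned the MAC, or None if it is not in the table."""
    for line in mac_table_text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(1) == mac:
            return norm_intf(m.group(2))
    return None


def cdp_neighbors(cdp_text):
    """Map local interface -> (device id, capability codes, remote port)."""
    nbrs = {}
    for line in cdp_text.splitlines():
        m = CDP_ROW.match(line)
        if m:
            nbrs[norm_intf(m.group(2) + m.group(3))] = (m.group(1), m.group(4), norm_intf(m.group(6) + m.group(7)))
    return nbrs


def _resolve(switches, device_id):
    """CDP reports FQDNs; the collection is keyed by short hostname."""
    if device_id in switches:
        return device_id
    short = device_id.split(".")[0]
    return short if short in switches else None


def locate_mac(mac, start, switches, max_hops=32):
    """Walk from `start` towards the port where `mac` is physically attached.

    Returns (path, verdict): path lists the (switch, port) pairs on which the
    MAC was seen. The walk stops at the first port with no CDP neighbour (an
    ASA does not speak CDP, so that is the edge port), at a non-switch
    neighbour, or when the next switch's output was not collected."""
    mac = norm_mac(mac)
    path, seen, cur = [], set(), start
    while cur in switches and cur not in seen and len(path) < max_hops:
        seen.add(cur)
        port = mac_port(switches[cur]["mac"], mac)
        if port is None:
            return path, "%s has not learned %s: wrong VLAN, or entry aged out (ping the host and retry)" % (cur, mac)
        path.append((cur, port))
        nbr = cdp_neighbors(switches[cur]["cdp"]).get(port)
        if nbr is None:
            return path, "edge port: no CDP neighbour on %s %s, the device is cabled here" % (cur, port)
        device_id, caps, remote_port = nbr
        if "S" not in caps.split():
            return path, "behind non-switch CDP neighbour %s (capabilities %s) on %s %s" % (device_id, caps, cur, port)
        nxt = _resolve(switches, device_id)
        if nxt is None:
            return path, "next hop %s (its %s) was not collected" % (device_id, remote_port)
        cur = nxt
    return path, "loop, hop limit or unknown switch at %s" % cur
```

Running locate_mac("00:11:22:33:44:55", "core-sw1", SWITCHES) on the sample walks core-sw1 Gi1/0/48 to dist-sw2 Gi1/0/24 to access-sw3 Gi0/12 and stops there with the edge-port verdict; the same lookup for the phone's MAC stops at access-sw3 Gi0/2 because the neighbour on that port is not a switch. A MAC that no switch has learned returns an empty path, which in practice means you are in the wrong VLAN or the entry has aged out and the device needs to be made to send a frame first.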
#6 | 02-13-2013, 07:25 AM | imagoon | Diamond Member | Join Date: Feb 2003 | Location: Chicagoland, IL | Posts: 3,497
> Originally Posted by Lithium381:
> You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
> imagoon - Cisco ASAs aren't always used simply as an edge NAT device.
> You're also assuming it's not silently dropping your packets and it's transparent...
> You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...

I also assume that IT would know the management IP address.
No one runs them as pure L2, because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is into that level of pain.
Granted, the OP has an entirely undocumented network, so.....
Last edited by imagoon; 02-13-2013 at 07:32 AM.
#7 | 02-13-2013, 09:01 AM | mparr1708 | Senior Member | Join Date: Jan 2005 | Posts: 251
> Originally Posted by imagoon:
> ASAs don't.
> I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.
> Tracert to the internet and see where the packets go from a private to a public IP, and there you are.

Which is why I said most everything else, i.e. use CDP to identify the rest. What you have left over narrows your pool of possible devices. Use Nmap to figure out which are Cisco devices. Try to hit a web-based interface and see if you get lucky.
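The elimination in this post and in #3, written down as code. This is an added example and not from the thread: it reads the XML that "nmap -O -oX" writes (the scan output below is constructed, including the four hosts, their MACs and the OS matches), keeps the hosts Nmap attributes to Cisco by MAC vendor or OS fingerprint, drops the ones already accounted for by CDP (the set of neighbour IPs is constructed too; it would come from "show cdp neighbors detail"), and marks which of the survivors have TCP 443 open so they can be checked for the ASDM landing page. The page check itself is a string heuristic and an assumption: it only looks for "ASDM" in the returned HTML, and the sample HTML is invented. Note that Nmap can only report a MAC vendor for hosts on the scanner's own L2 segment; for routed hosts the OS match is all you get.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (not from the thread): a switch, a Windows
# server, an IP phone and the device we are looking for.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -O -sS -p 22,80,443 -oX - 10.0.0.0/24">
<host><status state="up" reason="arp-response"/>
  <address addr="10.0.0.1" addrtype="ipv4"/>
  <address addr="00:1A:2B:3C:4D:5E" addrtype="mac" vendor="Cisco Systems"/>
  <ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port></ports>
  <os><osmatch name="Cisco Catalyst switch (IOS 12.2)" accuracy="96"><osclass type="switch" vendor="Cisco" osfamily="IOS" accuracy="96"/></osmatch></os>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="10.0.0.2" addrtype="ipv4"/>
  <address addr="00:22:33:44:55:66" addrtype="mac" vendor="Dell"/>
  <ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port></ports>
  <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="98"><osclass type="general purpose" vendor="Microsoft" osfamily="Windows" accuracy="98"/></osmatch></os>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="10.0.0.3" addrtype="ipv4"/>
  <address addr="00:1B:2C:3D:4E:5F" addrtype="mac" vendor="Cisco Systems"/>
  <ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port></ports>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="10.0.0.254" addrtype="ipv4"/>
  <address addr="00:1C:2D:3E:4F:60" addrtype="mac" vendor="Cisco Systems"/>
  <ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
         <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port></ports>
  <os><osmatch name="Cisco Adaptive Security Appliance" accuracy="90"><osclass type="firewall" vendor="Cisco" osfamily="ASA" accuracy="90"/></osmatch></os>
</host>
</nmaprun>
"""

# Constructed: neighbour IPs gathered from "show cdp neighbors detail" on the
# switches. Anything CDP already explained is not the ASA.
CDP_KNOWN = {"10.0.0.1", "10.0.0.3"}

# Constructed stand-in for what an ASA's HTTPS root page might contain.
SAMPLE_ASDM_HTML = "<html><head><title>Cisco ASDM 7.1(1)</title></head><body>Install ASDM Launcher</body></html>"


def parse_nmap_hosts(xml_text):
    """Flatten each <host> of an nmap XML report into a dict."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        ip, mac, vendor = None, None, ""
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac, vendor = a.get("addr"), a.get("vendor", "")
        open_ports = sorted(
            int(p.get("portid")) for p in h.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        )
        hosts.append({
            "ip": ip, "mac": mac, "vendor": vendor,
            "os": [m.get("name", "") for m in h.iter("osmatch")],
            "os_vendors": [c.get("vendor", "") for c in h.iter("osclass")],
            "open": open_ports,
        })
    return hosts


def is_cisco(host):
    """Cisco by MAC OUI vendor (same L2 segment only) or by OS fingerprint."""
    fields = [host["vendor"]] + host["os"] + host["os_vendors"]
    return any("cisco" in f.lower() for f in fields)


def asa_candidates(hosts, cdp_known_ips):
    """Cisco hosts that CDP did not account for; flag those worth an HTTPS check."""
    out = []
    for h in hosts:
        if is_cisco(h) and h["ip"] not in cdp_known_ips:
            c = dict(h)
            c["check_https"] = 443 in h["open"]
            out.append(c)
    return out


def looks_like_asdm(html):
    """Heuristic (assumption, not verified against a real ASA): the ASDM
    landing page names ASDM in the HTML it returns."""
    return "asdm" in html.lower()


if __name__ == "__main__":
    for c in asa_candidates(parse_nmap_hosts(SAMPLE_NMAP_XML), CDP_KNOWN):
        print(c["ip"], c["mac"], c["os"], "https:", c["check_https"])
```

On the sample, three hosts look like Cisco, two of them are CDP neighbours, and 10.0.0.254 with 443 open is what is left to browse to. In a real run the HTML for looks_like_asdm would come from an HTTPS GET against the candidate with certificate verification turned off, since an ASA's default certificate is self-signed.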
#8 | 02-13-2013, 09:48 AM | Lithium381 | Lifer | Join Date: May 2001 | Location: Bay Area, CA | Posts: 11,619
> Originally Posted by imagoon:
> I also assume that IT would know the management IP address.
> No one runs them as pure L2, because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is into that level of pain.
> Granted, the OP has an entirely undocumented network, so.....

Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.
#9 | 02-13-2013, 10:09 AM | imagoon | Diamond Member | Join Date: Feb 2003 | Location: Chicagoland, IL | Posts: 3,497
> Originally Posted by Lithium381:
> Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.

True, but you would hope they would have a network map at that point!
#10 | 02-13-2013, 02:21 PM | Golden Member | Join Date: Jan 2001 | Posts: 1,000
Thanks for the input, guys. So far what I've been doing is exactly what you've posted: find the MAC address and then search for it in the switch where I think it is plugged in. I wish there were a better and quicker way to do this, but it looks like there isn't any.
#11 | 02-13-2013, 10:01 PM | Junior Member | Join Date: Feb 2013 | Location: TX | Posts: 17
Use the Belarc free scan at www.belarc.com
see if that will get you what you need.