Locating Firewall in a large network

Discussion in 'Networking' started by azev, Feb 12, 2013.

  1. azev

    azev Golden Member

    Joined:
    Jan 27, 2001
    Messages:
    1,003
    Likes Received:
    0
    I am curious if anyone here knows of an easy way to identify a cisco firewall within a network without having any diagram or any information about the network.

    I use CDP to identify most of the network devices connected to a switch, router, etc., but unfortunately no CDP/LLDP can be enabled on an ASA.

    Other than using the firewall's MAC address and then hunting for where that MAC resides, is there a better way to do this?
     

  3. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    On those you have to search via MAC address. If you have CiscoWorks or Cisco Prime you can execute a network-wide search for it also. Make sure to search inside the proper VLAN also, since a MAC is not routable.
     
  4. mparr1708

    mparr1708 Senior member

    Joined:
    Jan 5, 2005
    Messages:
    258
    Likes Received:
    0
    I'd probably use Nmap. With that you can at least identify it as a Cisco device. Most everything else Cisco supports CDP, so you can use process of elimination to figure out which is the ASA.

    Also, once you narrow it down you can just enter the IP address into a browser using HTTPS. If the firewall admin didn't turn it off, you should see a landing page asking you to download ASDM. If you see that, you are hitting an ASA.
     
  5. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    ASAs don't.

    I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.

    Tracert to the internet and see where the packets go from a private to a public IP, and there you are.
     
  6. Lithium381

    Lithium381 Lifer

    Joined:
    May 12, 2001
    Messages:
    12,465
    Likes Received:
    2
    You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode.
    imagoon - Cisco ASAs aren't always used simply as an edge NAT device.

    You're also assuming it's not silently dropping your packets and it's transparent.

    You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on.
     
  7. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    I also assume that IT would know the management IP address.

    No one runs them as pure L2 because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is into that level of pain.

    Granted, the OP has an entirely undocumented network, so.....
     
    #6 imagoon, Feb 13, 2013
    Last edited: Feb 13, 2013
  8. mparr1708

    mparr1708 Senior member

    Joined:
    Jan 5, 2005
    Messages:
    258
    Likes Received:
    0
    Which is why I said most everything else, i.e. use CDP to identify the rest. What you have left over narrows your pool of possible devices. Use Nmap to figure out which are Cisco devices. Try to hit a web-based interface and see if you get lucky.
     
  9. Lithium381

    Lithium381 Lifer

    Joined:
    May 12, 2001
    Messages:
    12,465
    Likes Received:
    2
    Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.
     
  10. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    True but you would hope they would have a network map at that point! :D
     
  11. azev

    azev Golden Member

    Joined:
    Jan 27, 2001
    Messages:
    1,003
    Likes Received:
    0
    Thanks for the input guys; so far what I've been doing is exactly what you guys posted. Find the MAC address and then search for it in the switch I think it is plugged into. I wish there were a better and quicker way to do this, but it looks like there isn't any.
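    The hop-by-hop MAC hunt that Lithium381 describes ('sh mac-ad' on one switch, follow the uplink, repeat) and that azev confirms above is mechanical enough to script. The following is an added example, not code from anyone in this thread: it parses the Cisco IOS "show mac address-table" and "show cdp neighbors" output formats, looks up where a switch learned the MAC, and, if that port has a CDP neighbour, hops to that neighbour and repeats until it reaches an edge port. The device outputs below are constructed samples (switch names, MACs and ports are made up); in practice you would paste in, or collect over your own CLI sessions, the real output of each switch. The result carries the VLAN, since, as imagoon notes, the MAC only exists inside its VLAN.

```python
import re

# Constructed sample output modelled on Cisco IOS "show mac address-table" and
# "show cdp neighbors". Not captures from the thread; every name is made up.
SWITCHES = {
    "core1": {
        "mac_table": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
  10    aabb.cc00.0101    DYNAMIC     Gi1/0/48
  20    aabb.cc00.0202    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 3
""",
        "cdp": """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
access2          Gig 1/0/48        160          S I       WS-C2960  Gig 0/24
""",
    },
    "access2": {
        "mac_table": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/7
  10    aabb.cc00.0101    DYNAMIC     Gi0/9
""",
        "cdp": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core1            Gig 0/24          150          S I       WS-C3750  Gig 1/0/48
""",
    },
}

# One MAC table row: vlan, dotted MAC, type, port.
MAC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)",
    re.I | re.M,
)
# One single-line CDP neighbour row (long device IDs that wrap onto a second
# line in real output are not handled by this sample parser).
CDP_RE = re.compile(
    r"^(?P<dev>\S+)\s+(?P<local>[A-Za-z]+ ?\d[\d/]*)\s+(?P<hold>\d+)\s+"
    r".*?(?P<remote>[A-Za-z]+ ?\d[\d/]*)\s*$"
)


def to_cisco_mac(mac):
    """Normalise 00:11:22:33:44:55 / 00-11-... / 0011.2233.4455 to dotted form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def canon_port(name):
    """'Gig 1/0/48', 'Gi1/0/48' and 'GigabitEthernet1/0/48' all become 'gi1/0/48'."""
    m = re.match(r"\s*([A-Za-z]+)\s*(\d[\d/]*)", name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    return m.group(1)[:2].lower() + m.group(2)


def find_mac(mac_table, mac):
    """Return (vlan, port) where this switch learned the MAC, or None."""
    target = to_cisco_mac(mac)
    for vlan, learned, port in MAC_RE.findall(mac_table):
        if learned.lower() == target:
            return int(vlan), port
    return None


def cdp_neighbor_on(cdp_output, port):
    """Return (neighbour device, neighbour port) if a CDP neighbour is on port, else None."""
    for line in cdp_output.splitlines():
        m = CDP_RE.match(line)
        if m and canon_port(m.group("local")) == canon_port(port):
            return m.group("dev"), m.group("remote")
    return None


def trace_mac(mac, start, switches=SWITCHES):
    """Walk from `start` toward the MAC, hopping across CDP-learned uplinks.

    Returns (path, location): path is the list of (switch, vlan, port) hops
    taken; location is the final (switch, vlan, port) edge port, or None when
    the MAC is not in a table on the walk, the next hop is a device we have no
    output for, or the walk loops (path then shows where to continue by hand).
    """
    path, visited, current = [], set(), start
    while current in switches and current not in visited:
        visited.add(current)
        hit = find_mac(switches[current]["mac_table"], mac)
        if hit is None:
            return path, None
        vlan, port = hit
        path.append((current, vlan, port))
        neighbor = cdp_neighbor_on(switches[current]["cdp"], port)
        if neighbor is None:
            return path, (current, vlan, port)  # no switch behind this port: found it
        current = neighbor[0]
    return path, None


if __name__ == "__main__":
    hops, where = trace_mac("00:11:22:33:44:55", "core1")
    for sw, vlan, port in hops:
        print(f"{sw}: vlan {vlan} port {port}")
    print("located at:", where)
```

    Run against the sample data, the walk goes core1 Gi1/0/48 (an uplink with a CDP neighbour) to access2 Gi0/7 (no neighbour), which is the closet port to go look at. A MAC that stops at a port with no CDP neighbour on the first switch is reported there directly, and a MAC that no switch on the walk has learned yields an empty path, which is the cue to check the VLAN you are searching in.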
     
  12. fyb3r

    fyb3r Member

    Joined:
    Feb 12, 2013
    Messages:
    32
    Likes Received:
    0
    Use the Belarc free scan at www.belarc.com

    See if that will get you what you need.