Locating Firewall in a large network

azev

I am curious if anyone here knows of an easy way to identify a Cisco firewall within a network without having any diagram or any information about the network.

I use CDP to identify most of the network devices connected to a switch, router, etc., but unfortunately no CDP/LLDP can be enabled on an ASA.

Other than using the firewall's MAC address and then hunting for where that MAC resides, is there a better way to do this?
 

imagoon

On those you have to search via MAC address. If you have CiscoWorks or Cisco Prime you can execute a network-wide search for it also. Make sure to search inside the proper VLAN also, since a MAC is not routable.
 

mparr1708

I'd probably use NMAP. With that you can at least identify it as a Cisco device. Most everything else Cisco supports CDP so you can use process of elimination to figure out which is the ASA.

Also, once you narrow it down you can just enter the IP address into a browser using HTTPS. If the firewall admin didn't turn it off, you should see a landing page asking you to download ASDM. If you see that, you are hitting an ASA.
 

imagoon

> Most everything else Cisco supports CDP

ASAs don't.

I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.

Tracert to the internet and see where the packets go from a private to a public IP, and there you are.
 

Lithium381

You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode . .
imagoon - Cisco ASAs aren't always used simply as an edge NAT device.

You're also assuming it's not silently dropping your packets and it's transparent..

You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on. . .
 

imagoon

> You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode . .
> imagoon - Cisco ASAs aren't always used simply as an edge NAT device.
>
> You're also assuming it's not silently dropping your packets and it's transparent..
>
> You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on. . .

I also assume that IT would know the management IP address.

No one runs them as pure L2 because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is that into that level of pain.

Granted the OP has an entirely undocumented network so.....
 

mparr1708

> ASAs don't.
>
> I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.
>
> Tracert to the internet and see where the packets go from a private to a public IP, and there you are.

Which is why I said most everything else. I.e., use CDP to identify the rest. What you have left over narrows your pool of possible devices. Use NMAP to figure out which are Cisco devices. Try to hit a web-based interface and see if you get lucky.
 

Lithium381

> I also assume that IT would know the management IP address.
>
> No one runs them as pure L2 because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is that into that level of pain.
>
> Granted the OP has an entirely undocumented network so.....

Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.
 

azev

Thanks for the input guys, so far what I've been doing is exactly what you guys have posted: find the MAC address and then search for it in the switch where I think it is plugged into. I wish there were a better and quicker way to do this, but it looks like there isn't any.
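The hop-by-hop 'sh arp' / 'sh mac-ad' trace Lithium381 describes, and the MAC hunt azev settles on, automated over constructed sample output as an added example (this is not code from anyone in the thread). Switch names, ports and the MAC are made up, and the CDP neighbour mapping is assumed to have been collected already rather than parsed from 'show cdp neighbors'.

```python
import re

# Constructed sample data, not output captured from any real network.
# MAC_TABLES: text of 'show mac address-table address <mac>' per switch.
MAC_TABLES = {
    "core1": """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
""",
    "dist2": """Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/24
""",
    "access7": """Vlan    Mac Address       Type        Ports
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
""",
}
# Assumed CDP neighbour map: (switch, local port) -> neighbour switch.
# The ASA sends no CDP, so the port it hangs off has no entry here.
CDP = {("core1", "Gi1/0/48"): "dist2", ("dist2", "Gi1/0/24"): "access7"}

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("bad MAC: %s" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def ports_for_mac(table_text, mac):
    """Return every port on which this switch has learned `mac`."""
    want, ports = normalize_mac(mac), []
    for line in table_text.splitlines():
        m = MAC_ROW.match(line)
        if m and m.group(2).lower() == want:
            ports.append(m.group(3))
    return ports

def trace_mac(start, mac, mac_tables=MAC_TABLES, cdp=CDP):
    """Follow the MAC across CDP-learned uplinks until it is learned on a
    port with no CDP neighbour: that is the edge port the device sits on."""
    switch, path = start, []
    while switch not in path:
        path.append(switch)
        ports = ports_for_mac(mac_tables.get(switch, ""), mac)
        if not ports:                 # quiet host or wrong VLAN: table entry aged out
            return {"status": "not-learned", "path": path}
        if len(ports) > 1:            # same MAC on several ports: flapping or a loop
            return {"status": "ambiguous", "path": path, "ports": ports}
        nxt = cdp.get((switch, ports[0]))
        if nxt is None:
            return {"status": "found", "switch": switch, "port": ports[0], "path": path}
        switch = nxt
    return {"status": "loop", "path": path}
```

A "not-learned" result at the first hop usually means the table entry has aged out; pinging the device's IP first refreshes both the ARP and MAC entries before re-running the trace.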