ASA 5505

Unanswered Question
Jun 29th, 2010

I am using ASA5505s in my small offices and an ASA5520 at my central sites.  I have configured EZVPN network extension and everything is working perfectly.  I now want to add another layer of security to this configuration.  My understanding is the 5505 does not support 802.1x so that appears to be out.  I don't want to add another layer of authentication to my users so individual authentication is out.  One of my main concerns is a configured 5505 goes missing and before it is reported and disabled it would have full access to my inside network.  I am thinking of trying to restrict the outside interface to only talk to the DSL router using a static ARP but it doesn't appear to work.  Can this be done or can you suggest another method of locking down my configuration?

Glenn Hanratty Tue, 06/29/2010 - 12:45

Phil;

If I understand your question--it sounds like you're wondering how to prevent a stolen and configured 5505 from accessing your inside networks at the central offices?

If that's the case, I recommend doing one or all of the following:

- only allow certain networks in from the outside interface and set the box to do TCP resets on failed connection attempts
- secure the console login with a non-standard user and strong password
- try to keep the 5505s at the remote offices as secure physically as possible--i.e. behind a locked door, etc.
- disable management access from the outside interface

Hope this helps.

Phil Sova Wed, 06/30/2010 - 08:01

Yes that is my concern.  If I allow the ISP to hand out the address of the outside interface then I can't apply an ACL.  I have locked down the management of the 5505 and we physically keep them in a locked room.  However, if one did go missing anyone could plug it into any Internet connection and have access to my internal network.  If I could apply 802.1x (even MAC filter) that would solve it but it doesn't appear the 5505 supports it.  I can't think of or find a solution that is a perfect fit for what I need.  The only thing I can think of is to ask my ISPs for static addresses for the outside interface and lock down the 5505 so it can't be moved.

John Blakley Tue, 06/29/2010 - 12:45

You could lock the physical device down with passwords and such. In case someone stole the device, they would need to be able to console into it to be able to configure anything. If the outside interface is statically configured, you can create an ACL on the outside interface that only allows those addresses into your main ASA using IPSEC. The physical addresses won't work anywhere else if someone were to take the device offsite and reconfigure it. Then you'd know that you're only allowing that one address into your network.

HTH,

John
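A worked configuration for the approach John and Glenn describe, added here as an example and not taken from any post in this thread: the central 5520 accepts IKE and ESP only from the remote 5505's static outside address, and management on the 5505 is reachable only from its inside network. All addresses are constructed from the RFC 5737 documentation ranges; the control-plane access-group used to filter to-the-box traffic is assumed to be available on the ASA release in use (it is documented for current releases, not necessarily for the 2010 builds discussed here).

```cisco
! --- Central ASA 5520 (hub), outside address 198.51.100.1 (constructed) ---
! The remote 5505 has a static outside address 203.0.113.10 (constructed).
! IKE (UDP/500), NAT-T (UDP/4500) and ESP terminate on the ASA itself; an
! ordinary interface access-group only filters through-the-box traffic, so a
! control-plane ACL is what restricts which peers may even start a tunnel.
access-list OUTSIDE_CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list OUTSIDE_CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE_CP extended permit esp host 203.0.113.10 host 198.51.100.1
! Log everything else: a 5505 plugged into some other Internet connection shows
! up here with an unexpected source address before it gets a security association.
access-list OUTSIDE_CP extended deny ip any any log
access-group OUTSIDE_CP in interface outside control-plane

! --- Remote ASA 5505 (spoke), inside network 192.168.10.0/24 (constructed) ---
! Management only from the inside subnet; no ssh/http statement for "outside".
ssh 192.168.10.0 255.255.255.0 inside
http server enable
http 192.168.10.0 255.255.255.0 inside
! Named local account with a strong password for console and SSH, plus an
! enable password, so a stolen box cannot be reconfigured with default logins.
username netadmin password <strong-password-here> privilege 15
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
enable password <strong-enable-password-here>
```

The hub-side filter only closes the gap once the ISP assigns static outside addresses, as Phil concluded; with a DHCP-assigned outside address there is no fixed peer address to permit.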
