I am using ASA5505s in my small offices and an ASA5520 at my central sites. I have configured EZVPN network extension and everything is working perfectly. I now want to add another layer of security to this configuration. My understanding is the 5505 does not support 802.1x so that appears to be out. I don't want to add another layer of authentication to my users so individual authentication is out. One of my main concerns is a configured 5505 goes missing and before it is reported and disabled it would have full access to my inside network. I am thinking of trying to restrict the outside interface to only talk to the DSL router using a static ARP but it doesn't appear to work. Can this be done or can you suggest another method of locking down my configuration?
Yes that is my concern. If I allow the ISP to hand out the address of the outside interface then I can't apply an ACL. I have locked down the management of the 5505 and we physically keep them in a locked room. However, if one did go missing anyone could plug it into any Internet connection and have access to my internal network. If I could apply 802.1x (even MAC filter) that would solve it but it doesn't appear the 5505 supports it. I can't think of or find a solution that is a perfect fit for what I need. The only thing I can think of is to ask my ISPs for static addresses for the outside interface and lock down the 5505 so it can't be moved.
You could lock the physical device down with passwords and such. In case someone stole the device, they would need to be able to console into it to be able to configure anything. If the outside interface is statically configured, you can create an ACL on the outside interface that only allows those addresses into your main ASA using IPSEC. The physical addresses won't work anywhere else if someone were to take the device offsite and reconfigure it. Then you'd know that you're only allowing that one address into your network.
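The reply above relies on each 5505 always peering from a known static address. An added example (mine, not any poster's): a small Python check that reads hub ASA syslog and flags IKE phase completions from a source address outside that static allowlist, which is what a missing 5505 plugged into a different Internet connection would produce. The peer addresses and log lines are constructed, and the 713119/713120 message layout is assumed from the ASA syslog format; check it against your own version's output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist: the static outside addresses the small-office 5505s are
# expected to peer from. Replace with the ISP-assigned addresses you actually use.
EXPECTED_PEERS = {
    ipaddress.ip_address("203.0.113.10"),  # office A (constructed)
    ipaddress.ip_address("203.0.113.22"),  # office B (constructed)
}

# ASA syslog IDs for IKE phase completion (713119 = Phase 1, 713120 = Phase 2).
IKE_COMPLETED = {"713119", "713120"}

# Assumed field layout: "Group = X, [Username = Y, ]IP = A.B.C.D, ..."
LINE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d+): Group = (?P<group>[^,]+), "
    r"(?:Username = (?P<user>[^,]+), )?IP = (?P<ip>[\d.]+)"
)

@dataclass
class Finding:
    msgid: str
    group: str
    ip: str
    reason: str

def check_peer_events(lines, expected=EXPECTED_PEERS):
    """Return a Finding for each IKE completion whose source is not an expected peer."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("msgid") not in IKE_COMPLETED:
            continue  # not an IKE completion event
        group, ip = m.group("group"), m.group("ip")
        try:
            src = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(m.group("msgid"), group, ip, "malformed IP field"))
            continue
        if src not in expected:
            findings.append(Finding(m.group("msgid"), group, ip, "source not in static peer allowlist"))
    return findings

# Constructed sample: two events from a known office, one Phase 1 from an unknown address.
SAMPLE_LOG = """\
%ASA-5-713119: Group = ezvpn-offices, Username = office-a, IP = 203.0.113.10, PHASE 1 COMPLETED
%ASA-5-713120: Group = ezvpn-offices, Username = office-a, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0x1a2b3c4d)
%ASA-5-713119: Group = ezvpn-offices, Username = office-b, IP = 198.51.100.77, PHASE 1 COMPLETED
%ASA-6-713172: Group = ezvpn-offices, IP = 198.51.100.77, Automatic NAT Detection Status: Remote end is NOT behind a NAT device
"""

if __name__ == "__main__":
    for f in check_peer_events(SAMPLE_LOG.splitlines()):
        print(f"ALERT {f.msgid} group={f.group} ip={f.ip}: {f.reason}")
```

Feed it the hub ASA's syslog export on a schedule, or hook the same regex into whatever log pipeline you already run, so an unexpected peer is noticed before the device is reported missing.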