Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

How to best audit Cisco ASA

I want to audit the 40 Cisco ASA (8.4), with best practices, but I don’t have any tools

•1)       Is there any good free or low cost tools available that I can use to ease the audit

•2)       What are the useful commands/ best practices to audit the asa, e.g.

show failover

show failover state

show monitor-interface

show failover interface

sh run user

sh ip add

etc….

•3)       I have notices that most of the ASA ACL allow ports ip or tcp, I want to use specific port like 22,23,69,154 etc. How I can achieve this.

•4)       Is there any best practices document that I can compare against our ASAs.

Thanks

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

How to best audit Cisco ASA

Hello,

1) First thing is to keep up to date with the Cisco vulnerabilities announcements to check whether your box is not compliant, etc.

Use Scanning tools like NMAP,ZEN-MAP, Veracode, etc.

Use Dictionary attacks to determie whether you can hack into the Device.

Etc,etc.

2) To audit the ASA well

  • Check the ACLs (make sure they are as specific as possible) Show run access-list
  • Make sure a failover cluster is in place (show failover)
  • Make sure traffic not desired is denied (packet-tracer tool)
  • Make sure you are sending logs to a syslog server for further audit stuff.( show run logging)
  • Check the Authentication ,Authorization and Accounting variables (show run aaa)
  • Etc

3) Change the ACLs to satisfy your needs. Being more specific is always more secure.

access-list outside_inside permit tcp any host 4.2.2.2

to

access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (In the case of a HTTP server)

4) Always check release-notes and Cisco vulnerabilities announcements

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
3 REPLIES

How to best audit Cisco ASA

Hello,

1) First thing is to keep up to date with the Cisco vulnerabilities announcements to check whether your box is not compliant, etc.

Use Scanning tools like NMAP,ZEN-MAP, Veracode, etc.

Use Dictionary attacks to determie whether you can hack into the Device.

Etc,etc.

2) To audit the ASA well

  • Check the ACLs (make sure they are as specific as possible) Show run access-list
  • Make sure a failover cluster is in place (show failover)
  • Make sure traffic not desired is denied (packet-tracer tool)
  • Make sure you are sending logs to a syslog server for further audit stuff.( show run logging)
  • Check the Authentication ,Authorization and Accounting variables (show run aaa)
  • Etc

3) Change the ACLs to satisfy your needs. Being more specific is always more secure.

access-list outside_inside permit tcp any host 4.2.2.2

to

access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (In the case of a HTTP server)

4) Always check release-notes and Cisco vulnerabilities announcements

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

How to best audit Cisco ASA

Thanks for detailed reply, it very much appreciated.

In reply to my question 3) please advise that how I FINDOUT that Source and destination are using which specific ports as currently most rules are just using services as tcp & ip.

E.g ASA has 50 different rules & each rule has multiple source & destinations how I can findout that what ports these devices are using, as I need to be 100% sure before replacing the service ports of tcp/ip with specific ports of e.g 80,23,20 etc

I have to audit about 40 asa with this problem, is there any tool/ application/ command to resolve my this problem.

This is very very important part of my audit.

Thanks

How to best audit Cisco ASA

Hello,

Hey my pleasure to help Just remember to rate all of the useful posts (let me know if you do not know how).

Now, regarding the last query well you will need to look for a security policy from the network admin (If there is one) otherwise you will need to build it from scratch.

There is no way you dinamically can determine this by using a tool. Each enviroment is different and has multiple needs.

Good luck with that.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5073
Views
0
Helpful
3
Replies
CreatePlease to create content