
New Member

Is it recommended to have a vulnerability scan for a Cisco ASA device?

Dear everyone,

I have a doubt about vulnerability scanning for a Cisco ASA device. Currently we have a vulnerability scan for network devices, including the firewall. But after running the vulnerability scan for the Cisco ASA, nothing showed up in the scan report.

Is it recommended to have a vulnerability scan for a Cisco ASA, and would it defeat the purpose of the firewall?

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?

If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.

If you had a remote access VPN, you could allow the external scanner to log in via that. They would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).

5 REPLIES
Hall of Fame Super Silver

Vulnerability scan of an ASA

Vulnerability scan of an ASA is fine. I have seen them turn up issues. You can find things like ssh v1 being allowed, weak ciphers allowed for https, etc.

If you find nothing (according to the scan criteria being used) then you can count that as a small victory and move your attention to the areas that didn't do as well.

New Member

Hi Marvin,

Thanks for your explanation. I have tried to let my ASA have a vulnerability scan. But I found the ASA was dropping the connection by itself.

I am just trying to figure out how to let my ASA have an internal vulnerability scan. Do you have any idea how to do it?

Currently I am using ASA version 9.1.

New Member

Thanks Marvin.

I guess my company insists on having a vulnerability scan of the ASA version and some ssh and telnet credential access.

Just wondering if it can scan the management port of the ASA and get reports like version, credentials, SNMP and so on.

Hall of Fame Super Silver

If they want to scan the ASA itself, then they may observe, for instance, whether you allow only strong SSL ciphers for any https service (i.e. for the remote access VPN portal).

SNMP, even when allowed, is restricted to authorized hosts, so their scanning address would have to be allowed explicitly. Likewise with ssh. You can and should lock down both of those services - i.e. require SNMP v3 with only encrypted ("Priv") communications and AES-256, restrict ssh to v2 and use a strong (2048-bit) RSA key.

Hope this helps.
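A small lint over an ASA running config, added here as an example (it is not code from this thread or from Cisco), that flags the management-plane weaknesses discussed above: SSH not pinned to v2 or open to any source, SNMP v1/v2c communities, and SNMPv3 users or groups not using AES-256 "priv". The two configs are constructed samples; the interface names, addresses and SNMP user/group names are assumptions.

```python
"""Lint a Cisco ASA running-config for the weak management settings named in
the thread. Example code for this page; both configs below are constructed."""
import re

# Constructed sample with the weaknesses a scan would typically report.
WEAK_CONFIG = """\
ssh version 1
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
snmp-server host inside 10.0.0.5 community public version 2c
"""

# Constructed sample following the hardening advice: SSH v2 scoped to the
# scanner host, SNMPv3 with AES-256 priv, scanner host allowed explicitly.
HARDENED_CONFIG = """\
ssh version 2
ssh 10.0.0.5 255.255.255.255 inside
snmp-server group SCANNERS v3 priv
snmp-server user scanner SCANNERS v3 auth sha <auth-pw> priv aes 256 <priv-pw>
snmp-server host inside 10.0.0.5 version 3 scanner
"""


def lint_asa_config(config: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # SSH must be explicitly pinned to version 2 (v1 is what scanners flag).
    if "ssh version 2" not in lines:
        findings.append("SSH not pinned to version 2")
    for l in lines:
        # 'ssh <addr> <mask> <if>' with an any/any source is not locked down.
        if re.match(r"ssh \S+ \S+ \S+$", l) and "0.0.0.0 0.0.0.0" in l:
            findings.append(f"SSH open to any source: {l}")
        # SNMP v1/v2c community strings travel in cleartext, no per-user auth.
        if l.startswith("snmp-server community") or (
            l.startswith("snmp-server host") and re.search(r"version (1|2c)\b", l)
        ):
            findings.append(f"SNMP v1/v2c in use: {l}")
        # SNMPv3 users should carry 'priv aes 256', not auth-only or weaker priv.
        if l.startswith("snmp-server user") and "priv aes 256" not in l:
            findings.append(f"SNMPv3 user without AES-256 priv: {l}")
        # SNMPv3 groups should require privacy, not noauth/auth only.
        if re.match(r"snmp-server group \S+ v3 (noauth|auth)$", l):
            findings.append(f"SNMPv3 group without priv: {l}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_asa_config(cfg) or "no findings")
```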
