Cisco<\/p>\n\n\n\n
Once again I headed to the AWS Marketplace to furnish myself with the appropriate vendor’s firewall and happened upon this one:<\/p>\n\n\n\n The ASA persists in using a Java client for GUI administration which I’ve always found a bit of pain to use. Why some vendors can run sophisticated GUIs in a browser but others rely on Java with its attendant annoyances of version compatibility, requirement for install (which in an enterprise environment can be a pain) and challenging security record, I don’t know.<\/p>\n\n\n\n Adding interfaces within AWS was painless with Palos and Fortis but seemed to require a reload on the ASA which took about ten minutes. I didn’t intend this to be a reivew of the various vendors offerings in AWS but we’re heading that way.<\/p>\n\n\n\n I’ve got the entry-level AWS ASA which only comes with a management interface. So I intended to add two more interfaces: an external and a DMZ one as in the previous lab. When I came to add the second I received this message:<\/p>\n\n\n\n Er… so Cisco won’t let you have two interfaces on their AWS firewall. I decided to compare the instances I was using in AWS – maybe I was using some weirdly under-specced instance of the ASA. I decided to use price as the easiest means of comparison<\/p>\n\n\n\n Ah, so the Forti run price is less than half that of the Cisco ASA. Hmmm.<\/p>\n\n\n\n OK, let’s work with what we’ve got. I remember there\u2019s a setting on the ASA to allow the management interface to pass produciton traffic so I\u2019ll remove the external interface from the ASA, just add the DMZ one and use the management interface for external traffic. <\/p>\n\n\n\n I tried to the remove the external interace (an easy operation on other vendors’ firewalls) and sat staring at this for five minutes.<\/p>\n\n\n\n OK, let\u2019s chalk off another ten minutes of our lives and reboot. Having done this for some reason I couldn\u2019t get back on to the firewall with either ssh or the GUI. <\/p>\n\n\n\n Right, well I hadn’t done too much on the instance so I terminated it and just fired up a new one and then added my DMZ interface. Yup, there it is showing on the instance.<\/p>\n\n\n\n But not on the ASA itself.<\/p>\n\n\n\n There may be something in the documentation that mentions you can\u2019t do \u2018hot\u2019 interface additions \/ removals on the ASA in AWS. Anyway, another reboot later and finally we see two interfaces, the management interface and the DMZ interface.<\/p>\n\n\n\n What were we doing? Oh yeah undedicating the management interface…<\/p>\n\n\n\n So let\u2019s untick this\u2026 well to cut a long story short you can untick this little box and the command is accepted happily but when you try and add an access list to the management interface you have the following:<\/p>\n\n\n\n If you then go back and check the management interface the box next to \u2018Dedicate this interface to management\u2019 has magically re-appeared. They saw that one coming, eh? <\/p>\n\n\n\n Maybe, I could fire up a bigger instance but I can\u2019t be bothered. I hereby disqualify the Cisco ASA from my non-std ssh test on account of it being too annoying to set up. I didn\u2019t set out to do a hatchet job and I\u2019ve spent a lot of time on ASA’s in the past and got a long with them fine so it\u2019s more in sadness than anger (well, pique) that I do this.<\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" In a series only midly less compelling than GoT we see how the Cisco ASA firewall fared in stopping ssh over non-standard ports. (Spoiler alert: this lab did not go well) SPOILER ALERT: I didn’t get this working and this post descends into a mild rant on ASAs in AWS. I did get it working […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-166","post","type-post","status-publish","format-standard","hentry","category-firewalls"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/166","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=166"}],"version-history":[{"count":0,"href":"http:\/\/18.135.13.153\/index.php?rest_route=\/wp\/v2\/posts\/166\/revisions"}],"wp:attachment":[{"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=166"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/18.135.13.153\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-4.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-5.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-6.png\")
<\/figcaption><\/figure>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-7.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-8.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-9.png\")
<\/figcaption><\/figure>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-10.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-11.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-12.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-13.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/06\/image-14.png\")