Cisco ASA Device Management – Console Connection

A thumping sound from the Netherlands brings me back to the videoconference feed. Five time zones away, my friend Constantijn is putting the smackdown on some bugs in his apartment. He has wandered out of the shot, but his webcam transmits the sound of him swatting at las cucarachas with what turns out to be a copy of Noam Chomsky’s Hegemony or Survival. Sounds like the bugs are winning.

“How the hell are these bloody things getting in?” he asks. He lives in one of those hermetically-sealed apartment buildings where you can’t even crack open a window.

“Trash chute?” I hazard. Those things are never sealed tight.

I tell him about ants here in the Caribbean. They get in your house every summer, a thick conga line running across your wall from the point of ingress to your trashcan. Insidious. You practically have to build a moat to keep them out.

Controlling management access to a firewall, one is sometimes tempted to employ the tactics used for siege warfare. Caesar’s Commentarii de Bello Gallico is full of tales of overcoming enemy fortifications and starving out a besieged city by cutting off its supply lines. But a network’s like a functioning city. You gotta have a way for legit traffic to traverse the firewall. If it really were a siege, you wouldn’t have a firewall; you’d have an air gap.

Without a startup config, the Cisco ASA only allows management access via the console port. To connect via the console port, plug in one end of a console cable to the console port and plug in the other end to a computer running a terminal emulation program such as Putty or Secure CRT.

The default connection settings are:

Baud Rate 9600
Data Bits 8
Parity None
Stop Bits 1
Flow Control Hardware

To secure the console port, you need physical security, such a a locked cabinet, to protect the ASA. If anyone gains physical access to your ASA, they can console into the ASA and potentially obtain or change the config. (The intruder can also boot the ASA into ROMMON mode and reset the password unless you’ve run a no service password-recovery to disable this capability. Otherwise, it’s enabled by default.)

ciscoasa# conf t
ciscoasa(config)# no service password-recovery
WARNING: Executing "no service password-recovery" has disabled the
password recovery mechanism and disabled access to ROMMON.  The only
means of recovering from lost or forgotten passwords will be for ROMMON
to erase all file systems including configuration files and images.
You should make a backup of your configuration and have a mechanism to
restore images from the ROMMON command line.

In EXEC mode, these commands are available:

clear       Reset functions
enable      Turn on privileged commands
exit        Exit from the EXEC
help        Interactive help for commands
login       Log in as a particular user
logout      Exit from the EXEC
no          Negate a command or set its defaults
ping        Send echo messages
quit        Exit from the EXEC
show        Show running system information
traceroute  Trace route to destination

Mostly useful for diagnostics and information gathering. Can’t change the config unless you get into Privileged EXEC mode. So, it’s important to configure a good enable password to defeat the casual intruder. But let’s face it, if there’s unrestricted physical access to the ASA, your ASA can be compromised. An intruder can snaffle the flash card and obtain or change the config.

Oh well, nothing is completely secure. Best keep the bug spray handy.

Additional Information:

Service password-recovery command in the Cisco ASA 8.4 Command Reference.

Enable password command in the Cisco ASA 8.4 Command Reference.

gomjabbar: How To Break Into A Cisco ASA If You Do Not Have The Enable Password.

gomjabbar: Removing the Flash Memory from a Cisco ASA 5505.

This entry was posted in geek, mecha, v4vendetta and tagged , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.