(TIL) Today I Learned...

Started by Seittit, January 13, 2015, 03:50:21 AM


config t

Really? Is that a hard rule or can you create a policy to allow ICMP from specific hosts/networks.

Please don't mistake my experience for intelligence.

Otanx

It is a hard rule. You can't access an ASA interface on the far side of where the packet came in. The only exception is for packets that come in on an IPSec tunnel terminated on the ASA. This also isn't just ICMP: Telnet, SSH, SNMP, etc. We have the same issue. Our health monitoring server is on a different interface than the backup server, and those are both different than our management clients. So DNS for our ASA resolves to the client interface, and we have host files on the servers that override and supply the IP of the closest interface. It is kind of stupid.

-Otanx
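The rule Otanx describes (to-the-box traffic has to be addressed to the IP of the interface it arrives on, IPsec being the only exception) and the hosts-file workaround are easy to get wrong in the field, so here is a small model of both as an added example. This is not code from the thread or from Cisco; the interface names, addresses and routing table are constructed for illustration, and the model assumes symmetric routing (a packet comes in on the interface the ASA would use to route back to its source).

```python
# Added example (not from the forum thread): a model of the ASA rule that
# management traffic (ICMP, SSH, SNMP, ...) to the box must be sent to the IP
# of the interface the packet arrives on, with the IPsec-tunnel exception.
# Interface names, addresses and routes are constructed for illustration.
import ipaddress
from typing import Optional

# Constructed ASA interfaces: name -> interface address with prefix.
INTERFACES = {
    "mgmt":    ipaddress.ip_interface("10.1.0.1/24"),
    "servers": ipaddress.ip_interface("10.2.0.1/24"),
    "inside":  ipaddress.ip_interface("192.168.0.1/24"),
    "outside": ipaddress.ip_interface("203.0.113.1/29"),
}

# Constructed routing table: (prefix, egress interface). Assumes symmetric
# routing, so the reverse-path interface is also the ingress interface.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "inside"),
    (ipaddress.ip_network("10.1.0.0/24"), "mgmt"),
    (ipaddress.ip_network("10.2.0.0/24"), "servers"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
]


def ingress_interface(src_ip: str) -> str:
    """Longest-prefix match: the interface a packet from src_ip arrives on."""
    src = ipaddress.ip_address(src_ip)
    best = max((r for r in ROUTES if src in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def interface_for_address(dst_ip: str) -> Optional[str]:
    """Name of the interface that owns dst_ip, or None if it is not an ASA address."""
    dst = ipaddress.ip_address(dst_ip)
    for name, iface in INTERFACES.items():
        if iface.ip == dst:
            return name
    return None


def check_to_the_box(src_ip: str, dst_ip: str, via_ipsec: bool = False) -> str:
    """Decide whether management traffic from src_ip to dst_ip gets an answer.

    Returns 'allowed', 'dropped', or 'not-to-the-box' (dst is not an ASA address).
    """
    dst_iface = interface_for_address(dst_ip)
    if dst_iface is None:
        return "not-to-the-box"
    if dst_iface == ingress_interface(src_ip):
        return "allowed"
    # The only exception: the packet arrived through an IPsec tunnel that
    # terminates on the ASA (the management-access case).
    return "allowed" if via_ipsec else "dropped"


def closest_interface_ip(src_ip: str) -> str:
    """The ASA address a host at src_ip must use: the IP of its ingress interface."""
    return str(INTERFACES[ingress_interface(src_ip)].ip)


def hosts_entry(src_ip: str, fqdn: str) -> str:
    """The per-server hosts-file override the thread describes."""
    return f"{closest_interface_ip(src_ip)} {fqdn}"


if __name__ == "__main__":
    # A monitoring server on the servers segment uses the address DNS hands
    # out (the mgmt interface) and gets nothing back; the local interface works.
    print(check_to_the_box("10.2.0.50", "10.1.0.1"))
    print(check_to_the_box("10.2.0.50", "10.2.0.1"))
    print(check_to_the_box("203.0.113.5", "10.1.0.1", via_ipsec=True))
    print(hosts_entry("10.2.0.50", "asa.example.net"))
```

`check_to_the_box` is the check to run in your head when a ping or SSH to the firewall silently fails: find the interface the packet enters on, compare it with the interface that owns the destination address, and only expect a reply if they match or the traffic is tunneled. `hosts_entry` produces the override line for each server so it always targets its own segment's interface.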

config t

Wow. I can only imagine how much time I would have wasted trying to figure that out if I ran into it in the field.

icecream-guy

Quote from: config t on April 04, 2021, 03:59:13 AM
Wow. I can only imagine how much time I would have wasted trying to figure that out if I ran into it in the field.
hours, only 2-3 in my case

My Moral Fibers have been cut.

wintermute000

LOL at a FW that can't act as a DNS proxy
anyway... here's a tricky, terrible hack-around for this: https://herdingpackets.net/2014/02/20/faking-an-asa-as-a-dns-forwarder/

config t

Quote from: ristau5741 on April 04, 2021, 07:00:42 AM
Quote from: config t on April 04, 2021, 03:59:13 AM
Wow. I can only imagine how much time I would have wasted trying to figure that out if I ran into it in the field.
hours, only 2-3 in my case

And that was this time?

deanwebb

TIL:

When considering a SPAN session, "Overruns" happen when there are too many packets to deal with. "Dropped" packets are IPv6 frames when the interface is not set up for IPv6, unintended VLAN tags, and similar ignored packets.

And because that came from another person who learned it today, LEARNCEPTION!!!!
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Quote from: deanwebb on April 22, 2021, 08:42:32 AM
TIL:

When considering a SPAN session, "Overruns" happen when there are too many packets to deal with. "Dropped" packets are IPv6 frames when the interface is not set up for IPv6, unintended VLAN tags, and similar ignored packets.

And because that came from another person who learned it today, LEARNCEPTION!!!!

Like with our favorite Cisco ASA product,  where the interfaces listen to everything, and anything not destined for the firewall is considered "dropped"  e.g.  broadcasts etc.

wintermute000

Be careful, on some switch architectures dropping on the SPAN port = dropping on the actual port, exactly like blocking water coming out of an outlet

config t

TIL.. (or re-learned, not sure) TACLANEs won't form a security association (SA) until traffic is being generated on the Plain Text side by networks other than the Cipher Text and Plain Text networks. Why? Because TACLANEs. It took eight of us 3 days of scratching our heads at perfectly configured hardware to figure that out. Apes Strong Together!

deanwebb

Quote from: config t on May 06, 2021, 11:13:10 AM
TIL.. (or re-learned, not sure) TACLANEs won't form a security association (SA) until traffic is being generated on the Plain Text side by networks other than the Cipher and Plain text networks. Why? Because TACLANEs. It took eight of us 3 days of scratching our heads at perfectly configured hardware to figure that out. Apes Strong Together!

TACLANEs!

Otanx

The thing with TACLANEs you need to remember is they are just IPSec tunnel devices that use very special keys. You are correct they will not build an SA without interesting traffic. Also the PT interface needs to be up/up.

-Otanx

config t

Well said. I actually paraphrased that in my issue/resolution recap.

Another thing to remember about TACLANEs is there is a ton of stuff we need to remember about TACLANEs.

Otanx

Yep, a good COMSEC guy is worth their weight in gold. It is a very specific skill set that is only used in government so many people don't want to deal with it. I was so happy when my last day of COMSEC came, and I got to debrief.

-Otanx

icecream-guy

TIL 

Not following SOP is considered non-compliance
non-compliance is considered insubordination
insubordination is cause for dismissal.


(I didn't learn the hard way)