ASA and my DarkNet

Ok, I think this is a dumb question but I'm going to ask anyway simply because technology can be amazing at times.

Scenario:
Public IP Space: 99.99.99.160/28
ASA Outside Interface: 172.31.1.1

Since this ASA's Outside Interface is an address that is not globally routable, is there a way I can assign this interface a secondary IP address out of my Public IP space, or do SOME sort of NAT to provide the ASA with a public IP? I want to be able to VPN in to this network but I only want to use exactly ONE IP address for this bad boy. Since I'm using this network for my little DarkNet project right now I want to keep as many Public IPs dark as possible to capture the most illegitmate traffic.

Find more posts tagged with

Comments

Ahriakin

You could NAT on your perimeter device for the ASA outside address (presuming since you have an assigned set of Pub IPs you have another internet connected device).
The only way to assign more than one IP to an ASA is to use Sub-Interfaces and multiple VLANs.
Since NAT needs to be bound to the interface IP, or one it can Proxy-Arp for you could assign a proper Pub IP to it, set your inside to 172.31.1.1 and Static Identity NAT it on the outside, this will force the ASA to Proxy-Arp and with a permissive ACL accept connections for that one IP.

Have you though about using something like Bothunter instead?

cisco_trooper

Ahriakin wrote: »

Have you though about using something like Bothunter instead?

Isn't BotHunter for devices within your network perimeter?

Ahriakin wrote: »

You could NAT on your perimeter device for the ASA outside address (presuming since you have an assigned set of Pub IPs you have another internet connected device).

Don't know why I didn't think of that. I'll give that a try and see what happens.

Thanks.

Ahriakin

But so are Darknets, unless you are looking for more of a Honeypot service. Darknets are usually deployed within your network with a Sniffer of some sort on a routed but completely unused subnet, essentially you want to build a Zone that legitimate traffic should never go to so you get the cleanest possible indicator of potentially malicious traffic (like WORMs, Scans etc.) from inside hosts. If you are capturing malicious internet sourced traffic on an internal Darknet then you've got some pretty serious perimeter defense issues (which I guess could also be your aim to detect that

)

cisco_trooper

Ahriakin wrote: »

But so are Darknets, unless you are looking for more of a Honeypot service. Darknets are usually deployed within your network with a Sniffer of some sort on a routed but completely unused subnet, essentially you want to build a Zone that legitimate traffic should never go to so you get the cleanest possible indicator of potentially malicious traffic (like WORMs, Scans etc.) from inside hosts. If you are capturing malicious internet sourced traffic on an internal Darknet then you've got some pretty serious perimeter defense issues (which I guess could also be your aim to detect that )

Ok cool. The Darknet I deployed in my testlab on Friday is actually outside my firewall, capturing rogue traffic sourced from out on the internet. So I guess it doesn't really matter where you deploy these types of things, as long as you know what your end goal is. The reason I have deployed on the outside was to see not only how much of this type of traffic I can expect to see on an IP, but also exactly WHAT are they sending. What types of things are these miscreants attempting to exploit, and even more importantly, HOW. This could obviously serve on the inside to detect issues on the internal network, as you've suggested.

I've become more interested in the workings of exploits. I'm starting to look at individual packets and try to figure out how things work. Just got done with a huge corporate domain migration, so I was looking for a change of pace for a while to keep me busy while I recover. I don't need another burn out session like I had around this time last year.