[c-nsp] configuring RFC1948 on the ASA 5505

Jerry Kemp cisco.mail.list at oryx.cc
Thu Jun 5 22:12:23 EDT 2008


Hello Fred & Peter,

and thank you for your reply.

I am running this os - asa721-k8.bin

I am not running BGP, or any routing protocol on this ASA.

I haven't done anything in the NAT configuration, or elsewhere, to 
disable random sequence numbers, but there is nothing in the conf to 
enable them either.

Jerry K




On 06/05/08 09:26, Fred Reimer wrote:
> It could be that he has random sequence number generation turned off,
> possibly because it causes issues with eBGP MD5's.  This can be done in
> a NAT statement with the norandomseq keyword, or for all TCP traffic
> with the set connection random-sequence-number disable command on a
> class in a policy map.
> 
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
> 
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Thursday, June 05, 2008 6:16 AM
> To: Jerry Kemp
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] configuring RFC1948 on the ASA 5505
> 
> Hi Jerry,
> 
> I have a 5550 providing "truly random" sequence numbers according to
> NMap:
> 
> :: [root at einstein ~]# nmap -v -sT -O -p 22,23,443 10.x.y.z
> :: 
> :: Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-06-05 
> :: 12:11 CEST
> :: DNS resolution of 1 IPs took 0.00s.
> :: Initiating Connect() Scan against 10.x.y.z [3 ports] at 12:11
> :: Discovered open port 443/tcp on 10.x.y.z
> :: Discovered open port 23/tcp on 10.x.y.z
> :: Discovered open port 22/tcp on 10.x.y.z
> :: The Connect() Scan took 0.00s to scan 3 total ports.
> :: Warning:  OS detection will be MUCH less reliable because we did 
> :: not find at least 1 open and 1 closed TCP port
> :: For OSScan assuming port 22 is open, 43522 is closed, and neither 
> :: are firewalled
> :: For OSScan assuming port 22 is open, 36850 is closed, and neither 
> :: are firewalled
> :: For OSScan assuming port 22 is open, 30796 is closed, and neither 
> :: are firewalled
> :: Host 10.x.y.z appears to be up ... good.
> :: Interesting ports on 10.x.y.z:
> :: PORT    STATE SERVICE
> :: 22/tcp  open  ssh
> :: 23/tcp  open  telnet
> :: 443/tcp open  https
> :: Device type: router|printer|load balancer
> :: Running (JUST GUESSING) : Cisco IOS 12.X (91%), Canon embedded 
> :: (85%), Cisco embedded (85%)
> :: Aggressive OS guesses: Cisco 2611 router running IOS 12.0(7)T 
> :: (91%), Canon iR 2200 printer (85%), Cisco CSS 11501 Content 
> :: Services Switch (85%)
> :: No exact OS matches for host (test conditions non-ideal).
> :: TCP Sequence Prediction: Class=truly random
> ::                          Difficulty=9999999 (Good luck!)
> :: IPID Sequence Generation: Randomized
> :: 
> :: Nmap finished: 1 IP address (1 host up) scanned in 9.588 seconds
> ::                Raw packets sent: 50 (4556B) | Rcvd: 37 (1912B)
> :: [root at einstein ~]# 
> 
> There could be a difference between the 5505 and the 5550, but hopefully
> not for something like the device's own TCP stack. What version of ASA
> software are you using? The above is tested on 7.2(2) and 7.2(4).
> 
> Regards,
> Peter
> 
> 
> On Wed, 2008-06-04 at 23:44 -0500, Jerry Kemp wrote:
>> Is it possible to configure RFC 1948 sequence number generation on a
>> Cisco ASA 5505 firewall?  A recent nmap port scan shows TCP sequence
>> prediction to be "Difficulty=0 (Trivial joke)".
>>
>> I did RTFM both Cisco and did several Yahoo searches, and did not turn
>> up anything of value.
>>
>> Below is an (abbreviated) nmap scan sample of an internal port on my ASA.
>> In case my question is not obvious, I have also included (very bottom)
>> the RFC 1948 configuration from a standard Unix (Solaris) set up.
>>
>> TIA for any replies,
>>
>> Jerry K
>>
>> --------------------------------------------------------------------
>> # nmap -v -sT -O 1.1.1.1
>> Starting Nmap 4.20 ( http://insecure.org ) at 2008-06-04 23:27 CDT
>> Initiating ARP Ping Scan at 23:27
>> Scanning 1.1.1.1 [1 port]
>> Completed ARP Ping Scan at 23:27, 0.20s elapsed (1 total hosts)
>> Initiating Connect() Scan at 23:27
>> Scanning 1.1.1.1 (1.1.1.1) [1697 ports]
>> Completed Connect() Scan at 23:27, 30.77s elapsed (1697 total ports)
>> Host 1.1.1.1 (1.1.1.1) appears to be up ... good.
>> Interesting ports on 1.1.1.1 (1.1.1.1):
>> Not shown: 1694 filtered ports
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 23/tcp  open  telnet
>> 443/tcp open  https
>> MAC Address: 00:19:7:24:AD:67 (Cisco Systems)
>> Network Distance: 1 hop
>> TCP Sequence Prediction: Difficulty=0 (Trivial joke)
>>
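Jerry's question is about RFC 1948 initial sequence number generation, and both quoted nmap runs end with nmap's "TCP Sequence Prediction" verdict. The following is an added example, not code from the thread, from Cisco or from nmap: an RFC 1948 style ISN function (ISN = M + F(4-tuple, secret)) next to a rough, hand-rolled stand-in for nmap's difficulty score, run once the way a scanner probes (fresh client port each time) and once the way a single client reconnects. The secret, addresses, clock values, class labels and threshold are all constructed for the example.

```python
import hashlib
import math
import statistics
import struct
import time

MASK32 = 0xFFFFFFFF

def rfc1948_isn(src_ip, src_port, dst_ip, dst_port, secret, now_us=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).
    M is the RFC 793 4-microsecond clock; F is MD5 (the hash RFC 1948
    suggests) cut to 32 bits: a fixed per-4-tuple offset that nobody
    without the secret can compute."""
    if now_us is None:
        now_us = time.time_ns() // 1000
    m = (now_us // 4) & MASK32
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + secret
    f = struct.unpack("!I", hashlib.md5(msg).digest()[:4])[0]
    return (m + f) & MASK32

def isn_difficulty(isns):
    """Rough stand-in for nmap's 'TCP Sequence Prediction' verdict.
    Returns (class, spread); spread is log2 of the population std-dev of
    successive ISN deltas mod 2^32. The labels and the 16-bit threshold are
    this example's own choices, not nmap's exact algorithm."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    if not deltas:
        raise ValueError("need at least two ISNs")
    if all(d == 0 for d in deltas):
        return ("constant", 0)          # nmap: Difficulty=0 (Trivial joke)
    if len(set(deltas)) == 1:
        return ("fixed increment", 0)   # e.g. the old 64k rule, also trivial
    sd = statistics.pstdev(deltas)
    spread = int(math.log2(sd)) if sd >= 1 else 0
    return ("time dependent" if spread < 16 else "random", spread)

def demo():
    """What a scanner sees versus what one reconnecting client sees."""
    secret = b"constructed-secret-for-this-example-only"
    t0 = 1_700_000_000_000_000  # constructed clock value, in microseconds
    # nmap-style probes: same server port, a fresh client port each time,
    # so F changes on every probe and the deltas look random.
    probes = [rfc1948_isn("10.0.0.9", 40000 + i, "10.0.0.1", 22, secret,
                          t0 + 1000 * i) for i in range(6)]
    # The same 4-tuple reconnecting every millisecond: only M moves, by 250.
    repeats = [rfc1948_isn("10.0.0.9", 40000, "10.0.0.1", 22, secret,
                           t0 + 1000 * i) for i in range(6)]
    return isn_difficulty(probes), isn_difficulty(repeats)
```

The second result shows why RFC 1948 keeps a clock term at all: a client that reuses the same 4-tuple still gets monotonically increasing ISNs, while an outside scanner varying its source port sees no usable pattern.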

