Multiple VLAN/Network setup with Sonos and Cisco ASA

  • 13 October 2021
  • 3 replies
  • 761 views

Howdy Sonos Community!  

I spent a lot of time researching the topic of placing Sonos devices in a separate IOT network/vlan and still being able to control them from the “secure” vlan/network and was not coming up with a definitive method for doing it.  The general advice was “No”.  And while I agree with the advice, the boss does not always agree.  This setup provides more isolation than nothing.  The method would likely work for other SSDP devices or could be adopted to mDNS as well.  Your mileage may vary.

- solder2000

 

Disclaimer:

I make no assertions to the overall security of this configuration.  Required traffic is defined and limited as much as possible.  But ultimately you’re punching large holes in the firewall.  Please read and understand what you're doing to your network.  The setup this was copied from is more involved, but the relevant configuration pieces are below.

Assumptions:

  • Sonos devices are using reserved ip addresses from the dhcp server.
  • Insecure and secure networks are different networks/vlans connected to and routed to the internet by the same ASA
  • Secure hosts have unrestricted access to talk to insecure hosts
  • Insecure hosts have no access to secure hosts

Known Limitations:

  • All hosts on the insecure network will see any SSDP multicast traffic from the secure network
  • The Sonos devices need to reply to the multicast traffic, which requires opening all the ephemeral ports.  Else the reply is blocked.
  • If one of the Sonos device's IP is hijacked, the hijacker will be allowed to send packets to the Sonos control ports and any ephemeral ports of devices on the secure network.

The Configuration:

Enable multicast routing

multicast-routing

For reference, interfaces with disabled pim on the wan and other interfaces not participating

interface GigabitEthernet1/1
nameif wan
security-level 0
no pim

# sonos are here
interface GigabitEthernet1/2
nameif insecure_lan
security-level 33

# rest of net here
interface GigabitEthernet1/8
nameif secure_lan
security-level 100

Various objects used by the acls and nat

# network objects
object network net_secure
subnet 192.168.2.0 255.255.255.0
object network net_insecure
subnet 192.168.20.0 255.255.255.0

# SSDP related objects
object service SSDP
service udp destination range 1900 1901
description Simple Service Discovery Protocol
object service bidir-ephemeral
service udp source range 32768 65535 destination range 32768 65535
description bidir ephemeral port range
object network obj_ssdp
host 239.255.255.250
object network net_multicast
range 224.0.0.0 239.255.255.255

# sonos service objects
object service sonos-3400-tcp
service tcp destination range 3400 3401
description Sonos App Control TCP/3400-3401
object-group service sonos-control
service-object object sonos-3400-tcp
service-object object bidir-ephemeral

# sonos network objects
object network obj_sonos_arc
host 192.168.20.131
description Sonos Arc
object network obj_sonos_move
host 192.168.20.199
description Sonos Move
object-group network sonos
network-object object obj_sonos_arc
network-object object obj_sonos_move

ACLs (order matters)

# interface group definitions
access-group insecure_lan_access_in in interface insecure_lan
access-group secure_lan_access_in in interface secure_lan


# allow Sonos devices to communicate back to secure networks
access-list insecure_lan_access_in extended permit object-group sonos-control object-group sonos object net_secure

# block the rest of the traffic from insecure to secure
access-list insecure_lan_access_in extended deny ip any object net_secure

# block insecure multicast traffic
access-list insecure_lan_access_in extended deny ip any object net_multicast


# allow ssdp traffic in from the secure net
access-list secure_lan_access_in extended permit object SSDP any object obj_ssdp

# block the rest of the multicast nets
access-list secure_lan_access_in extended deny ip any object net_multicast

Multicast route

# route the multicast outbound from secure to insecure
mroute 192.168.2.0 255.255.255.0 secure_lan dense insecure_lan

NATs

# dynamic nat Sonos devices sending ssdp replies and http notify's to secure net
nat (insecure_lan,secure_lan) source dynamic Sonos interface destination static net_secure net_secure

# dynamic nat all secure traffic headed to the insecure net
nat (secure_lan,insecure_lan) source dynamic any interface

 


This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

3 replies

I won’t pretend to fully understand some of things in your post, but would it perhaps be much easier to have a dedicated ‘throwaway’ controller device setup in the insecure area and to leave the secure network area entirely separate and secure?

Of course.  There are plenty of alterative ways to setup controllers.  The specific client I set this up for has a fairly hot take on network security, yet set in his lazy ways.  Just wanted to publish my findings so the next person who needs it can do it without going insane or completely destroying their network security.

SECURITY UPDATE!

Unable to leave well enough alone, I “solved” the large number of open ephemeral ports.  Created a NAT blackhole to dump any unnecessary traffic from the Sonos to secure networks.  If all goes according to plan, only ports 3400 and 3401 are exposed on the secure network.

Enjoy,

Solder200

 

Pick an unused IP on the secure network that won't ever need to talk to a Sonos device

object network obj_secure_blackhole
host 192.168.2.7

Add an acl to block all Sonos traffic to the blackhole ip from the insecure network.  This needs to be at the top of the rules.

access-list insecure_lan_access_in line 1 extended deny ip object-group Sonos object obj_secure_blackhole

Update the NAT rules

# remove original rule
no nat (insecure_lan,secure_lan) source dynamic Sonos interface destination static net_secure net_secure

# limit the NAT to just the notify control port
nat 1 (insecure_lan,secure_lan) source dynamic Sonos interface destination static net_secure net_secure service sonos-3400-tcp sonos-3400-tcp

# for the last NAT, send all other traffic to the blackhole object to be denied
nat (insecure_lan,secure_lan) source static Sonos Sonos destination static net_secure obj_secure_blackhole unidirectional no-proxy-arp description Blackhole