Is there software to create diagrams, or see connections, of what servers are connecting to the DMZ based on ASA rules

rweir0001
Level 1

I'm just curious if anyone knows of software, or a quick method, to determine what devices are connecting to our DMZ servers based on rules we have configured in the ASA? Basically, I just want to know how I can get a clear picture, possibly with diagrams, of what internal servers our DMZ servers are connecting to based on our rules. I'm trying to determine this without going through all the rules individually and someone suggested that Cisco may even have software to accomplish this task. We are currently running an ASA5510 on v9.0(4)38 with an ASDM on v7.1(3).

Rick

2 Replies

Marvin Rhoads
Hall of Fame

There's no Cisco (or other vendor) software that I know of that will do that directly.

On more recent versions of ASA software you can tell your ASA to export NetFlow data to a collector of your choice and some of those provide visualization tools. Unfortunately your software is very old and does not support NetFlow export. That feature was only introduced in ASA 8.1(1):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/ef.html#wp1933977

It has been significantly enhanced in later software versions:

http://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html

Being as old as it is, it's probably got a fair number of things that no longer are valid rules. In such cases I recommend doing the hard work and sitting down and analyzing them one by one to both validate and understand them.
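As an added example of the "sit down and analyze the rules" approach (this is not from the thread and not a Cisco tool), the Python script below takes plain `access-list ... extended` lines such as `show running-config access-list` prints, keeps the permit rules that have a DMZ subnet on either side, and emits a Graphviz DOT graph plus a per-server list of who is allowed in. The ACL lines, the DMZ subnet `192.168.100.0/24` and every address in them are constructed for the example. Rules that reference `object` or `object-group` names are out of scope and are returned as unparsed so they are not silently dropped.

```python
"""Source -> DMZ-server connection graph from plain ASA extended ACL lines.

Added example, not a Cisco tool. Handles 'host A', 'NET MASK', 'any'/'any4'
address tokens; object/object-group rules are reported as unparsed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "show running-config access-list" output (not from the thread).
SAMPLE_ACL = """
access-list DMZ_IN remark Inside to DMZ application flows
access-list DMZ_IN extended permit tcp host 10.10.5.20 host 192.168.100.10 eq 1433
access-list DMZ_IN extended permit tcp 10.10.5.0 255.255.255.0 host 192.168.100.11 eq 443
access-list DMZ_IN extended permit udp host 10.10.5.21 host 192.168.100.10 eq 514
access-list DMZ_IN extended permit tcp object-group APP_SERVERS host 192.168.100.12 eq 8443
access-list DMZ_IN extended deny ip any any log
access-list INSIDE_OUT extended permit tcp any4 host 192.168.100.10 eq 80
access-list INSIDE_OUT extended permit tcp host 10.10.7.5 host 10.10.9.9 eq 22
access-list DMZ_OUT extended permit tcp host 192.168.100.10 host 10.10.5.30 eq 389
"""

DMZ_NET = ipaddress.ip_network("192.168.100.0/24")  # assumed DMZ subnet for the example

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any4|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any4|any|\S+ \S+)"
    r"(?:\s+(?P<port>(?:eq|gt|lt|neq)\s+\S+|range\s+\S+\s+\S+))?"
    r"(?:\s+log(?:\s+\S+)*)?\s*$"
)


def to_network(token):
    """ACL address token -> IPv4Network; raises ValueError for object names."""
    if token in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()  # "10.10.5.0 255.255.255.0" form
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Return (rules, unparsed): parsed rule dicts and lines left for manual review."""
    rules, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("access-list") or " remark " in line:
            continue
        m = ACL_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            src, dst = to_network(m["src"]), to_network(m["dst"])
        except ValueError:  # object / object-group names: out of scope here
            unparsed.append(line)
            continue
        port = m["port"].split(None, 1)[1] if m["port"] else "any"
        rules.append({"name": m["name"], "action": m["action"], "proto": m["proto"],
                      "src": src, "dst": dst, "port": port})
    return rules, unparsed


def dmz_edges(rules, dmz_net):
    """(src, dst, 'proto/port') for every permit rule with the DMZ on either side."""
    edges = []
    for r in rules:
        if r["action"] != "permit":
            continue
        if r["src"].subnet_of(dmz_net) or r["dst"].subnet_of(dmz_net):
            edges.append((str(r["src"]), str(r["dst"]), f'{r["proto"]}/{r["port"]}'))
    return edges


def inbound_to_dmz(edges, dmz_net):
    """Per DMZ host: sorted 'source proto/port' strings that are allowed in."""
    inbound = defaultdict(list)
    for src, dst, svc in edges:
        if ipaddress.ip_network(dst).subnet_of(dmz_net):
            inbound[dst].append(f"{src} {svc}")
    return {host: sorted(v) for host, v in inbound.items()}


def to_dot(edges):
    """Graphviz DOT text; render with: dot -Tpng -o dmz.png"""
    lines = ["digraph dmz {", "  rankdir=LR;"]
    for src, dst, svc in sorted(set(edges)):
        lines.append(f'  "{src}" -> "{dst}" [label="{svc}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    rules, unparsed = parse_acl(SAMPLE_ACL)
    print(to_dot(dmz_edges(rules, DMZ_NET)))
    for line in unparsed:
        print("# review manually:", line)
```

Piping the output into `dot` gives the diagram the question asks for; the unparsed lines are exactly the ones that still need the manual, rule-by-rule review, and a rule whose source is `0.0.0.0/0` stands out immediately as one to validate first.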

Yeah...I figured as much. Thanks!