Solved: tracing a route passing through ASA

mahesh18 · ‎12-10-2012

Hi Everyone,

Need help on tracing a route IP 192.168.27.0 that is passing through ASA

i did sh route on ASA

S 192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet

so this means that this ASA is learning this route statically through int Xnet right ?

when i do sh int on ASA it shows Xnet as interface.

what should be my next step?

also i am able to ping this IP from ASA but whne i do sh arp it does not show this IP 192.168.27.251 and mac address

Thanks

Mahesh

Message was edited by: mahesh parmar

Jouni Forss · ‎12-10-2012

Hi,

The ASA has a Static Route for network 192.168.27.0/24 (route Xnet 192.168.27.0 255.255.255.0 192.168.101.14)

The network is found through the interface which IP address belongs to the same network as 192.168.101.14

You wont see anything with "show arp" command as its not a directly connected network for the ASA but a network thats found after atleast one router hop.

You need to check there the Xnet interface is connected to trace where the destination network actually resides.

- Jouni

View solution in original post

Jouni Forss · ‎12-10-2012

Hi,

I mean that your firewall is configured with a static route to tell that the network 192.168.27.0/24 is found through Xnet interface and the next hop IP address (gateway) is 192.168.101.14

You should see that IP address with "show arp" command. You could actually check IP address 192.168.101.14 ARP and copy the MAC address to some Internet site (coffer.com for example) to determine what the brand of the next hop network device is (what manufacturer device it is)

You could try the "traceroute" command on the ASA firewall itself to trace the route towards the network/host you are looking for.

Other than that you should really have some network documentation of where the interfaces lead, have management to the devices in between the ASA and the destination host or check where the physical firewall connection leads at the location where the actual firewall device is located..

I'm not sure if we are talking about the normal physical interface or a subinterface on the ASA.

- Jouni

View solution in original post

Jouni Forss · ‎12-10-2012

Hi,

The MAC address seem to belong to a Cisco device also

Well if you can copy from your firewall the output of "show run interface" command then we can see the configurations of the Xnet interface. Just look for the interface which has "nameif Xnet"

- Jouni

View solution in original post

Jouni Forss · ‎12-10-2012

Hi,

Do you have an ASA in multiple context mode?

Seems to me that some physical or subinterface has been given name in the configuration so that the actual interface type doesnt show (like GigabitEthernet or something)

I can remember atleast on FWSM side that under the Context configurations (in System Context when you configure the interfaces into a specific context) when you use the command "allocate-interface" you can give the actual interface some name by which is shows in the context.

- Jouni

View solution in original post

Jouni Forss · ‎12-11-2012

Hi Mahesh,

Go to the System Context of the ASA
- System Context is the place where you create Security Contexts and attach interfaces to them
- If you are in some Context, you can issue the command "changeto system" to get to the System Context
Now when you are in System Context, issue the command "show run context"
- It should list all the Security Contexts on your ASA. Find the context that includes the "Xnet" interface
- Also you can copy/paste the output here if you want

- Jouni

View solution in original post

Jouni Forss · ‎12-11-2012

So I presume you have ASA5550 or you have bought addiotional 4 GigabitEthernet module.

When you look at the ASA from the side where the physical ports are

The usual ports (without the module) should be in the Right side
The modules ports should be on the Left side
- The module should contain 8 ports
- 4 Ports are for SFP slots (usually for fiber connections)
- 4 Ports are for basic Ethernet connectivity
- The configuration should have some line "media-type" which defines which type is used "rj45" of "sfp"
  - rj45 for Ethernet
  - sfp for SFP module
So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports

Hope this helps. Hopefully I remembered that right.

- Jouni

View solution in original post

Jouni Forss · ‎12-10-2012

Hi,

The ASA has a Static Route for network 192.168.27.0/24 (route Xnet 192.168.27.0 255.255.255.0 192.168.101.14)

The network is found through the interface which IP address belongs to the same network as 192.168.101.14

You wont see anything with "show arp" command as its not a directly connected network for the ASA but a network thats found after atleast one router hop.

You need to check there the Xnet interface is connected to trace where the destination network actually resides.

- Jouni

mahesh18 · ‎12-10-2012

Hi Jouni,

Thanks for reply.

So you mean that destination IP 192.168.27.0 is learned through 192.168.101.14 by interface xnet.

I checked on ASA xnet interface which is

Interface XNet", is up, line protocol is up

MAC address 00a0.c909.0101, MTU 1500

IP address 192.168.101.1, subnet mask 255.255.255.240.

so it means that Xnet interface and next hop interface 192.168.101.14 belong to same network right?

Second how can i trace where xnet interface connects to?

regards

mahesh

Jouni Forss · ‎12-10-2012

Hi,

I mean that your firewall is configured with a static route to tell that the network 192.168.27.0/24 is found through Xnet interface and the next hop IP address (gateway) is 192.168.101.14

You should see that IP address with "show arp" command. You could actually check IP address 192.168.101.14 ARP and copy the MAC address to some Internet site (coffer.com for example) to determine what the brand of the next hop network device is (what manufacturer device it is)

You could try the "traceroute" command on the ASA firewall itself to trace the route towards the network/host you are looking for.

Other than that you should really have some network documentation of where the interfaces lead, have management to the devices in between the ASA and the destination host or check where the physical firewall connection leads at the location where the actual firewall device is located..

I'm not sure if we are talking about the normal physical interface or a subinterface on the ASA.

- Jouni

mahesh18 · ‎12-10-2012

Hi Jouni,

sh arp shows

XNet 192.168.101.14 001b.90e7.3e44 1484

so here we see the gateway address by arp as it is learned by interface Xnet right?

Second thing how can i check if this is normal interface or sub interface on ASA ?

when i do sh ip address

it shows

XNet XNet 192.168.101.1 255.255.255.240 CONFIG

so does this confirm it it is normal interface?

Thanks

Mahesh

Jouni Forss · ‎12-10-2012

Hi,

The MAC address seem to belong to a Cisco device also

Well if you can copy from your firewall the output of "show run interface" command then we can see the configurations of the Xnet interface. Just look for the interface which has "nameif Xnet"

- Jouni

mahesh18 · ‎12-10-2012

Hi Jouni,

interface XNet

nameif NNet security-level 80

ip address 192.168.101.1 255.255.255.240 standby 192.168.101.11

here is info.

I could not find which physical inetrface it is connected like gi0/1 etc?

thanks

mahesh

Jouni Forss · ‎12-10-2012

Hi,

Do you have an ASA in multiple context mode?

Seems to me that some physical or subinterface has been given name in the configuration so that the actual interface type doesnt show (like GigabitEthernet or something)

I can remember atleast on FWSM side that under the Context configurations (in System Context when you configure the interfaces into a specific context) when you use the command "allocate-interface" you can give the actual interface some name by which is shows in the context.

- Jouni

mahesh18 · ‎12-10-2012

Hi Jouni,

Yes its in multi context mode.

Thanks

MAhesh

mahesh18 · ‎12-11-2012

Hi Jouni,

so is there any way i can find what gig port Xnet belongs to ?

Thanks

Mahesh

Jouni Forss · ‎12-11-2012

Hi Mahesh,

Go to the System Context of the ASA
- System Context is the place where you create Security Contexts and attach interfaces to them
- If you are in some Context, you can issue the command "changeto system" to get to the System Context
Now when you are in System Context, issue the command "show run context"
- It should list all the Security Contexts on your ASA. Find the context that includes the "Xnet" interface
- Also you can copy/paste the output here if you want

- Jouni

mahesh18 · ‎12-11-2012

Hi Jouni,

Many thanks for all your replies.

I found the physical interface following the steps in your last post.

Regards

Mahesh

mahesh18 · ‎12-11-2012

Hi Junio,

One last thing on bacl of ASA i see

from Light hand side to Right hand side

LHS has Cisco 4GE SSM with ports from 0 to 3 and Right side has ports from 0 to 3.

so how will i determine which is port gi1/2?

Thanks

MAhesh

Jouni Forss · ‎12-11-2012

So I presume you have ASA5550 or you have bought addiotional 4 GigabitEthernet module.

When you look at the ASA from the side where the physical ports are

The usual ports (without the module) should be in the Right side
The modules ports should be on the Left side
- The module should contain 8 ports
- 4 Ports are for SFP slots (usually for fiber connections)
- 4 Ports are for basic Ethernet connectivity
- The configuration should have some line "media-type" which defines which type is used "rj45" of "sfp"
  - rj45 for Ethernet
  - sfp for SFP module
So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports

Hope this helps. Hopefully I remembered that right.

- Jouni

mahesh18 · ‎12-11-2012

Hi Jouni,

You were again spot on.

It was 3rd port from expansion slot and middle one was 4 ports SFP.

Best Regards

Mahesh