Solved: Tracing a Route passing through firewall

mahesh18 · ‎04-30-2013

Hi Everyone,

I am tracing a route which is passing via fw.

Did sh route on fw

S 172.26.36.0 255.255.255.0 [1/0] via 172.26.253.30, XY

looking to trace 172.26.36.0.

i check the interface XY on ASA it is subinterface with IP 172.26.253.16.

So it means ASA is learning destination route of 172.26.36.0 via interface XY which is on ASA and next HOP IP IS 172.26.253.30?

Also if XY is sub int gi0/2.12 does it mean that next hop device is connected to ASA physical interface gi0/2?

Thanks

Mahesh

Jouni Forss · ‎04-30-2013

Hi Mahesh,

The ASA isnt actually learning this route from anywhere other than its configuration. I mean if we use the term "learn" it would imply that we were using some dynamic routing protocol.

Notice that the route has "S" at the beginning of the output. This means its a static route. This again means its a route statictly configured by the admin on the ASA.

You can use the command "show run route" and the route for the network should be listed there.

All in all the route output above says the following

Its a Static route
Its a static route for the network 172.26.36.0/24
The next hop towards this network is the IP address 172.26.253.30
The route is using the interface named "XY"

Also about the interface. Yes, the interface Gi0/2.12 means that we are using the interface Gi0/2 as a Trunk interface towards the next device. So the next device is connected to the ASA by its Gi0/2 interface. But as we are talking about a subinterface, there is also other subinterfaces that probably are sharing this physical interface.

- Jouni

View solution in original post

Jouni Forss · ‎04-30-2013

Hi,

Opposed to Cisco Routers, on the ASA you always state the interface "nameif" behind which a certain network is located. So you probably have a configuration command on the ASA like below

route XY 172.26.36.0 255.255.255.0 172.26.253.30

This basically tells the ASA that

Network 172.26.36.0/24 is located behind interface XY
The next hop to reach this network is the IP address 172.26.253.30

If you have access to the other networking devices and are just trying to check what path the traffic to that destination network takes through the devices then I guess you could track the MAC address of the next hop IP address to determine where that next hop IP address is located.

If you are using Cisco routers you could do something like this.

Use the command "show arp | inc 172.26.253.30" on the ASA to determine the MAC address of the next hop
Use the MAC address if there are switches in between to locate the actual router that owns the MAC address
- You should be able to use the command "show mac-address-table | inc " to see behind which port the MAC address is learned on a switch.
On any Cisco router you can use "show ip interface brief | inc 172.26.253.20" to check if the router has the IP address configured to one of its interfaces.
- If for some reason some router interface has multiple IP addresses you might have to simply use "show ip arp | inc 172.26.253.30" or perhaps "show configuration | inc 172.26.253.30" to start searching for the interface where the IP address is located.
- I guess also the command "show interface | inc interface|" might tell the interface where the MAC address is located.

On some switch/router network you might be able to track connected devices simply with the use of CDP, but ASA dont support this and CDP on switches and routers might commonly be disabled.

Usually when we are talking about any business network you should usually have some sort of network documentation that tells the locations of the devices and describes the topology and interfaces used to connect the devices. They should also contain the networks and IP addresses of interfaces too.

- Jouni

View solution in original post

Jouni Forss · ‎04-30-2013

Hi Mahesh,

The ASA isnt actually learning this route from anywhere other than its configuration. I mean if we use the term "learn" it would imply that we were using some dynamic routing protocol.

Notice that the route has "S" at the beginning of the output. This means its a static route. This again means its a route statictly configured by the admin on the ASA.

You can use the command "show run route" and the route for the network should be listed there.

All in all the route output above says the following

Its a Static route
Its a static route for the network 172.26.36.0/24
The next hop towards this network is the IP address 172.26.253.30
The route is using the interface named "XY"

Also about the interface. Yes, the interface Gi0/2.12 means that we are using the interface Gi0/2 as a Trunk interface towards the next device. So the next device is connected to the ASA by its Gi0/2 interface. But as we are talking about a subinterface, there is also other subinterfaces that probably are sharing this physical interface.

- Jouni

mahesh18 · ‎04-30-2013

Hi Jouni,

when you say

The route is using the interface named "XY does it mean that for destination route traffic is passing via interface XY and

its next hop is 172.26.253.30?

i traced the switch which connects to this ASA by its mac address.

thanks

mahesh

Jouni Forss · ‎04-30-2013

Hi,

Opposed to Cisco Routers, on the ASA you always state the interface "nameif" behind which a certain network is located. So you probably have a configuration command on the ASA like below

route XY 172.26.36.0 255.255.255.0 172.26.253.30

This basically tells the ASA that

Network 172.26.36.0/24 is located behind interface XY
The next hop to reach this network is the IP address 172.26.253.30

If you have access to the other networking devices and are just trying to check what path the traffic to that destination network takes through the devices then I guess you could track the MAC address of the next hop IP address to determine where that next hop IP address is located.

If you are using Cisco routers you could do something like this.

Use the command "show arp | inc 172.26.253.30" on the ASA to determine the MAC address of the next hop
Use the MAC address if there are switches in between to locate the actual router that owns the MAC address
- You should be able to use the command "show mac-address-table | inc " to see behind which port the MAC address is learned on a switch.
On any Cisco router you can use "show ip interface brief | inc 172.26.253.20" to check if the router has the IP address configured to one of its interfaces.
- If for some reason some router interface has multiple IP addresses you might have to simply use "show ip arp | inc 172.26.253.30" or perhaps "show configuration | inc 172.26.253.30" to start searching for the interface where the IP address is located.
- I guess also the command "show interface | inc interface|" might tell the interface where the MAC address is located.

On some switch/router network you might be able to track connected devices simply with the use of CDP, but ASA dont support this and CDP on switches and routers might commonly be disabled.

Usually when we are talking about any business network you should usually have some sort of network documentation that tells the locations of the devices and describes the topology and interfaces used to connect the devices. They should also contain the networks and IP addresses of interfaces too.

- Jouni

mahesh18 · ‎04-30-2013

Hi Jouni,

I was able to trace the connected switch by ASA mac address.thanks for explaining in depth.

Best regards

Mahesh