
How to know the connection between ASA and 6509 ?

wfqk
Level 5

Hi, two ASA firewalls work as a failover pair. Suppose the primary ASA1's inside interface IP address is 192.168.1.1/24. From the Catalyst 6509 we can see the IP address 192.168.1.1 and its MAC address (both belong to ASA1) through show ip arp on the 6509. But when we run show cdp neighbor on the 6509, we cannot see the ASA firewall. On ASA1, we can see the 6509's IP address (VLAN) and MAC with show arp. Showing the mac-address table on the 6509 does not indicate its relative port, so we do not know which port on the 6509 is connected to ASA1. My question is, how can we know which port on the 6509 connects to ASA1? Thank you

4 Replies

The ASA doesn't support CDP, so you can't use it to find neighbors.

But you should see the MAC address (which is seen in "show interface" on the ASA) on the switch.

As a last option, you could failover to the secondary ASA, log on to the other ASA (which is now the secondary) and shut the interface. On the c6k you'll see the port go down.

Thanks for your reply. Yes, we can see the MACs of the ASA and the switch with the command show arp, but show mac-address-table on the switch does not show the relative port. That is why we do not know which switch port is connected to the ASA.

Shutting down an interface of the ASA is not acceptable because it is in a production environment.

I think each of the failover ASAs (primary and secondary) must have two cables connected to each of the two 6509s. So each 6509 also has two cables connected to the two ASAs, respectively.

I assume that you did something wrong. The MAC should show up in the switch:

ASA5520/pri/act# sh interface inside | i MAC
    MAC address 0000.0c00.1111, MTU 1500

Core-SW#sh mac address-table address 0000.0c00.1111
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0000.0c00.1111    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 1
Core-SW#

For shutting down the ASA interface:

You can shut down the interface on the standby ASA without disrupting your communication, as the standby ASA doesn't forward any traffic. And the "shut" command doesn't get replicated from the standby to the active ASA.
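The lookup shown in this reply, done as a script (an added example, my own code, not from the thread or from Cisco): it parses ASA "show interface" output and Catalyst IOS "show mac address-table" output and reports, for each named ASA interface, the switch port where its MAC was learned. The CLI text below is constructed to match the formats quoted above; apart from the inside MAC 0000.0c00.1111, all MACs, the "outside"/"dmz" interface names, the Po1 entry and the CPU entry are invented for the example. It also flags the cases that cause the confusion in this thread: a MAC learned on a port-channel rather than a physical port, a MAC that is the switch's own (listed with a CPU or Router "port" on IOS; the exact label varies by platform, so treat that check as an assumption), and a MAC not present in this switch's table at all.

```python
import re

# Constructed sample CLI output. The layouts follow the excerpts quoted in this
# reply; every value except the "inside" MAC 0000.0c00.1111 is invented.
ASA_SHOW_INTERFACE = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        MAC address 0000.0c00.1111, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        MAC address 0000.0c00.2222, MTU 1500
Interface GigabitEthernet0/2 "dmz", is up, line protocol is up
        MAC address 0000.0c00.3333, MTU 1500
Interface GigabitEthernet0/3 "", is administratively down, line protocol is down
        MAC address 0000.0c00.4444, MTU 1500
"""

SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0000.0c00.1111    DYNAMIC     Gi1/0/1
 102    0000.0c00.2222    DYNAMIC     Po1
 101    0000.0c00.aaaa    STATIC      CPU
Total Mac Addresses for this criterion: 3
"""

MAC_RE = r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"


def parse_asa_interfaces(text):
    """Return {nameif: mac} from ASA 'show interface' output.

    Interfaces with an empty nameif ("") are skipped: they pass no traffic
    and would only add noise to the lookup.
    """
    macs = {}
    current = None
    for line in text.splitlines():
        m = re.match(r'^Interface\s+\S+\s+"([^"]*)"', line)
        if m:
            current = m.group(1) or None
            continue
        m = re.search(r"MAC address " + MAC_RE, line)
        if m and current:
            macs[current] = m.group(1).lower()
    return macs


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from IOS 'show mac address-table' output."""
    table = {}
    row = re.compile(r"^\s*(\d+)\s+" + MAC_RE + r"\s+\S+\s+(\S+)")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[mac.lower()] = (int(vlan), port)
    return table


def lookup(mac, mac_table):
    """Return (vlan, port, status) for one MAC.

    status: "port"         learned on a physical port, which faces that MAC
            "port-channel" learned on a bundle: check its member links
            "switch-self"  the switch's own MAC (CPU/Router label; platform-
                           dependent, assumed here), so not the ASA at all
            "absent"       not in this switch's table (the other 6509, or a
                           MAC that is not in use on this segment)
    """
    entry = mac_table.get(mac.lower())
    if entry is None:
        return (None, None, "absent")
    vlan, port = entry
    p = port.lower()
    if p.startswith("po"):
        return (vlan, port, "port-channel")
    if p in ("cpu", "router", "switch"):
        return (vlan, port, "switch-self")
    return (vlan, port, "port")


def locate(asa_macs, mac_table):
    """Return {nameif: (mac, vlan, port, status)} for every named ASA interface."""
    return {name: (mac,) + lookup(mac, mac_table) for name, mac in asa_macs.items()}


if __name__ == "__main__":
    found = locate(parse_asa_interfaces(ASA_SHOW_INTERFACE),
                   parse_mac_table(SWITCH_MAC_TABLE))
    for name, (mac, vlan, port, status) in found.items():
        print(f"{name:8} {mac}  vlan={vlan}  port={port}  [{status}]")
```

In practice, paste the real "show interface" from the active unit and "show mac address-table" from each 6509 into the two strings; an "absent" result on one switch means the MAC should turn up on the other, and a "switch-self" result means the MAC looked up was the switch's own SVI address (what the ASA's "show arp" shows for the 6509), not the firewall's.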

You are right about "shut" and the mac-address-table.

If we shut it, the boss would know that and he will... though it does not hurt. With the mac-address-table, if the switch learns the MAC address from a VLAN, it does not show the port, right?