Finding which firewall a host is behind

suisse
Level 1

Hello,

I have a very large network which has several firewalls.  I have never seen some of these sites and I am wrapping my head around the network as a whole.   I do not have a master topology map to show me the layout, so I have been using tracert and show ip route XXX to help troubleshoot where things are.

 

I have two remote sites that want a firewall rule created to allow two machines to talk to each other, however I don't know the names or IPs of the firewalls these devices are sitting behind. Obviously tracert isn't going to reveal them.

My source IP machines are sitting behind a firewall somewhere that is blocking ICMP, therefore the best I can get from tracert is to the L3 switch at the site. I got inside the switch and ran a sh ip route <ip of src> and then I have been going down the list until I am directly connected to something.

Is there a better way to do this? Is there some sort of method to better uncover where an IP sits on a massive network behind multiple firewalls when you have very little information?

Could you post any methods or tips you may have for this.

3 Replies

Hi @suisse

If you have CDP enabled, it would help a lot. Besides, you can do a traceroute and see the farthest device you can get to. Then, you can access this device and from it ping the target IP address and try to see the ARP table. ARP can help you identify which interface the packet is going to. Maybe the interface has some description on it. Again, CDP would help a lot.

-If I helped you somehow, please, rate it as useful.-

Hello

Just like to add that CDP is proprietary to Cisco, so unless these FWs or all other devices support CDP (very unlikely) then CDP would not be very beneficial. However, LLDP is an industry-standard link protocol, so you may have a better chance of discovering neighboring devices using that.

I would also check your VLAN database; this would show what VLANs are active, and if some naming convention has been applied it may be possible to find what the VLAN is for and also trace what interfaces are attached to them.


Lastly, checking the MAC address on such interfaces will give you the OUI of that L2 address, and from that you can find the manufacturer/vendor of the network card attached to that port.

Regards
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,


My steps would be:

- show ip route until you get to the end-point
- sh ip arp to resolve the last next-hop MAC address
- sh mac address-table address to get the interface on which the next-hop is connected

However, this will only give you some identification of the firewall (like someone mentioned: the OUI can tell you the vendor name).

Most firewalls will have multiple interfaces in multiple VLANs. Tracing the route etc. will not reveal the mgmt IP for that specific firewall.

There is a tool I really like to save time: netdisco.

It will periodically gather ARP-cache entries and MAC-address-table info from network devices it can "discover" (requires SNMP RO access).

In your case (and if you can integrate this tool into the existing network), entering the destination IP would easily reveal the firewall it's behind: the MAC address which is associated with the IP and the switchport where that MAC address is connected.

Regards,

Jeroen
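The route, then ARP, then MAC-table, then OUI procedure that all three replies describe, as an added worked example that is not part of any post in this thread: a Python script that parses constructed IOS-style show ip route, show ip arp and show mac address-table output (sample text with hypothetical addresses and MACs, not captured from a real device), resolves the target through recursive routes to the L2-adjacent next hop, and reports that hop's MAC, switchport and OUI vendor. The two-entry OUI table is a stand-in for the IEEE registry. It runs against one device's output; to cross devices, log in to the reported next hop and repeat with that device's tables.

```python
# Added example: walk 'show ip route' to the L2-adjacent next hop, resolve it via
# 'show ip arp', locate it in 'show mac address-table', then read the OUI.
# All device output below is constructed sample text, not from a real network.
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # next hop, or None if directly connected
    iface: Optional[str]                  # egress interface for connected routes


# Constructed samples in IOS format (hypothetical addresses and MACs).
SHOW_IP_ROUTE = """\
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 10.0.0.1
C     10.0.0.0/30 is directly connected, GigabitEthernet0/1
S     10.20.0.0/16 [1/0] via 10.1.1.254
C     10.1.1.0/24 is directly connected, Vlan100
"""
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1               3    0200.0000.0001  ARPA   GigabitEthernet0/1
Internet  10.1.1.254            12    0050.5686.0a1b  ARPA   Vlan100
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
 100    0050.5686.0a1b    DYNAMIC     Gi1/0/24
"""
# Tiny OUI table for the demo; use the IEEE OUI registry for real lookups.
OUI_TABLE = {"00:50:56": "VMware", "00:0c:29": "VMware"}

ROUTE_RE = re.compile(
    r"^\S+\s+(?P<net>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected,\s+(?P<iface>\S+))")
ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<iface>\S+)")
MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+\S+\s+(?P<port>\S+)")


def normalize_mac(mac: str) -> str:
    """'0050.5686.0a1b' -> '00:50:56:86:0a:1b' so OUI prefixes compare cleanly."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_routes(text: str) -> List[Route]:
    routes = []
    for m in filter(None, map(ROUTE_RE.match, text.splitlines())):
        via = ipaddress.IPv4Address(m["via"]) if m["via"] else None
        routes.append(Route(ipaddress.IPv4Network(m["net"]), via, m["iface"]))
    return routes


def parse_arp(text: str) -> Dict[ipaddress.IPv4Address, tuple]:
    return {ipaddress.IPv4Address(m["ip"]): (normalize_mac(m["mac"]), m["iface"])
            for m in filter(None, map(ARP_RE.match, text.splitlines()))}


def parse_mac_table(text: str) -> Dict[str, tuple]:
    return {normalize_mac(m["mac"]): (m["vlan"], m["port"])
            for m in filter(None, map(MAC_RE.match, text.splitlines()))}


def lookup_route(routes: List[Route], ip: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the same choice the RIB makes when forwarding."""
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def trace_to_port(target: str, routes, arp, mac_table, oui=OUI_TABLE, max_hops=8) -> dict:
    """Resolve target through recursive routes to an L2-adjacent hop, then to a port."""
    next_hop = ipaddress.IPv4Address(target)
    path = []
    for _ in range(max_hops):
        route = lookup_route(routes, next_hop)
        if route is None:
            raise LookupError(f"no route to {next_hop}")
        path.append(str(route.network))
        if route.via is None:       # connected: next_hop is now L2-adjacent
            break
        next_hop = route.via
    else:
        raise LookupError("route recursion did not converge")
    result = {"target": target, "route_path": path, "next_hop": str(next_hop),
              "arp_iface": None, "mac": None, "vendor": None, "vlan": None, "port": None}
    if next_hop not in arp:         # ping it first so the ARP cache is populated
        return result
    mac, result["arp_iface"] = arp[next_hop]
    result["mac"], result["vendor"] = mac, oui.get(mac[:8], "unknown")
    if mac in mac_table:            # routed ports never show up in the MAC table
        result["vlan"], result["port"] = mac_table[mac]
    return result


if __name__ == "__main__":
    rt, ar = parse_routes(SHOW_IP_ROUTE), parse_arp(SHOW_IP_ARP)
    mt = parse_mac_table(SHOW_MAC_TABLE)
    for host in ("10.20.5.7", "192.168.1.1", "10.1.1.7"):
        print(trace_to_port(host, rt, ar, mt))
```

The three sample targets cover the cases a practitioner hits: a remote subnet that recurses to a next hop in a VLAN (MAC, port and vendor all resolve), a default-route hop on a routed port (ARP knows it, the MAC table does not), and a directly connected host that has not been pinged yet (no ARP entry, so the script stops and tells you to populate the cache first).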