Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13385
Views
9
Helpful
15
Replies

How can I find the upstream router / next hop for a given interface?

ArchiTech89
Level 1
Level 1

‎01-22-2016 05:47 PM - edited ‎03-08-2019 03:30 AM

I am working as a contractor in a new environment that includes over 100 ASAs (including the various security contexts), and I need to be able to ascertain the next hop for each of the interfaces on each of the devices.

Are there any tools, or are there ASA commands which would easily provide me that information?

I've asked this before in a different forum, but wasn't provided with a solution.

Is the ARP table my best bet? When I look there within a specific context, I see a few different entries but don't know how to determine which is the correct next hop. Also, I'm guessing that ASAs can't use CDP. But the firewall is configured with OSPF -- does that help my cause?

I'm not a complete newbie, but I'm also not years into these devices. Any help would be very gratefully acknowledged.

Cheers!

jeremyNLSO

P.S. I posted here because it basically applies to any interface. If it's the wrong place to post, I'll be happy to move it...

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
Labels:
0 Helpful
15 Replies 15

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-22-2016 11:15 PM

I don't think I fully understand what you want to achieve.  Would this not be as simple as going to each context and checking what the next hop is for the default gateway?

0 Helpful

ArchiTech89
Level 1
Level 1
In response to Philip D'Ath

‎01-23-2016 04:03 PM

Thanks for your reply.

I actually am not concerned with what the default route is, what I'm looking for is the next hop for each individual interface. More like a router than a switch. Does that make sense?

Thanks,

jeremyNLSO

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to ArchiTech89

‎01-23-2016 05:10 PM

To clarify, you mean you want to know what physical port each ASA is plugging into on the remote device?

Do you have access to the switches (this is much easier to do from the switch side)?

0 Helpful

ArchiTech89
Level 1
Level 1
In response to Philip D'Ath

‎04-07-2016 04:02 PM

Don't need to know the ports on the remote device. All I want is the IP address of the next hop on the interface.

So, for example, if it's a /30 WAN interface, the next hop would be the only other host IP address on that subnect (offered by the provider). If it's an internal router, the next hop would be the IP address assigned to the interface connected to on that router.

Basically, the upstream next hop IP address from each configured interface.

Thanks...

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to ArchiTech89

‎01-23-2016 11:21 PM 

Thanks for your reply.I actually am not concerned with what the default route is, what I'm looking for is the next hop for each individual interface. More like a router than a switch. Does that make sense?Thanks,jeremyNLSO

Hello Jeremy,

If i understand with your post, you would like to know what devices are connected with ASA interfaces. If yes , The try issuing show cap neighbours detail in ASA and see what are all you neighbouring devices.

Hope it Helps..

-GI

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to Ganesh Hariharan

‎01-24-2016 12:09 AM

There is no such command on an ASA ... "show cap" shows a packet capture.

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎01-24-2016 12:31 AM

Oops...seems to be my MAC is auto filling ...

I want to type show cdp neighbours details.. but came out to be cap.

Anyway thanks for pointing ..

-GI

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to Ganesh Hariharan

‎01-24-2016 12:33 AM

Alas there is no "show cdp neighbours" command either on an ASA.

0 Helpful

Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎01-24-2016 12:44 AM

Yea ...Just tried on my LAB ASA ..and got to know cdp is not supported with ASA. My bad.. Got one more stuff learned today .Then only think which can be useful s by seeing the ARP table and see what the next hop is, but that would only give you the Layer 3 device ( not specifying is it router or switch) , not the switch in between. -GI

Jon Marshall
Hall of Fame
Hall of Fame
In response to ArchiTech89

‎01-24-2016 08:01 AM

Jeremy

It's not entirely clear what you are asking for.

If you just want to see the next hop IPs then knowing the IP and subnet of the interface on the ASA and using the routing table you should be able to see routes with a next hop IP in the same IP subnet.

This would tell you the next hop L3 device for the ASA on that interface.

There might be more than one next hop though.

Jon

0 Helpful

ArchiTech89
Level 1
Level 1
In response to Jon Marshall

‎01-25-2016 09:20 AM

Thanks Jon. I thought of that too. My only problem is that the routing table is literally HUGE -- pages upon pages of lines in the case I'm trying to figure out right now.

Can someone refresh my memory about the command to find the route for a particular segment (as opposed to the default route)? I can't remember. But I do think this is my best bet.

BTW. In the current case, these are mostly /29s. Obviously that narrows it down, but it's not as good for me as a /30.

Also, sh arp is pretty helpful, but out of the 2 or 3 entries per named interface (it's an ASA thing), I can't tell definitively which one is the actual next hop for that interface.

Thanks so much for all the help...

jeremyNLSO

ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany
0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to ArchiTech89

‎01-25-2016 09:28 AM

Jeremy

Not sure which command you mean but you could try -

"sh route <interface name>"

and this should show you all routes known via that interface.

Which for most cases should have the same next hop IP address although like I say there could be multiple next hops.

Jon

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-22-2016 11:16 PM

Perhaps check out this answer I gave someone wanting to do something similar but from switches.

https://supportforums.cisco.com/discussion/12757161/how-know-full-network-connectivity

0 Helpful

Khalid El-Assal
Level 1
Level 1

‎01-24-2016 11:49 AM

i believe your best options is to use:

show ip rpf <ip address>

 which should show you the reverse path from the ASA to the IP address you specific. You can choose different ip addresses that exist in different areas of your topology and based on the reverse path you can define the next hop ip address from the ASA. check the output of the command from my lab router below - with explanation :

R1#show ip rpf 192.168.203.1
RPF information for ? (192.168.203.1)
RPF interface: GigabitEthernet1/0 this is the output/egress interface on the router or ASA in your case 
RPF neighbor: ? (192.168.200.1) this is the next hob ip address 
RPF route/mask: 0.0.0.0/0
RPF type: unicast (static)
Doing distance-preferred lookups across tables
RPF topology: ipv4 multicast base, originated from ipv4 unicast base
R1#

if this helps please rate and mark the question as answered

....................

Regards, Khalid

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card