I am working as a contractor in a new environment that includes over 100 ASAs (including the various security contexts), and I need to be able to ascertain the next hop for each of the interfaces on each of the devices.
Are there any tools, or are there ASA commands which would easily provide me that information?
I've asked this before in a different forum, but wasn't provided with a solution.
Is the ARP table my best bet? When I look there within a specific context, I see a few different entries but don't know how to determine which is the correct next hop. Also, I'm guessing that ASAs can't use CDP. But the firewall is configured with OSPF -- does that help my cause?
I'm not a complete newbie, but I'm also not years into these devices. Any help would be very gratefully acknowledged.
P.S. I posted here because it basically applies to any interface. If it's the wrong place to post, I'll be happy to move it...
Thanks for your reply.
I actually am not concerned with what the default route is, what I'm looking for is the next hop for each individual interface. More like a router than a switch. Does that make sense?
Don't need to know the ports on the remote device. All I want is the IP address of the next hop on the interface.
So, for example, if it's a /30 WAN interface, the next hop would be the only other host IP address on that subnet (offered by the provider). If it's an internal router, the next hop would be the IP address assigned to the interface connected to on that router.
Basically, the upstream next hop IP address from each configured interface.
If I understand your post, you would like to know what devices are connected to the ASA interfaces. If yes, then try issuing show cap neighbours detail on the ASA and see what all your neighbouring devices are.
Hope it Helps..
It's not entirely clear what you are asking for.
If you just want to see the next hop IPs then knowing the IP and subnet of the interface on the ASA and using the routing table you should be able to see routes with a next hop IP in the same IP subnet.
This would tell you the next hop L3 device for the ASA on that interface.
There might be more than one next hop though.
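The routing-table approach from this answer, worked through as an added Python example that is not part of the thread: it takes constructed ASA interface addresses and constructed "show route" lines (the line format is assumed to match ASA output) and lists, per interface, the next hops that fall inside that interface's own subnet, with a count of routes pointing at each, so a large table reduces to a few candidates.

```python
import ipaddress
import re

# Constructed sample: interface addresses as read from the ASA config
# (nameif -> address/prefix). Not taken from the thread.
INTERFACES = {
    "outside": "203.0.113.2/29",
    "inside": "10.1.1.1/29",
    "dmz": "192.0.2.1/30",
}

# Constructed sample of ASA "show route" output; format assumed.
SHOW_ROUTE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C    203.0.113.0 255.255.255.248 is directly connected, outside
C    10.1.1.0 255.255.255.248 is directly connected, inside
O    10.20.0.0 255.255.0.0 [110/20] via 10.1.1.2, 1d02h, inside
O    10.30.0.0 255.255.0.0 [110/20] via 10.1.1.2, 1d02h, inside
O    10.40.0.0 255.255.0.0 [110/30] via 10.1.1.3, 1d02h, inside
C    192.0.2.0 255.255.255.252 is directly connected, dmz
"""

# "via <next-hop>, [uptime,] <interface>" at the end of a route line.
VIA_RE = re.compile(r"via\s+(\d+\.\d+\.\d+\.\d+),.*?(\S+)\s*$")


def next_hops_per_interface(show_route, interfaces):
    """Return {interface: {next_hop: number_of_routes}} keeping only next
    hops that lie in the interface's own subnet (i.e. directly reachable)."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in interfaces.items()}
    counts = {n: {} for n in interfaces}
    for line in show_route.splitlines():
        m = VIA_RE.search(line)
        if not m:
            continue  # headers, blank lines and connected routes have no "via"
        hop, iface = m.group(1), m.group(2)
        if iface in nets and ipaddress.ip_address(hop) in nets[iface]:
            counts[iface][hop] = counts[iface].get(hop, 0) + 1
    return counts


if __name__ == "__main__":
    for iface, hops in next_hops_per_interface(SHOW_ROUTE, INTERFACES).items():
        print(iface, hops or "no next hop in routing table")
```

An interface with more than one candidate (inside above) is exactly the "more than one next hop" case; the route count shows which neighbour carries most prefixes.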
Thanks Jon. I thought of that too. My only problem is that the routing table is literally HUGE -- pages upon pages of lines in the case I'm trying to figure out right now.
Can someone refresh my memory about the command to find the route for a particular segment (as opposed to the default route)? I can't remember. But I do think this is my best bet.
BTW. In the current case, these are mostly /29s. Obviously that narrows it down, but it's not as good for me as a /30.
Also, sh arp is pretty helpful, but out of the 2 or 3 entries per named interface (it's an ASA thing), I can't tell definitively which one is the actual next hop for that interface.
Thanks so much for all the help...
I believe your best option is to use:
show ip rpf <ip address>
which should show you the reverse path from the ASA to the IP address you specify. You can choose different IP addresses that exist in different areas of your topology, and based on the reverse path you can define the next hop IP address from the ASA. Check the output of the command from my lab router below, with explanation:
R1#show ip rpf 192.168.203.1
RPF information for ? (192.168.203.1)
RPF interface: GigabitEthernet1/0 <-- this is the output/egress interface on the router (or on the ASA in your case)
RPF neighbor: ? (192.168.200.1) <-- this is the next hop IP address
RPF route/mask: 0.0.0.0/0
RPF type: unicast (static)
Doing distance-preferred lookups across tables
RPF topology: ipv4 multicast base, originated from ipv4 unicast base
If this helps, please rate and mark the question as answered.