01-22-2016 05:47 PM - edited 03-08-2019 03:30 AM
I am working as a contractor in a new environment that includes over 100 ASAs (including the various security contexts), and I need to be able to ascertain the next hop for each of the interfaces on each of the devices.
Are there any tools, or are there ASA commands which would easily provide me that information?
I've asked this before in a different forum, but wasn't provided with a solution.
Is the ARP table my best bet? When I look there within a specific context, I see a few different entries but don't know how to determine which is the correct next hop. Also, I'm guessing that ASAs can't use CDP. But the firewall is configured with OSPF -- does that help my cause?
I'm not a complete newbie, but I'm also not years into these devices. Any help would be very gratefully acknowledged.
Cheers!
jeremyNLSO
P.S. I posted here because it basically applies to any interface. If it's the wrong place to post, I'll be happy to move it...
01-22-2016 11:15 PM
I don't think I fully understand what you want to achieve. Would this not be as simple as going to each context and checking what the next hop is for the default gateway?
01-23-2016 04:03 PM
Thanks for your reply.
I actually am not concerned with what the default route is, what I'm looking for is the next hop for each individual interface. More like a router than a switch. Does that make sense?
Thanks,
jeremyNLSO
01-23-2016 05:10 PM
To clarify, you mean you want to know what physical port each ASA is plugging into on the remote device?
Do you have access to the switches (this is much easier to do from the switch side)?
04-07-2016 04:02 PM
Don't need to know the ports on the remote device. All I want is the IP address of the next hop on the interface.
So, for example, if it's a /30 WAN interface, the next hop would be the only other host IP address on that subnet (offered by the provider). If it's an internal router, the next hop would be the IP address assigned to the interface connected to on that router.
Basically, the upstream next hop IP address from each configured interface.
Thanks...
01-23-2016 11:21 PM
Thanks for your reply.
I actually am not concerned with what the default route is, what I'm looking for is the next hop for each individual interface. More like a router than a switch. Does that make sense?
Thanks,
jeremyNLSO
Hello Jeremy,
If I understand your post, you would like to know what devices are connected to the ASA interfaces. If yes, then try issuing show cap neighbours detail on the ASA and see what all your neighbouring devices are.
Hope it helps.
-GI
01-24-2016 12:09 AM
There is no such command on an ASA ... "show cap" shows a packet capture.
01-24-2016 12:31 AM
Oops... it seems my Mac is auto-filling...
I wanted to type show cdp neighbours details, but it came out as cap.
Anyway, thanks for pointing it out.
-GI
01-24-2016 12:33 AM
Alas there is no "show cdp neighbours" command either on an ASA.
01-24-2016 08:01 AM
Jeremy
It's not entirely clear what you are asking for.
If you just want to see the next hop IPs then knowing the IP and subnet of the interface on the ASA and using the routing table you should be able to see routes with a next hop IP in the same IP subnet.
This would tell you the next hop L3 device for the ASA on that interface.
There might be more than one next hop though.
Jon
01-25-2016 09:20 AM
Thanks Jon. I thought of that too. My only problem is that the routing table is literally HUGE -- pages upon pages of lines in the case I'm trying to figure out right now.
Can someone refresh my memory about the command to find the route for a particular segment (as opposed to the default route)? I can't remember. But I do think this is my best bet.
BTW. In the current case, these are mostly /29s. Obviously that narrows it down, but it's not as good for me as a /30.
Also, sh arp is pretty helpful, but out of the 2 or 3 entries per named interface (it's an ASA thing), I can't tell definitively which one is the actual next hop for that interface.
Thanks so much for all the help...
jeremyNLSO
01-25-2016 09:28 AM
Jeremy
Not sure which command you mean but you could try -
"sh route <interface name>"
and this should show you all routes known via that interface.
Which for most cases should have the same next hop IP address although like I say there could be multiple next hops.
Jon
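The route-table approach Jon describes (take the interface's own subnet, then look for routes via that interface whose next hop falls inside it, and expect more than one candidate at times), combined with the ARP cross-check Jeremy asks about, as an added Python example. This is not code from any poster in the thread; the "show route" and "show arp" text below is constructed sample output, not captured from a real ASA, and the parsing regex assumes the usual ASA "show route" line layout (code, network, mask, "[admin/metric] via NEXTHOP, INTERFACE" or "is directly connected, INTERFACE").

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of ASA "show route" output (not from a real device).
SHOW_ROUTE = """\
Codes: C - connected, S - static, O - OSPF
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C    203.0.113.0 255.255.255.248 is directly connected, outside
O    10.20.0.0 255.255.0.0 [110/20] via 192.168.1.2, inside
O    10.30.0.0 255.255.0.0 [110/30] via 192.168.1.2, inside
O    10.40.0.0 255.255.0.0 [110/30] via 192.168.1.3, inside
C    192.168.1.0 255.255.255.248 is directly connected, inside
"""

# Constructed sample of ASA "show arp" output: interface, IP, MAC, age.
SHOW_ARP = """\
outside 203.0.113.1 0011.2233.4455 120
outside 203.0.113.3 0011.2233.6677 45
inside 192.168.1.2 00aa.bbcc.dd01 200
inside 192.168.1.3 00aa.bbcc.dd02 30
inside 192.168.1.6 00aa.bbcc.dd99 10
"""

# One "show route" entry: code, network, mask, then either a via clause or
# "is directly connected", followed by the nameif of the egress interface.
ROUTE_RE = re.compile(
    r"^\S+\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)|is directly connected)"
    r",\s+(?P<intf>\S+)\s*$"
)


def parse_routes(text):
    """Return (connected, learned).

    connected: interface name -> list of directly connected subnets
    learned:   list of (prefix, next_hop, interface) for routes with a via
    """
    connected = defaultdict(list)
    learned = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, blank or unrecognised line
        prefix = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        if m["via"] is None:
            connected[m["intf"]].append(prefix)
        else:
            learned.append((prefix, ipaddress.ip_address(m["via"]), m["intf"]))
    return connected, learned


def next_hops_per_interface(connected, learned):
    """Jon's heuristic: a next hop belongs to an interface when it lies inside
    one of that interface's connected subnets. A set is kept per interface
    because several next hops (ECMP, multiple peers) are possible."""
    hops = defaultdict(set)
    for _prefix, via, intf in learned:
        if any(via in subnet for subnet in connected.get(intf, [])):
            hops[intf].add(via)
    return hops


def parse_arp(text):
    """Interface name -> set of IPs seen in 'show arp'."""
    arp = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            arp[parts[0]].add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # not an ARP entry line
    return arp


def classify_arp(hops, arp):
    """Split each interface's ARP entries into confirmed next hops (an IP a
    route actually points at) and other neighbours on the same segment."""
    result = {}
    for intf, entries in arp.items():
        used = hops.get(intf, set())
        result[intf] = {
            "next_hops": sorted(str(ip) for ip in entries & used),
            "other": sorted(str(ip) for ip in entries - used),
        }
    return result


def report(route_text=SHOW_ROUTE, arp_text=SHOW_ARP):
    """Full pipeline: routes + ARP -> per-interface next-hop classification."""
    connected, learned = parse_routes(route_text)
    return classify_arp(next_hops_per_interface(connected, learned), parse_arp(arp_text))


if __name__ == "__main__":
    for intf, info in report().items():
        print(f"{intf}: next hops {info['next_hops']}, other ARP entries {info['other']}")
```

Feed it the saved output of "show route" and "show arp" from each context (the ASA does not need to be touched beyond those two show commands). An ARP entry that no route points at is simply another host on the segment, which is why "sh arp" alone cannot tell the next hop apart from its neighbours; an interface that ends up with several confirmed next hops is the multiple-next-hop case Jon mentions.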
01-22-2016 11:16 PM
Perhaps check out this answer I gave someone wanting to do something similar but from switches.
https://supportforums.cisco.com/discussion/12757161/how-know-full-network-connectivity
01-24-2016 11:49 AM
I believe your best option is to use:
show ip rpf <ip address>
which should show you the reverse path from the ASA to the IP address you specify. You can choose different IP addresses that exist in different areas of your topology, and based on the reverse path you can determine the next hop IP address from the ASA. Check the output of the command from my lab router below, with explanation:
R1#show ip rpf 192.168.203.1
RPF information for ? (192.168.203.1)
RPF interface: GigabitEthernet1/0 this is the output/egress interface on the router or ASA in your case
RPF neighbor: ? (192.168.200.1) this is the next hop ip address
RPF route/mask: 0.0.0.0/0
RPF type: unicast (static)
Doing distance-preferred lookups across tables
RPF topology: ipv4 multicast base, originated from ipv4 unicast base
R1#
If this helps, please rate and mark the question as answered.
....................
Regards, Khalid