UDT and CISCO ASA's

We have a substantial amount of properties segmented off by cisco asa and UDT can't pull ARP information like it can on a switch/router. Is there any plan to better poll ASA?

19 Replies
We have given up on UDT, it's not really fit for use without this feature and we have been waiting for 2+ years for the features that are required to make it useful.

Couldn't agree more. One thing that has helped in the meantime is having DHCP Snooping enabled on a switch behind the ASA so that the ARP table can be gathered. Not 100% effective, but at least it is something.

A question for the product managers.

Will it pull this information from IPAM if it's monitoring DHCP on a Cisco ASA (or a Windows DHCP server)? Currently I'm starting to set up UDT and I'm seeing patchy mapping of MAC addresses to IP addresses. This seems to be down to different hardware at different sites (i.e. L3 Cisco switches as the default gateway vs ASAs).

Hi,

Unfortunately, UDT and IPAM are not integrated on this level, so UDT won't show the IP information from ASAs.

Peter

Oh dear,

So with a Cisco ASA as the gateway, we don't have any option to get a mapping of IP address to MAC address with UDT?

Jon.

Bump - just found this problem ourselves. Can SW mention this to Cisco, as I know you discuss a lot of functionality with them?

It would seem that only physical addresses of the ASA are supported in that required MIB. Looks like a very deliberate choice to not supply all of the information, so I'm unsure if Cisco will add support.

I think UDT being able to map MAC addresses via DHCP bindings in IPAM would be the best workaround for the lack of information from the ASA. It'll also allow mapping in other situations where the default gateway is another system that does not supply the required information.

I agree here.

The ASA is a security device first and foremost. SNMP can be considered a security risk, as could exposing IP/MAC addresses. Now, I know it functions as a router on many levels, but it is not one. I'm assuming many of these decisions are made to help better secure the networks it serves.

Another issue that I have with Cisco's lack of SNMP support on ASAs is that they don't accept SNMP write commands on v1, v2c, or v3. As stated here:

Here is the official Cisco document for SNMP configuration:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html
Under the heading “Information About SNMP”, you will find it mentioned that ASA only supports read access through GET requests. ASA does not support write access.
This behavior is the same for all versions be it SNMP version 1, 2c or 3.

Would love to see if SW Community has any sway with Cisco Engineers.

I would also love this feature; we are in a unique situation. Most of our non-enterprise networks (manufacturing networks) sit behind firewalls.

We have about 60 Cisco ASA firewalls, each with at least 2 routable subnets, and using UDT we cannot retrieve the IPs due to the ASA's SNMP limitations (due to security risk etc.).

But we also have NCM, and retrieving ARP with an SSH session should be possible.

I would also like to add my desire for this feature. We are limited on IP address tracking for hundreds of devices in our datacenters because of it. I would add that using VRFs, where the ARP information is on the routers, has been a workaround.

Count me in as well; typically our subnets use ASAs as their gateway.

It really doesn't make sense. Why can't we enter credentials for the ASA and pull additional information?

I agree. NCM can execute command lines using SSH/Telnet against the devices and use the output for configuration capture, etc. It seems there should be an opportunity for those with UDT/NCM licenses to potentially gather ARP information that way.

Hi,

For pieces of information that are not available via SNMP, products like CatTools or NCM are available.

Regards,

Jiri

Count me in on this.... our ASAs segment a huge DMZ....

We definitely hear you and understand this request. Unfortunately Cisco doesn't expose the data we need via SNMP so it's much more complicated than adding some additional internal pollers.

The Cisco ASA supports getting the ARP entries from the CLI, which NCM has the capability of doing. Is this being considered?

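As an added example (not from this thread and not part of any SolarWinds product), here is a small Python parser for captured ASA `show arp` output, the kind of text an SSH-driven job such as the NCM approach discussed above would return; it builds the IP-to-MAC map UDT lacks and flags MACs that answer for several IPs on one interface, which is worth a review. The sample output and all addresses are constructed, and the column layout (interface, IP, dotted MAC, age in seconds or `-` for static) is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of ASA "show arp" output (hypothetical interfaces,
# documentation-range IPs and made-up MACs); layout is an assumption.
SAMPLE_SHOW_ARP = """\
ciscoasa# show arp
        inside 192.0.2.10 0050.56a1.1234 254
        inside 192.0.2.1 0008.023b.9892 -
        dmz 198.51.100.20 00d0.ba12.cdef 30
        dmz 198.51.100.21 00d0.ba12.cdef 3
"""

# One ARP row: interface, dotted-quad IP, Cisco dotted MAC, age or "-".
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+|-)\s*$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str              # normalised to aa:bb:cc:dd:ee:ff
    age: Optional[int]    # None for static entries shown as "-"

def normalise_mac(dotted: str) -> str:
    """Convert Cisco 0050.56a1.1234 form to colon-separated lower case."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_arp(text: str) -> List[ArpEntry]:
    """Parse captured CLI output; prompt, headers and blank lines are skipped."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        entries.append(ArpEntry(m["iface"], m["ip"], normalise_mac(m["mac"]), age))
    return entries

def ip_to_mac(entries: List[ArpEntry]) -> Dict[str, str]:
    """The IP -> MAC mapping UDT would otherwise get from a router's ARP table."""
    return {e.ip: e.mac for e in entries}

def shared_macs(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """(interface, MAC) pairs that answer for more than one IP; review candidates."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        seen.setdefault((e.interface, e.mac), []).append(e.ip)
    return {k: v for k, v in seen.items() if len(v) > 1}
```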
Makes sense... Thanks

+1 to this Request

We also have this problem and my information is that the ASA is not supported by UDT.

Maybe one of the Product Managers knows something about that.

Regards,

Mario
