2 Replies Latest reply on Feb 18, 2015 2:09 PM by jamie.burch

    IPAM Neighbor discovery with Cisco ASA Firewalls

    agiacome@directvla.com.ar

      Hi all, does anybody know if neighbor discovery or IP address scan is supported on Cisco ASA firewalls?

      I bought this solution a year ago, and at that time, after the deployment and configuration of the tool, I found that subnets routed on firewalls are not being scanned.

      I read somewhere on the web that this is because the OID implementation on Cisco ASA firewalls does not have the ARP info.

      I wonder if anybody has any experience with this scenario?

      Does this have a solution already, or will it in the future?

      Thanks in advance and regards

        • Re: IPAM Neighbor discovery with Cisco ASA Firewalls
          foonly

          IPAM 4.2 has neighbor discovery, but no mention of specific platforms. They mention specific SNMP OIDs in the online manual:

          http://www.solarwinds.com/documentation/en/flarehelp/ipam/#ipv6monitoring.htm?Highlight=discover%20ipv6%20addresses

          "IPAM IPv6 address discovery is based on the NDP protocol and information is obtained from routers based on the following MIBs / OIDs:

              IPv6 MIB, OID 1.3.6.1.2.1.55.1.12.1.2 (ipv6NetToMediaTablePhysicalAddress)
              IP MIB, OID 1.3.6.1.2.1.4.35 (ipNetToPhysicalTable)

              ipv6NetToMediaValid - 1.3.6.1.2.1.55.1.12.1.6
              Cisco proprietary CISCO-IETF-IP-MIB , OID 1.3.6.1.4.1.9.10.86.1.1.3 (cInetNetToMediaTable)

          Note: For troubleshooting purposes verify the device OIDs with those listed above."

          The manual is not clear whether ALL of the OIDs are necessary or just some of them. The results of my testing against a 5585 running V9.1(1)4, using Engineer's Toolset SolarWinds MIB Viewer version 9.0.0.8:

          1.3.6.1.2.1.55.1.12.1.2    IPV6-MIB ipv6NetToMediaPhysAddress   **unsupported OID**
          1.3.6.1.2.1.4.35           IP-FORWARD-MIB ip.35                 **unsupported OID**
          1.3.6.1.2.1.55.1.12.1.6    IPV6-MIB ipv6NetToMediaPhysAddress   **unsupported OID**
          1.3.6.1.4.1.9.10.86.1.1.3  cInetToMediaTable is not supported on <device name>

          So I searched Cisco's MIB FTP site:

          ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

          They do list RFC1213-MIB.my for the ASA, but any attempt to get anything from ipNetToMediaTable 1.3.6.1.2.1.4.22 fails.

          So I see only a few possibilities:

          1. The ASA is so new that despite having at least a dozen of the most brilliant people working on it, Cisco has not been able to fix this problem in over 10 years. But it's still new, so please be patient.

          2. Cisco does not want you poking into their ASAs for any useful information like this. Go away. Be happy you have interface statistics.

          3. There is some equivalent OID, carefully hidden under an obscure name devised by federal agents who are trying their best to protect the security of the free world.

          The link below is not authoritative, and is well hidden in an unlikely place given how serious managing security devices is, but it supports possibility #2 above:

          https://supportforums.cisco.com/document/7336/snmp-mibs-and-traps-asa-additional-information

          So the DMZ will remain the darkest, least documented network segment in the Enterprise.

          We are considering adding an L3 interface on our DMZ switches so that we can implement RA Guard, which ASA also does not support. We might get our neighbor table that way. I'm sure this is a problem all over the world as more and more people roll (stumble?) out IPv6.

          =Seymour=

          1 of 1 people found this helpful
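The manual's "verify the device OIDs" troubleshooting step, and the per-OID test above, can be scripted. The following is an added example, not SolarWinds, Cisco or foonly's code: it walks each OID quoted in the thread with net-snmp's `snmpwalk -On` and classifies the result as a populated table or an unsupported subtree. Hostname and community string are assumed command-line arguments; the classification logic is pure so it can be tried on constructed output without a device.

```python
"""Check which neighbor-discovery OIDs from the IPAM manual a device returns.

Added example (not SolarWinds or Cisco code).  Runs net-snmp `snmpwalk -On -v2c`
for each OID quoted in the thread and reports whether any rows came back under
that subtree.  classify_walk() is pure and can be exercised on sample output.
"""
import re
import subprocess
import sys

# OIDs quoted from the IPAM manual and the reply above, with the MIB names given there.
NEIGHBOR_OIDS = {
    "1.3.6.1.2.1.55.1.12.1.2": "IPV6-MIB ipv6NetToMediaPhysAddress",
    "1.3.6.1.2.1.55.1.12.1.6": "IPV6-MIB ipv6NetToMediaValid",
    "1.3.6.1.2.1.4.35": "IP-MIB ipNetToPhysicalTable",
    "1.3.6.1.4.1.9.10.86.1.1.3": "CISCO-IETF-IP-MIB cInetNetToMediaTable",
    "1.3.6.1.2.1.4.22": "RFC1213-MIB ipNetToMediaTable",
}

# Phrases net-snmp prints when the agent has nothing under the requested OID.
_EMPTY_MARKERS = (
    "No Such Object available",
    "No Such Instance currently exists",
    "No more variables left in this MIB View",
)
# One varbind line from `snmpwalk -On`, e.g.
# ".1.3.6.1.2.1.4.35.1.4.2.1.4.10.0.0.1 = STRING: 0:11:22:33:44:55"
_VARBIND = re.compile(r"^\.(\d+(?:\.\d+)+)\s*=\s*(\S+):\s*(.*)$")

def classify_walk(oid, output):
    """Return ('supported', row_count) or ('unsupported', 0) for one walk's output."""
    rows = 0
    for line in output.splitlines():
        if any(marker in line for marker in _EMPTY_MARKERS):
            continue
        m = _VARBIND.match(line.strip())
        # Count only varbinds inside the requested subtree: an agent that lacks
        # the table may answer GETNEXT with the next OID outside it instead.
        if m and (m.group(1) == oid or m.group(1).startswith(oid + ".")):
            rows += 1
    return ("supported", rows) if rows else ("unsupported", 0)

def walk(host, community, oid, timeout=5):
    """Run snmpwalk with numeric OIDs; stdout and stderr are merged for parsing."""
    cmd = ["snmpwalk", "-On", "-v2c", "-c", community, "-t", str(timeout), host, oid]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr

def check_device(host, community):
    """Map each OID from the manual to its classification on the given device."""
    return {oid: classify_walk(oid, walk(host, community, oid)) for oid in NEIGHBOR_OIDS}

if __name__ == "__main__":  # usage: python check_oids.py <host> <community>
    for oid, (state, n) in check_device(sys.argv[1], sys.argv[2]).items():
        print(f"{oid:28} {NEIGHBOR_OIDS[oid]:40} {state} ({n} rows)")
```

A device that answers "unsupported" for all of these, as the 5585 above did, cannot feed IPAM's neighbor discovery regardless of which subset the manual actually requires.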