• State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 25 subscribers
  • Views 890 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

IPAM Neighbor discovery with Cisco ASA Firewalls

agiacome

Hi all, does anybody knows if neighbor discovery or IP address scan is supported on Cisco ASA firewalls?

I bought this solution a year ago, and at that time after the deployment and confguration of the tool i've found that subnets routed on firewalls are not beeing scanned.

I read somewhere on the web that this is because the OID implementation on Cisco ASA firewalls does not have the ARP info.

I wounder if anybody has any experience over this scenario?

this has a solution already? or in the future?

thanks in advance and regards

  • 0

    IPAM 4.2 has neighbor discovery, but no mention of specific platforms. They mention specific SNMP OID's in the online manual:

    http://www.solarwinds.com/documentation/en/flarehelp/ipam/#ipv6monitoring.htm?Highlight=discover%20ipv6%20addresses

    "IPAM IPv6 address discovery is based on the NDP protocol and information is obtained from routers based on the following MIBs / OIDs:

        IPv6 MIB, OID 1.3.6.1.2.1.55.1.12.1.2 (ipv6NetToMediaTablePhysicalAddress)
        IP MIB, OID 1.3.6.1.2.1.4.35 (ipNetToPhysicalTable)

        ipv6NetToMediaValid - 1.3.6.1.2.1.55.1.12.1.6
        Cisco proprietary CISCO-IETF-IP-MIB , OID 1.3.6.1.4.1.9.10.86.1.1.3 (cInetNetToMediaTable)

    Note: For troubleshooting purposes verify the device OIDs with those listed above."

    The manual is not clear whether ALL of the OIDs are necessary or just some of them. The results of my testing against a 5585 running V9.1(1)4: using Engineer's Toolset SolarWinds MIB Viewer version 9.0.0.8:

    1.3.6.1.2.1.55.1.12.1.2    IPV6-MIB ipv6NetToMediaPhysAddress  **unsupported OID**

    1.3.6.1.2.1.4.35               IP-FORWARD-MIB ip.35                          **unsupported OID **

    1.3.6.1.2.1.55.1.12.1.6    IPV6-MIB ipv6NetToMediaPhysAddress  **unsupported OID**

    1.3.6.1.4.1.9.10.86.1.1.3 cInetToMediaTable is not supported on <device name>

    So I searched Cisco's MIB FTP site:

    ftp://ftp.cisco.com/pub/mibs/supportlists/asa/asa-supportlist.html

    They do list RFC1213-MIB.my for the ASA, but any attempt to get anything from ipNetToMediaTable 1.3.6.1.2.1.4.22 fails.

    So I see only a few possibilities:

    1. The ASA is so new that despite having at least a dozen of the most brilliant people working on it, Cisco has not been able to fix this problem in over 10 years. But it's still new, so please be patient.

    2. Cisco does not want you poking into their ASAs for any useful information like this. Go away. Be happy you have interface statistics

    3. There is some equivalent OID, carefully hidden under an obscure name devised by federal agents who are trying their best to protect the security of the free world.

    The link below s not authoritative, and is well hidden in an unlikely place given how serious managing security devices is, but it supports possibility #2 above:

    https://supportforums.cisco.com/document/7336/snmp-mibs-and-traps-asa-additional-information

    So the DMZ will remain the darkest, least documented network segment in the Enterprise.

    We are considering adding an L3 interface on our DMZ switches so that we can implement RA Guard, which ASA also does not support. We might get our neighbor table that way. I'm sure this is a problem all over the world as more and more people roll (stumble?) out IPv6.

    =Seymour=

  • 0 in reply to foonly

    Looks like this has been a feature request for a while: https://thwack.solarwinds.com/ideas/1605

    Please upvote this feature request to get some visibility on it!

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.