NeDi Community

NeDi Software Specific => Discovery => Topic started by: X-Byte on July 10, 2014, 04:21:33 pm

Title: Reading ARP entries from virtual ASA firewalls
Post by: X-Byte on July 10, 2014, 04:21:33 pm
NeDi: 1.1.155
ASA: Cisco ASA5520 ( 8.4.3 ) running in virtual firewall context mode

After I provided NeDi with the necessary IO-Pty Perl library and user/pass/enable credentials in nedi.conf, I was eventually able to run a discovery with CLI (SSH) support, hoping I'd be able to retrieve the ARP entries from the firewall contexts.
But it seems I'm having trouble discovering ARP entries from virtual ASA firewall contexts. Maybe I'm missing something, but NeDi only discovers ARP entries of the management interface from the admin context, which is rather useless.

I would've expected NeDi to do something like this:

Determine if ASA is in single or multiple context mode
Code:
show mode
If the output contains "Security context mode: multiple", do the following to list all firewall contexts:
Code:
changeto system
show context detail

and regex match every line containing
Code:
^Context "(.*)"
then iterate through each firewall context and fetch the ARP entries
Code:
changeto context "<match>"
show arp

So, is there any setting to enable multiple context support for ASAs in NeDi?
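
The procedure proposed in the post above, as an added Python example that is not part of the original post and not NeDi code. The sample outputs are constructed, and three things are assumptions: the row layout of `show arp`, skipping the "system" and "null" entries, and the allowed character set for context names.

```python
import re

# The post's pattern is ^Context "(.*)"; [^"]+ stops at the first closing quote.
CONTEXT_RE = re.compile(r'^Context "([^"]+)"', re.MULTILINE)
# Assumed `show arp` row: interface, IPv4 address, dotted MAC, optional age.
ARP_RE = re.compile(
    r'^[ \t]*(\S+)[ \t]+(\d{1,3}(?:\.\d{1,3}){3})[ \t]+'
    r'([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})(?:[ \t]+(\d+))?[ \t]*$',
    re.IGNORECASE | re.MULTILINE)
# Assumption: names outside this set are never sent back to the CLI.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_.-]+$')
# Assumption: these entries are system resources without their own ARP table.
SKIP = {"system", "null"}

def is_multiple_context(show_mode_output):
    return "Security context mode: multiple" in show_mode_output

def list_contexts(show_context_detail_output):
    names = []
    for name in CONTEXT_RE.findall(show_context_detail_output):
        if name in SKIP or name in names:
            continue
        # Device output is untrusted input once it is pasted into a command.
        if not SAFE_NAME.match(name):
            raise ValueError("refusing unexpected context name: %r" % name)
        names.append(name)
    return names

def plan_commands(show_mode_output, show_context_detail_output):
    """Commands to send after `changeto system` / `show context detail`."""
    if not is_multiple_context(show_mode_output):
        return ["show arp"]
    cmds = []
    for name in list_contexts(show_context_detail_output):
        cmds += ["changeto context %s" % name, "show arp"]
    return cmds

def parse_arp(context, show_arp_output):
    """Tag every ARP row with the context it was read from."""
    return [{"context": context, "interface": i, "ip": ip, "mac": mac.lower()}
            for i, ip, mac, _age in ARP_RE.findall(show_arp_output)]

# Constructed sample outputs (not captured from a real device).
SAMPLE_MODE = "Security context mode: multiple\n"
SAMPLE_CONTEXTS = ('Context "system", is a system resource\n'
                   'Context "admin", has been created\n'
                   '  Config URL: disk0:/admin.cfg\n'
                   'Context "customer-a", has been created\n'
                   'Context "null", is a system resource\n')
SAMPLE_ARP = "\tinside 192.0.2.10 0011.2233.4455 12\n\tdmz 192.0.2.77 00AA.BBCC.DDEE 3\n"
```

Keeping the context name on every parsed row matters because separate contexts can reuse the same IP ranges, so an IP-to-MAC pair is only unambiguous together with its context.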
Title: Re: Reading ARP entries from virtual ASA firewalls
Post by: rickli on July 10, 2014, 08:25:31 pm
Not yet, sorry. I can look into it though. A similar issue was mentioned with the config backup, BTW.
Title: Re: Reading ARP entries from virtual ASA firewalls
Post by: X-Byte on July 11, 2014, 10:28:07 am
That would be great.
Maybe you'll have to think of a whole different approach for virtual devices in the future?
Regarding the ASA it might be more consistent to list each virtual firewall context as a separate device? As each virtual firewall has its own virtual interfaces and configuration it's probably easier to integrate them as separate devices to adapt to the NeDi handling concept.
Still, the relation to the physical ASA needs to be visible in a way.

If you need any further information regarding commands/output of the ASA, don't hesitate to ask :)
Title: Re: Reading ARP entries from virtual ASA firewalls
Post by: makki on May 30, 2019, 09:54:28 am
Hi,

Any news on this (NeDi supporting multiple contexts on an ASA)?

greets, Michael
Title: Re: Reading ARP entries from virtual ASA firewalls
Post by: rickli on June 03, 2019, 04:34:31 pm
I haven't had any ASA context encounters since :-/

Did Cisco add a sh arp all or something in the meantime or is iterating through contexts still the only way?