Author Topic: Getting the ARP cache from Cisco ASA 5520  (Read 6488 times)

X-Byte

  • Guest
Getting the ARP cache from Cisco ASA 5520
« on: November 04, 2012, 10:26:12 PM »
I've searched the forum and found a few very old posts related to ARP cache extraction from Cisco ASAs.
Still, I don't really understand if there's currently a way for NeDi to get the ARP cache from the ASAs at all.

If there's a way, could someone please provide me with a short instruction on how to do that?

Thanks in advance.

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2737
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #1 on: November 04, 2012, 11:16:28 PM »
Unfortunately there are no ARP entries accessible via SNMP. You need to provide user credentials in nedi.conf and let it use telnet or SSH...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

X-Byte

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #2 on: November 05, 2012, 04:12:49 PM »
Great!
I've tried that but without luck. A verbose output of the relevant section gives me this:
Code:
Prepare (CLI)  ----------------------------------------------------------------
SSH :nedi:22 Tout:2s OS:IOS-fw EN:(.+?)#\s?$
PTY :Forking ssh -o 'StrictHostKeyChecking no' -l nedi 10.76.0.6
CLI2:Matched password:, sending password
CLI3:Password sent
darasa01/admin> , enabling
CLI7:Matched Password:, sending password
ERR :
SSH :michel:22 Tout:2s OS:IOS-fw EN:(.+?)#\s?$
PTY :Forking ssh -o 'StrictHostKeyChecking no' -l michel 10.76.0.6
CLI2:Matched password:, sending password
CLI3:Password sent
CLI3:Matched denied, login failed
DISC:Cli arp = login failed

Somehow there's a problem when entering enable mode.
I verified the user and password with logging in manually, also entering enable mode with the same user password.
Any idea what's wrong?
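An added example (not NeDi's own code) that reproduces the prompt-matching logic visible in the verbose output above: the enable-prompt regex `(.+?)#\s?$` from the `EN:` field, the ASA unprivileged `>` prompt, and the `Password:` prompts, followed by a parser for the ASA `show arp` output NeDi collects once it is in enable mode. The session lines and ARP table are constructed; the `show arp` column layout (interface, IP, MAC, age) and the `-` age for static entries are assumptions.

```python
import re

# Enable-prompt pattern exactly as shown in the NeDi verbose output: EN:(.+?)#\s?$
ENABLE_PROMPT = re.compile(r"(.+?)#\s?$")
# ASA prompt before 'enable' ends in '>' (e.g. "darasa01/admin> " in the log).
USER_PROMPT = re.compile(r"(.+?)>\s?$")
# Both the SSH prompt ("...'s password:") and the enable prompt ("Password:") end this way.
PASSWORD_PROMPT = re.compile(r"password:\s*$", re.IGNORECASE)

def prompt_state(line):
    """Classify one received line as 'enable', 'user', 'password' or None (no prompt)."""
    line = line.rstrip("\r\n")
    if ENABLE_PROMPT.search(line):
        return "enable"
    if USER_PROMPT.search(line):
        return "user"
    if PASSWORD_PROMPT.search(line):
        return "password"
    return None

def session_states(lines):
    """Map a captured session to the prompt states a CLI collector would see."""
    return [prompt_state(l) for l in lines]

# Assumed ASA 'show arp' line layout: <interface> <ip> <mac> <age-seconds or '-'>
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+|-)\s*$", re.IGNORECASE)

def parse_show_arp(text):
    """Return ARP entries as dicts; age is None for static ('-') entries (assumption)."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            entries.append({"interface": iface, "ip": ip, "mac": mac.lower(),
                            "age": None if age == "-" else int(age)})
    return entries

# Constructed session, modelled on the output.log posted later in this thread.
SAMPLE_SESSION = ["nedi@10.76.0.6's password: ",
                  "Type help or '?' for a list of available commands.",
                  "darasa01/admin> ", "Password: ", "darasa01/admin# "]
# Constructed 'show arp' output (not from a real device).
SAMPLE_ARP = """\
        inside 10.76.0.1 0011.2233.4455 23
        outside 203.0.113.1 00AA.BBCC.DDEE 1024
        dmz 192.0.2.10 0016.9d1a.2b3c -
"""

if __name__ == "__main__":
    print(session_states(SAMPLE_SESSION))
    for e in parse_show_arp(SAMPLE_ARP):
        print(e)
```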

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2737
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #3 on: November 05, 2012, 05:55:29 PM »
Strange that there is Err: and nothing else! Have you tried debug mode (-d) and tail -f on the resulting log files? Guess this will be material for the next tutorial...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

X-Byte

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #4 on: November 06, 2012, 11:09:03 AM »
Tried the debug switch and, after finding out where the debug log files are located (input.log / output.log in the nedi program directory) ;) here's what I got:

input.log
Code:
<password>^Menable^M
I replaced the actual password here with <password>. The password is correctly displayed in the input log.
I don't know if it's important, but the password has 14 characters and contains ! and $ as special characters. Maybe there's some scripting/variable side effect especially with the $ ?
I suppose the first password sent is for the ssh login but it seems the password for enable mode is actually never sent at all?

output.log
Code:
nedi@10.76.0.6's password:
Type help or '?' for a list of available commands.
^Mdarasa01/admin> enable
Password:
password:
The above output is unmodified
« Last Edit: November 06, 2012, 11:43:48 AM by X-Byte »

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2737
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #5 on: November 07, 2012, 10:28:45 PM »
ok, I'll try to reproduce this, but could you try a simpler enable password just to see what happens?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2737
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #6 on: November 10, 2012, 06:02:44 PM »
I just realised that you need to adjust the .def to have old (or anything else) selected to get arp entries...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

X-Byte

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #7 on: November 20, 2012, 02:11:20 PM »
Is there any updated def file available?
What exactly do I have to adjust?

Thanks :)

X-Byte

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #8 on: November 24, 2012, 12:13:40 PM »
Remo, could you help me out with this please? I'm stuck.

tolmstev

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #9 on: December 01, 2012, 06:29:07 AM »
Any progress on this? I'm having the same issue with Cisco ASA5585.

X-Byte

  • Guest
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #10 on: December 06, 2012, 07:18:17 PM »
I guess only the NeDi master himself can enlighten us  :'(

rickli

  • Administrator
  • Hero Member
  • *****
  • Posts: 2737
Re: Getting the ARP cache from Cisco ASA 5520
« Reply #11 on: December 15, 2012, 11:33:55 AM »
:D if the ARP/ND option is set to none in Defgen, the ARP cache won't be read via SSH. Set it to anything else and it should work. Look at the CLI tutorial if it doesn't...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo