
Author Topic: Cisco ASA/PIX MIBs workaround idea  (Read 2619 times)

betabyte

  • Guest
Cisco ASA/PIX MIBs workaround idea
« on: October 10, 2012, 06:54:59 PM »
NeDi has made a huge impact in terms of visibility and tracking in our environment so a very big Thank you!

There is one hurdle that seems to still be out of reach due to vendor limitations and that is the PIX/ASA's lack of an SNMP MIB to pull ARP information.  We have ASAs with code lower than 8.4, so no luck there, and we have an environment full of PIXes with 7.2 as the highest release.  Since our environment leverages the PIX/ASAs as the default GW with multiple networks behind it, the PIX/ASAs hold all the ARP information.  Now I could set up a router with an interface in each network, cron tclsh ping, but that's not scalable.

I'm wondering if I'm overthinking this as a solution, but could I grab the local ARP table, expect, and directly insert the values into MySQL into the "node" table?  I know I'll have to do some mathematics on the IP addresses so they have a unique value, but if I went this route, what format would I have to input the data into the NeDi nodes table?

Is there an easier solution to what I am trying to do?

rickli

  • Administrator
  • Hero Member
Re: Cisco ASA/PIX MIBs workaround idea
« Reply #1 on: October 10, 2012, 07:35:34 PM »
Yes, provide CLI credentials and get ASA ARP via SSH...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

betabyte

  • Guest
Re: Cisco ASA/PIX MIBs workaround idea
« Reply #2 on: October 10, 2012, 09:09:48 PM »
To save some time on figuring out the SQL input string/format, what would that look like?

Do all the values have to be populated or just the nodeip, mac and vlanid?

rickli

  • Administrator
  • Hero Member
Re: Cisco ASA/PIX MIBs workaround idea
« Reply #3 on: October 10, 2012, 10:23:53 PM »
Not sure what you mean with sql and string format? Just make a usr entry in nedi.conf and click the radar button in Devices-System. You may need to reset the CLI settings (click on console image), if you have red bulb there...
-Remo

betabyte

  • Guest
Re: Cisco ASA/PIX MIBs workaround idea
« Reply #4 on: October 11, 2012, 01:14:02 AM »
Ah, I misunderstood what was meant by providing SSH credentials.  So here is a wrench in the mix, the environment that I am running NeDi off of is Non-PCI compliant so due to a multitude of restrictions I am not allowed to directly login from a non-compliant network.  Although they have no issues with non-compliant to compliant using SNMP....

The only workaround I can come up with is having the compliant server that can SSH into the FW initiate the connection to the non-compliant NeDi host.  It's screwy, I completely agree; nevertheless, I can get a flat file with the ARP entries, so how can I add them to the SQL db?

rickli

  • Administrator
  • Hero Member
Re: Cisco ASA/PIX MIBs workaround idea
« Reply #5 on: October 11, 2012, 05:53:04 PM »
In a cronjob with this command maybe?

http://dev.mysql.com/doc/refman/5.0/en/mysqlimport.html

-Remo
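The flat-file route the thread ends up with, as an added example that is not code from NeDi or from either poster: it parses Cisco ASA/PIX `show arp` lines and emits tab-separated rows that mysqlimport can load. The column order (nodeip, mac, vlanid, interface), the unsigned-integer encoding of the IP address and the 12-hex-digit MAC form are assumptions about NeDi's node table, and the sample `show arp` output is constructed.

```python
import csv
import io
import ipaddress
import re

# One line of 'show arp' as printed by an ASA/PIX: interface, IP, MAC, age
ARP_LINE = re.compile(
    r"^\s*(?P<ifname>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(?P<age>\d+|-)\s*$"
)

def ip_to_int(ip: str) -> int:
    """Unique integer key for an IPv4 address (the 'mathematics' the thread mentions)."""
    return int(ipaddress.IPv4Address(ip))

def normalise_mac(mac: str) -> str:
    """Cisco dotted format 0011.2233.4455 -> 001122334455 (assumed NeDi MAC form)."""
    return mac.replace(".", "").lower()

def parse_show_arp(text: str):
    """Return (ifname, nodeip_int, mac, age) per valid ARP line; skip junk lines."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue   # prompts, headers and blank lines are ignored
        age = m.group("age")
        rows.append((m.group("ifname"), ip_to_int(m.group("ip")),
                     normalise_mac(m.group("mac")), None if age == "-" else int(age)))
    return rows

def to_csv(rows, vlanid=1) -> str:
    """Tab-separated text in the (assumed) column order nodeip, mac, vlanid, ifname."""
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    for ifname, nodeip, mac, _age in rows:
        w.writerow([nodeip, mac, vlanid, ifname])
    return buf.getvalue()

# Constructed sample of 'show arp' captured over SSH on the compliant host
SAMPLE = """\
ciscoasa# show arp
        inside 10.1.1.5 0011.2233.4455 120
        dmz 172.16.0.9 aabb.ccdd.eeff 3
        outside 198.51.100.1 0000.0c07.ac01 -
"""

if __name__ == "__main__":
    print(to_csv(parse_show_arp(SAMPLE)), end="")
```

The resulting file is what `mysqlimport --fields-terminated-by='\t'` would load; the columns must be matched to the real NeDi table before use.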