
Author Topic: Nodes behind ASA Firewall  (Read 1707 times)

ascii

  • Jr. Member
  • Posts: 82
Nodes behind ASA Firewall
« on: May 08, 2013, 11:32:35 AM »
Hello together,

I have several Cisco ASAs in my environment.
They protect some critical systems.

The ASAs are discovered by NeDi.
The link between MAC and IP of the Node works perfectly.

But when I take a look at the Node Details I see that they are connected to the ASA, which is correct in a Layer 3 view.
The Node itself is connected to a switch in a VLAN for the critical systems.

Maybe it would be great to have an extra field showing where the Layer 3 interface is and where the physical Layer 2 connection is, like on a normal Node.


rickli

  • Administrator
  • Hero Member
  • Posts: 2697
Re: Nodes behind ASA Firewall
« Reply #1 on: May 08, 2013, 07:08:35 PM »
Is this switch discovered properly as well? If the MAC is learned by that switch and the forwarding table is read properly, that MAC should be assigned to the actual switchport. You can easily follow that MAC by grepping (or simply searching in a text editor) on a -v output...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

ascii

  • Jr. Member
  • Posts: 82
Re: Nodes behind ASA Firewall
« Reply #2 on: May 13, 2013, 07:08:13 AM »
Yes, they are discovered on the switch.
I see it in the IF Change.

rickli

  • Administrator
  • Hero Member
  • Posts: 2697
Re: Nodes behind ASA Firewall
« Reply #3 on: May 13, 2013, 08:45:32 PM »
Ah, they're flapping back and forth. Try creating a static link with Topology-Linked connecting the ASA to that switch. You should see MAC:neighbor on the interfaces to help you find the correct ones...

This might be automagic in 1.0.9...we'll see.

Additionally, you can add the following at line 867 in libcli-iopty.pm:

    $misc::portprop{$na}{$po}{rtr} = 1;

Which would increase the ASA interface's metric to router level, meaning it's less preferred than regular switch ports.
« Last Edit: May 13, 2013, 08:55:44 PM by rickli »
-Remo
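To illustrate the effect of the rtr flag described above, here is an added example (not NeDi's own code): a port flagged as router-level gets a worse metric than a regular switch port, so when the same MAC is learned on an ASA interface and on an access switch port, the switch port wins. The %portprop layout, the metric values and the sample records are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
# Added illustration, not NeDi's code: prefer a switch access port over a
# firewall (router-level) interface when the same MAC is learned on both.
use strict;
use warnings;

# Constructed sample: per-port properties, keyed like the thread's
# %misc::portprop{device}{port}. 'rtr' marks a router-level interface,
# 'links' marks a port that has a (static or discovered) neighbor link.
my %portprop = (
    'asa-core' => { 'inside'   => { rtr => 1, links => 0 } },
    'sw-dc-01' => { 'Gi1/0/12' => { rtr => 0, links => 0 } },
    'sw-dc-01' => { 'Gi1/0/12' => { rtr => 0, links => 0 },
                    'Te1/1/1'  => { rtr => 0, links => 1 } },
);

# Constructed sample: the same MAC seen on three ports at discovery time.
my @seen = (
    { dv => 'asa-core', po => 'inside',   mac => '0011.2233.4455' },
    { dv => 'sw-dc-01', po => 'Te1/1/1',  mac => '0011.2233.4455' },
    { dv => 'sw-dc-01', po => 'Gi1/0/12', mac => '0011.2233.4455' },
);

# Assumed metric: router-level ports score high (less preferred), regular
# switch ports score low; ports carrying a neighbor link are skipped entirely.
sub port_metric {
    my ($dv, $po) = @_;
    my $p = $portprop{$dv}{$po} || {};
    return undef if $p->{links};
    return $p->{rtr} ? 100 : 1;
}

# Pick the lowest-metric port for each MAC; returns mac => "device:port".
sub locate_nodes {
    my @entries = @_;
    my (%best, %out);
    for my $e (@entries) {
        my $m = port_metric($e->{dv}, $e->{po});
        next unless defined $m;
        if (!exists $best{$e->{mac}} || $m < $best{$e->{mac}}) {
            $best{$e->{mac}} = $m;
            $out{$e->{mac}}  = "$e->{dv}:$e->{po}";
        }
    }
    return %out;
}

my %loc = locate_nodes(@seen);
printf "%s -> %s\n", $_, $loc{$_} for sort keys %loc;
```

Without the rtr flag both candidate ports would score the same and the node could flap between the ASA and the switch on every discovery run, which is the behaviour reported in Reply #2.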

ascii

  • Jr. Member
  • Posts: 82
Re: Nodes behind ASA Firewall
« Reply #4 on: May 14, 2013, 08:36:33 AM »
I just created the static link and added the line.
I will report in a couple of hours.