Author Topic: Reading ARP entries from virtual ASA firewalls  (Read 1696 times)

X-Byte

  • Guest
Reading ARP entries from virtual ASA firewalls
« on: July 10, 2014, 04:21:33 PM »
NeDi: 1.1.155
ASA: Cisco ASA5520 ( 8.4.3 ) running in virtual firewall context mode

After I provided NeDi with the necessary IO-Pty perl library and user/pass/enable credentials in nedi.conf I was eventually able to run a discovery with cli (ssh) support, hoping I'd be able to retrieve the ARP entries from the firewall contexts.
But it seems I'm having troubles with discovering ARP entries from virtual ASA firewall contexts. Maybe I'm missing something, but NeDi only discovers ARP entries of the management interface from the admin context, which is rather useless.

I would've expected NeDi to do something like this:

Determine if ASA is in single or multiple context mode
Code:
show mode
If the output contains "Security context mode: multiple", do the following to list all firewall contexts:
Code:
changeto system
show context detail

 and regex match every line containing
Code:
^Context "(.*)"
then iterating through each firewall context and fetching the ARP entries
Code:
changeto context <match>
show arp

So, is there any setting to enable multiple context support for ASAs in NeDi?
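As an added illustration (not NeDi code and not output captured from the poster's ASA), here is a Python sketch of the four steps above, run against a constructed stand-in for the SSH session. It also skips the "system" and "null" entries, which "show context detail" lists next to the real contexts, so that the ^Context "(.*)" regex alone does not try to change into them.

```python
import re

CONTEXT_RE = re.compile(r'^Context "(.*)"')  # the regex proposed in the post
# a "show arp" row is: <interface> <ip> <mac as xxxx.xxxx.xxxx> <age or "-">
ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+(\S+)")
PSEUDO_CONTEXTS = {"system", "null"}  # listed by "show context detail" but not firewall contexts


class FakeAsa:
    """Constructed stand-in for an SSH session to a multi-context ASA; not real device output."""
    CONTEXTS = ('Context "admin", has been created\n  Config URL: disk0:/admin.cfg\n'
                'Context "dmz-fw", has been created\n  Config URL: disk0:/dmz-fw.cfg\n'
                'Context "system", is a system resource\nContext "null", is a system resource\n')
    ARP = {  # constructed per-context ARP tables (RFC 5737 documentation addresses)
        "admin": "\tmanagement 192.0.2.1 0011.2233.4455 12\n",
        "dmz-fw": "\toutside 198.51.100.1 0011.2233.aabb 7\n\tdmz 203.0.113.10 0011.2233.ccdd 3\n",
    }

    def __init__(self):
        self.ctx = "admin"  # an SSH login lands in the admin context

    def run(self, cmd):
        if cmd.startswith("changeto "):  # "changeto system" or "changeto context <name>"
            self.ctx = cmd.split()[-1]
            return ""
        if cmd == "show mode":
            return "Security context mode: multiple\n"
        if cmd == "show context detail" and self.ctx == "system":
            return self.CONTEXTS
        if cmd == "show arp":
            return self.ARP.get(self.ctx, "")
        raise ValueError("unexpected command: " + cmd)


def parse_arp(text):
    """Turn 'show arp' rows into dicts; lines that are not ARP rows are ignored."""
    return [dict(zip(("iface", "ip", "mac", "age"), m.groups()))
            for m in map(ARP_RE.match, text.splitlines()) if m]


def collect_arp(asa):
    """The procedure from the post: detect mode, list contexts, fetch ARP in each."""
    if "Security context mode: multiple" not in asa.run("show mode"):
        return {"single": parse_arp(asa.run("show arp"))}  # single mode: one table
    asa.run("changeto system")
    names = [m.group(1) for m in map(CONTEXT_RE.match,
                                     asa.run("show context detail").splitlines()) if m]
    result = {}
    for name in names:
        if name not in PSEUDO_CONTEXTS:
            asa.run("changeto context " + name)
            result[name] = parse_arp(asa.run("show arp"))
    return result
```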

rickli

  • Administrator
  • Hero Member
  • Posts: 2712
Re: Reading ARP entries from virtual ASA firewalls
« Reply #1 on: July 10, 2014, 08:25:31 PM »
Not yet, sorry. I can look into it though. A similar issue was mentioned with the config backup, BTW.
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

X-Byte

  • Guest
Re: Reading ARP entries from virtual ASA firewalls
« Reply #2 on: July 11, 2014, 10:28:07 AM »
That would be great.
Maybe you'll have to think of a whole different approach for virtual devices in the future?
Regarding the ASA it might be more consistent to list each virtual firewall context as a separate device? As each virtual firewall has its own virtual interfaces and configuration it's probably easier to integrate them as separate devices to adapt to the NeDi handling concept.
Still, the relation to the physical ASA needs to be visible in a way.

If you need any further information regarding commands/output of the ASA, don't hesitate to ask :)

makki

  • Newbie
  • Posts: 5
Re: Reading ARP entries from virtual ASA firewalls
« Reply #3 on: May 30, 2019, 09:54:28 AM »
Hi,

Any news on this (NeDi supporting multiple contexts on an ASA)?

greets, Michael

rickli

  • Administrator
  • Hero Member
  • Posts: 2712
Re: Reading ARP entries from virtual ASA firewalls
« Reply #4 on: June 03, 2019, 04:34:31 PM »
I haven't had any ASA context encounters since :-/

Did Cisco add a sh arp all or something in the meantime or is iterating through contexts still the only way?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo