Author Topic: Anyone got any Cisco ASA to work with nedi  (Read 7526 times)

MacBest

  • Newbie
Anyone got any Cisco ASA to work with nedi
« on: April 07, 2009, 09:34:18 AM »
Hi there,

I got a few ASAs and wanted to get the arp table out of these boxes.
It is not possible via snmp so the only way I see is via cli.
In 2007 there was a little discussion about it but no solution yet.

The nedi cli stuff will not work on my ASAs.
I've defined them as
OS      IOS-fw
but I only get a red bulb in the cli line of Devices-Status.php
and port 23 is displayed even though nedi should connect via ssh, not telnet.
(or do I have to configure something special to get ssh to work?)

This is the way if I do it manually:

Code:
jbmpb:~ jb$ ssh <username>@asawzosued01
vpnbvrou@asawzosued01's password: <enablepassword>
Type help or '?' for a list of available commands.
asawzosued01> en
Password: <enablepassword>
asawzosued01# sh arp
        outside xxx.xxx.xxx.xxx 0012.ef20.aa03
        inside 192.168.74.203 0021.5acb.d042
        inside 192.168.74.200 0022.640c.0842
 


I also tried to put the following line into /opt/local/share/nedi/inc/libcli-netssh.pl
Code:
$cmd{'IOS-fw'}{'macd'} = 'sh arp';

But until ssh works this also will not work, I think ;-)

So any help is welcome

Greetings from Germany

Jürgen

rufer

  • Guest
Re: Anyone got any Cisco ASA to work with nedi
« Reply #1 on: April 14, 2009, 10:53:44 AM »
This is not very easy, because "sh arp" outputs names instead of IP addresses if you defined them.

The newest FWSM release finally permits reading the ARP table by SNMP. But of course not with standard OIDs so it's currently not usable.

Greetings
Rufer

rickli

  • Administrator
  • Hero Member
Re: Anyone got any Cisco ASA to work with nedi
« Reply #2 on: April 14, 2009, 07:23:24 PM »
I was thinking about an override option for standard sysdescr, to cater for exotic devices (like printers). This would go along with an arp table override. Anyone got a spare ASA? Or can someone share the OID (hoping it's arranged like net2media)?
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

rufer

  • Guest
Re: Anyone got any Cisco ASA to work with nedi
« Reply #3 on: April 15, 2009, 11:55:35 AM »
This has not yet been implemented for the ASA, just for FWSM :(
FWSM is a bit difficult because you need a Catalyst 6500 chassis.

Greetings
Rufer

MacBest

  • Newbie
Re: Anyone got any Cisco ASA to work with nedi
« Reply #4 on: April 15, 2009, 02:17:27 PM »
Oh I see that there are other people interested in getting info out of the asa into nedi :)

The problem with the asa displaying names instead of IPs with a "sh arp" would be no problem for me because I only name devices in the asa config and not simple clients. So I could get a lot of information out of the box anyway.

Wouldn't it be possible to allow an external script to check the asa arp tables (e.g. via expect) and get the values back into nedi? If this works we can put it in the nedi contrib folder so everybody can use it.

Thanks in advance for any help

Juergen
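
An external script of the kind suggested above has to turn the "sh arp" output from the first post into address pairs and cope with names in the address column. A sketch of that parsing step in Python (added example, not part of the thread or of NeDi; the sample rows, the name fileserver01, the caller-supplied names map and the 12-digit MAC output format are assumptions):

```python
import ipaddress
import re

# Constructed sample in the format shown in the first post; "fileserver01" is
# a made-up alias standing in for a name defined on the ASA.
SAMPLE = """\
asawzosued01# sh arp
        inside 192.168.74.203 0021.5acb.d042
        inside 192.168.74.200 0022.640c.0842
        inside fileserver01 0012.ef20.aa03
"""

# Cisco prints MACs as three dot-separated groups of four hex digits.
LINE_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s*$"
)


def parse_sh_arp(text, names=None):
    """Return (entries, unresolved) parsed from 'sh arp' output.

    entries:    dicts with interface, ip and mac (12 lowercase hex digits).
    unresolved: rows whose address column is a name that 'names' cannot map.
    """
    names = names or {}
    entries, unresolved = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, banner or blank line
        ifname, addr, mac = m.groups()
        addr = names.get(addr, addr)  # map a configured name back to its IP
        try:
            ip = str(ipaddress.IPv4Address(addr))
        except ipaddress.AddressValueError:
            # Name without a known IP (or a masked address): report it
            # separately instead of storing a bogus IP.
            unresolved.append((ifname, addr, mac))
            continue
        entries.append(
            {"interface": ifname, "ip": ip, "mac": mac.replace(".", "").lower()}
        )
    return entries, unresolved
```
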

tristanbob

  • Full Member
Re: Anyone got any Cisco ASA to work with nedi
« Reply #5 on: June 03, 2010, 06:59:00 PM »
This guy wrote a function to pull the ARP table out of FWSM using SNMP.  He created it for Cacti, but perhaps this can be used in Nedi?  We just moved most of our datacenter to our FWSM, so we really miss seeing the ARP table!

http://forums.cacti.net/about32956.html&highlight=fwsm

Thanks,

Tristan

Please visit "Other"->"Invoices" on your NeDi installation to make an annual contribution and support Nedi!

shadowcaster

  • Guest
Re: Anyone got any Cisco ASA to work with nedi
« Reply #6 on: June 09, 2010, 09:36:22 AM »
I was submitting a patch for nedi to get both ipnettomedia and ipnettophysical tables aeons ago, for nedi 1.0, but it didn't make it to the code.

rickli

  • Administrator
  • Hero Member
Re: Anyone got any Cisco ASA to work with nedi
« Reply #7 on: June 10, 2010, 10:05:50 PM »
Oi, I remember vaguely  :-[ Can you mail it to me? Must have gotten lost indeed...
-Remo

rufer

  • Guest
Re: Anyone got any Cisco ASA to work with nedi
« Reply #8 on: August 24, 2010, 09:40:16 AM »
Here is a FWSM (4.0 up) patch for nedi 1.0 libsnmp.pl

Code:
diff inc/libsnmp.pl.bak inc/libsnmp.pl
1198a1199
>       my $NmifO_fwsm  = "1.3.6.1.2.1.4.35.1.4";
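
Review bot: the name $NmifO_fwsm on the added line ties this OID to one platform, but 1.3.6.1.2.1.4.35.1.4 is the standard IP-MIB ipNetToPhysicalPhysAddress column, which any agent implementing that table can answer. Consider a platform-neutral variable name plus a comment naming the MIB object, so the branch below can later be extended to other devices without a rename.
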
1207c1208,1217
<       $r   = $session->get_table($NmifO);
---
>       if ($main::dev{$_[0]}{os} eq "IOS-fv"){
>               #fwsm arp table
>               $r   = $session->get_table($NmifO_fwsm);
>               #fwsm arp table has ip at index 13-16
>               $ip1=13; $ip2=14; $ip3=15; $ip4=16;
>
>       }else{
>               $r   = $session->get_table($NmifO);
>               $ip1=11; $ip2=12; $ip3=13; $ip4=14;
>       }
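
Review bot: the branch condition compares the OS string with "IOS-fv", while the opening post of this thread defines its ASAs as "IOS-fw"; please confirm which value FWSM devices actually carry, because a mismatch silently falls through to the old table and the new code never runs. Also, $ip1 to $ip4 are assigned in both branches with no "my" in the visible lines, so they need a declaration ahead of the if unless one exists outside this hunk.
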
1217,1218c1227,1228
<                               $misc::arp{$mc} = "$i[11].$i[12].$i[13].$i[14]";
<                               $misc::rarp{"$i[11].$i[12].$i[13].$i[14]"} = $mc;               # will be needed to identify OUI uplinks;
---
>                               $misc::arp{$mc} = "$i[$ip1].$i[$ip2].$i[$ip3].$i[$ip4]";
>                               $misc::rarp{"$i[$ip1].$i[$ip2].$i[$ip3].$i[$ip4]"} = $mc;               # will be needed to identify OUI uplinks;
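
Review bot: both changed lines read $i[$ip1] to $i[$ip4] without checking what kind of row they are looking at. Under 1.3.6.1.2.1.4.35.1.4 the row index is ifIndex, address type, address length, then the address octets, so positions 13-16 hold an IPv4 address only when $i[11] is 1 and $i[12] is 4; an IPv6 row would put its first four octets into $misc::arp and $misc::rarp as a bogus IPv4 address. Suggest skipping rows that fail that check in the FWSM branch.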

Explanation: The ARP table OID for FWSM is 1.3.6.1.2.1.4.35.1.4 and the IP address is at index 13-16

Greetings
Rufer
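
Why the IP address sits at positions 11-14 in one table and 13-16 in the other, shown by decoding the row OIDs of both (added example in Python, not part of the post or of NeDi; that nedi's $NmifO is the standard ipNetToMediaPhysAddress column is an assumption, and the function name is hypothetical):

```python
import ipaddress

# Standard IP-MIB columns. That nedi's $NmifO holds the first one is an
# assumption; the second is the OID given in the patch above.
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"
IP_NET_TO_PHYSICAL_PHYS = "1.3.6.1.2.1.4.35.1.4"


def decode_arp_oid(oid):
    """Return (ifIndex, ip_string) for one row OID of either table, or None
    when the row is not a well-formed IPv4/IPv6 entry."""
    for base in (IP_NET_TO_MEDIA_PHYS, IP_NET_TO_PHYSICAL_PHYS):
        if oid.startswith(base + "."):
            break
    else:
        raise ValueError("OID is under neither ARP column: " + oid)
    i = [int(x) for x in oid.split(".")]
    if base == IP_NET_TO_MEDIA_PHYS:
        # Index = ifIndex + 4 address octets: positions 10 and 11..14.
        if len(i) != 15:
            return None
        return i[10], ".".join(map(str, i[11:15]))
    # Index = ifIndex, address type, address length, then the octets.
    if len(i) < 13:
        return None
    if_index, addr_type, length = i[10], i[11], i[12]
    octets = i[13:]
    if len(octets) != length:
        return None
    if addr_type == 1 and length == 4:       # ipv4: positions 13..16
        return if_index, ".".join(map(str, octets))
    if addr_type == 2 and length == 16:      # ipv6: positions 13..28
        return if_index, str(ipaddress.IPv6Address(bytes(octets)))
    return None                              # zoned or unknown address type
```

Reading positions 13-16 of an IPv6 row as dotted decimal would yield a value that looks like an IPv4 address, which is why the type and length are checked first.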

rickli

  • Administrator
  • Hero Member
Re: Anyone got any Cisco ASA to work with nedi
« Reply #9 on: August 25, 2010, 08:58:36 PM »
Merci, will try to add your suggestion...
-Remo