
Locating Firewall in a large network

azev

Golden Member
I am curious if anyone here knows of an easy way to identify a Cisco firewall within a network without having any diagram or any information about the network.

I use CDP to identify most of the network devices connected to a switch, router, etc., but unfortunately no CDP/LLDP can be enabled on an ASA.

Other than using the firewall MAC address and then hunting for where that MAC resides, is there a better way to do this?
 
On those you have to search via MAC address. If you have CiscoWorks or Cisco Prime you can execute a network-wide search for it also. Make sure to search inside the proper VLAN also, since a MAC is not routable.
 
I'd probably use NMAP. With that you can at least identify it as a Cisco device. Most everything else Cisco supports CDP so you can use process of elimination to figure out which is the ASA.

Also, once you narrow it down you can just enter the ip address into a browser using https. If the firewall admin didn't turn it off, you should see a landing page asking you to download ASDM. If you see that you are hitting an ASA.
 
> Most everything else Cisco supports CDP

ASA's don't.

I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.

Tracert to the internet and see where the packets go from a private to public IP and there you are.
 
You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
imagoon - Cisco ASAs aren't always used simply as an edge NAT device.

You're also assuming it's not silently dropping your packets and it's transparent...

You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...
 
> You're assuming the ASA is running in L3 routed mode and not L2, or "bump in the wire" mode...
> imagoon - Cisco ASAs aren't always used simply as an edge NAT device.
>
> You're also assuming it's not silently dropping your packets and it's transparent...
>
> You know the MAC address? Do you also know the IP? Tracing hop by hop looking for a MAC address using 'sh arp' and 'sh mac-ad' can be tedious, but it works! I've jumped through 10 switches to finally find which port my desired device was on...

I also assume that IT would know the management IP address.

No one runs them as pure L2 because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is that into that level of pain.

Granted the OP has an entirely undocumented network so.....
 
> ASA's don't.
>
> I took this as "find which closet the ASA is stashed in." Finding it on the network (IP-wise) is child's play.
>
> Tracert to the internet and see where the packets go from a private to public IP and there you are.

Which is why I said most everything else, i.e. use CDP to identify the rest. What you have left over narrows your pool of possible devices. Use NMAP to figure out which are Cisco devices. Try to hit a web-based interface and see if you get lucky.
 
> I also assume that IT would know the management IP address.
>
> No one runs them as pure L2 because they at least need to log in to maintain it periodically. Then again, if you were dedicated to running console only I guess you could, but I am going to assume here for the moment that no one there is that into that level of pain.
>
> Granted the OP has an entirely undocumented network so.....

Depending on the size of the environment, they may have a management network completely out of band from the firewall's data traffic network.
 
Thanks for the input guys, so far what I've been doing is exactly what you guys posted: find the MAC address and then search for it in the switch where I think it is plugged into. I wish there were a better and quicker way to do this, but it looks like there isn't any.
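The hop-by-hop hunt described earlier (follow the MAC through 'sh mac-ad', and keep hopping while the port has a CDP neighbor) and repeated by the OP in the post above, as an added Python example that is not from anyone in this thread. It parses constructed, offline copies of `show mac address-table` and `show cdp neighbors` output (switch names, MAC and ports are all made up); a port that carries the MAC but has no CDP neighbor is where the non-CDP device such as the ASA sits.

```python
import re

# Constructed sample CLI output (assumed, not from the thread): the firewall MAC is
# learned on a sw-core trunk, then on an sw-access1 edge port that has no CDP neighbor.
SWITCHES = {
    "sw-core": {
        "mac": "Vlan Mac Address Type Ports\n  10  0011.2233.4455  DYNAMIC  Gi1/0/48\n",
        "cdp": ("Device ID   Local Intrfce  Holdtme  Capability  Platform  Port ID\n"
                "sw-access1  Gig 1/0/48     152      S I         WS-C2960  Gig 0/1\n"
                "rtr-edge    Gig 1/0/1      171      R S I       ISR4331   Gig 0/0/0\n"),
    },
    "sw-access1": {
        "mac": "Vlan Mac Address Type Ports\n  10  0011.2233.4455  DYNAMIC  Gi0/12\n",
        "cdp": ("Device ID   Local Intrfce  Holdtme  Capability  Platform  Port ID\n"
                "sw-core     Gig 0/1        141      S I         WS-C3850  Gig 1/0/48\n"),
    },
}

def norm_port(name):
    """'Gig 1/0/48', 'Gi1/0/48' and 'GigabitEthernet1/0/48' all become 'gi1/0/48'."""
    m = re.match(r"([a-z]+)\s*(\d.*)", name.strip().lower())
    return m.group(1)[:2] + m.group(2) if m else name.lower()

def find_port(mac_table, mac):
    """(vlan, port) on which `mac` is learned, or None if this switch has not seen it."""
    for line in mac_table.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].lower() == mac.lower():
            return f[0], norm_port(f[3])
    return None

def cdp_neighbor(cdp_out, port):
    """Device ID of the CDP neighbor on `port`; None means no CDP speaker (e.g. an ASA)."""
    for line in cdp_out.splitlines():
        m = re.match(r"(\S+)\s+([A-Za-z]+ ?[\d/]+)\s", line)
        if m and norm_port(m.group(2)) == port:
            return m.group(1)
    return None

def trace_mac(switches, start, mac, max_hops=10):
    """Hop switch to switch along the MAC until a port with no CDP neighbor: the edge port."""
    path, sw = [], start
    while sw in switches and len(path) < max_hops:
        hit = find_port(switches[sw]["mac"], mac)
        if hit is None:  # MAC not learned on this switch: the trail is lost
            break
        path.append((sw, hit[0], hit[1]))
        nxt = cdp_neighbor(switches[sw]["cdp"], hit[1])
        if nxt is None:  # no CDP neighbor on that port: the device hangs off it
            return path, (sw, hit[1])
        sw = nxt
    return path, None
```

With live gear the two strings per switch would come from an SSH session instead of the dictionary; the parsing and the hop logic stay the same.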