How to find which port in the switch/router connected to the firewall?

Answered Question
Jul 22nd, 2010

Hi all,


Let's say we have a network set up as below.


http://www.cisco.com/image/gif/paws/71871/asa-pix-troubleshooting-1.gif


My questions are:

1. From the router, how do I find which network port is connected to the firewall?

2. How about a switch; is the same command used?

3. Is it possible to find which network port is connected to the firewall from the firewall console?


Thanks

Correct Answer
Jennifer Halim (Cisco Employee) Thu, 07/22/2010 - 02:48

From the diagram, I assume that your ASA interface of 172.22.1.160 is connected to the switch instead of directly connected to the router.

If that is the case:

1) You would need to find the MAC address of the ASA for that particular interface:

-- show interface

From the show interface output on the ASA, check the interface MAC address of the 172.22.1.160 interface.


2) Once you have the MAC address, you can then connect to the switch where the ASA is connected, and issue:

-- show mac-address dynamic | i

This will tell you which switch port the ASA is connected to.


Hope that helps.

Adam David Thu, 07/22/2010 - 03:46

Many thanks to you again, halijenn.


It really helped me on a certain network... but when I check on another router, the command below doesn't show anything. What should I do in this case?

router#show mac-address dynamic | i

router#

Thanks

Jennifer Halim (Cisco Employee) Thu, 07/22/2010 - 03:49

That command can only be checked on a switch, as a switch would have the MAC address table information.

On the router, normally you would need to run "show arp", and it will tell you which IP address has that particular MAC address. However, that is not what you are trying to check for.


Do you know which switch the firewall is connected to? It should be the same switch the router is connected to, and from the switch you would be able to get which port the firewall is connected to.

Adam David Thu, 07/22/2010 - 07:10

Thanks, halijenn, for your reply.


Yes, I know the switch, but the design is a little bit different from the diagram above. The firewall is connected directly to the router. There is no switch between the firewall and the router.


http://imgsrc.com/imgbank/basicnetwo.png


I did show arp on the router and found ARP information only on the router interface facing the primary firewall. When I checked the router interface facing the failover firewall, I was surprised, as there was no IP address assigned to the router interface and the interface is shut down.


Has anyone ever seen the same configuration?


Thanks

Jennifer Halim (Cisco Employee) Thu, 07/22/2010 - 07:21

Yup, that is the correct behaviour if you are directly connecting the router to the ASA with just a cable instead of going through the switch. You will only find the ARP entry for the primary ASA or whatever ASA is connected directly to the router. You won't be able to find the secondary ASA because it's not through a switch, as there is no connection between the router to the secondary ASA.


For ASA in failover mode, you would need to connect the ASA interfaces to a switch, and the router to the same switch for failover to work.


The ASA failover interfaces are probably directly connected to each other as well. They shouldn't go through or be connected to a router. They would normally be connected directly to each other, or through a switch.


A router is L3, and if you'd like to connect multiple hosts within the same subnet, you would need to connect them to a switch, whether an L2 switch or an L3 switch separated with VLANs.

Adam David Sat, 07/24/2010 - 04:22

Thanks again for your advice.


I think we haven't discussed question number 3 yet, right? I've modified it a little bit. Please let me know if my question is not clear.

3. Is it possible to find which network devices and which specific ports are connected to the firewall from the firewall itself?

Probably this is the answer. Please let me know if you have another method to do this. On a router/switch, we can do show cdp neighbors to see which device is connected to them. How about a firewall, as there is no such command on the firewall?


I believe we can find which devices are connected to the firewall. Just issue the show arp command on the firewall and let's say we get this output:

Cisco-FW# show arp
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias

This input was taken from here...

http://www.ciscorouters.biz/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1302628


From here, we know that there are 3 IP addresses connected to the outside interface of the firewall. Let's say we don't know what kind of devices these are.

We can either telnet or SSH to them directly to see if we can access them. From there, do

- show ip arp

- show mac-address table <mac address>

and we'll get the answer.


Please advise whether this is the correct way to find which network devices are connected to the firewall and which network port they are coming from.


Thanks
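The two procedures in this thread (Jennifer's: take the ASA interface MAC from show interface and look it up in the switch MAC table; Adam's question 3: take the neighbours from the ASA's show arp and look their MACs up the same way) are both a MAC-to-port correlation. The script below is an added example, not part of the thread or of any Cisco tool, that performs that correlation offline over captured CLI output. The show interface and MAC-table samples are constructed for illustration (the MACs and port names are invented); the show arp lines are the three quoted above from the ASA 7.2 command reference. It also covers the case Adam hit: a device whose MAC is not in the table (a router answering the command, or a host behind another switch) simply comes back as None instead of a port.

```python
import re

# Constructed sample of ASA "show interface" output (format only; MACs/IPs invented)
ASA_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0013.c480.7a1c, MTU 1500
        IP address 172.22.1.160, subnet mask 255.255.255.0
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0013.c480.7a1d, MTU 1500
        IP address 10.1.1.1, subnet mask 255.255.255.0
"""

# ASA "show arp" lines exactly as quoted in the thread (ASA 7.2 command reference)
ASA_SHOW_ARP = """\
        outside 10.86.194.61 0011.2094.1d2b 2
        outside 10.86.194.1 001a.300c.8000 -
        outside 10.86.195.2 00d0.02a8.440a alias
"""

# Constructed sample of Catalyst "show mac address-table dynamic" output;
# only two of the three ARP neighbours above appear, and only the ASA's outside MAC.
SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0013.c480.7a1c    DYNAMIC     Gi1/0/24
  10    0011.2094.1d2b    DYNAMIC     Gi1/0/3
  10    001a.300c.8000    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 3
"""

# Cisco dotted (0011.2094.1d2b), colon or dash notation
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits so tables from
    different platforms can be compared."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_asa_interfaces(text):
    """Map ASA nameif (e.g. "outside") -> normalized MAC from 'show interface' output."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r'Interface \S+ "([^"]+)"', line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"MAC address ([0-9a-f.]+)", line, re.I)
        if m and current:
            result[current] = normalize_mac(m.group(1))
    return result


def parse_asa_arp(text):
    """Parse ASA 'show arp' lines (interface ip mac age) -> list of (interface, ip, mac)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and MAC_RE.fullmatch(parts[2]):
            entries.append((parts[0], parts[1], normalize_mac(parts[2])))
    return entries


def parse_switch_mac_table(text):
    """Map normalized MAC -> (vlan, port) from 'show mac address-table' output.
    Header, separator and footer lines are skipped; a router's empty reply yields {}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and MAC_RE.fullmatch(parts[1]):
            table[normalize_mac(parts[1])] = (parts[0], parts[3])
    return table


def locate_asa_interfaces(asa_interfaces, mac_table):
    """Jennifer's method: for each ASA interface, the switch port that learned its MAC,
    or None if the MAC is not in this table (aged out, other switch, or not a switch)."""
    return {name: mac_table.get(mac) for name, mac in asa_interfaces.items()}


def locate_arp_neighbors(arp_entries, mac_table):
    """Adam's question 3: for each IP in the ASA's ARP table, the switch port behind it."""
    return {ip: mac_table.get(mac) for _iface, ip, mac in arp_entries}


if __name__ == "__main__":
    table = parse_switch_mac_table(SWITCH_MAC_TABLE)
    print("ASA interfaces:", locate_asa_interfaces(parse_asa_interfaces(ASA_SHOW_INTERFACE), table))
    print("ARP neighbours:", locate_arp_neighbors(parse_asa_arp(ASA_SHOW_ARP), table))
```

In practice you would paste the real command output into the three strings (or read it from files saved from the sessions). Normalizing the MAC first matters because the ASA, a Catalyst switch and a Linux host all print MACs differently; comparing raw strings is a common reason a lookup "finds nothing" even though the entry is there.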
