asa port ip's

On an ASA firewall I have a few cables plugged into ports. No IP addresses are assigned to ports (show interfaces details verifies that). But, a show run verifies that interface vlans have been created with ip addresses assigned.

1. Why would the ip not be assigned statically to the port but be assigned via int vlan?

2. How can I tell which are the port numbers that are assigned these IPs? I know for sure for example say port 0/5 has one of the IPs, but when I do a show interfaces details or any other command that I can think of (show run, show vlan) it doesn't show me the port has an IP.

Thanks.

Accepted Solution

Hi,

The IP address of any Vlan interface is not located at any of the physical interfaces themselves.

Also, by default every interface on the ASA5505 belongs to Vlan 1, as is the case with the Cisco L2/L3 switches. As this is a default setting it doesn't show up in the configuration, while "switchport access vlan 2", which is a non-default setting, will show up, or any other Vlan that might be used in that command.

I am not sure what devices you have connected to the ASA. Do you perhaps have an internal router? If you only have hosts directly connected to the ASA then this means that my earlier mentioned way will tell you remotely which host is behind which port of the ASA based on its IP/MAC address and checking the ARP/MAC table of the ASA.

Naturally if you have a router behind the ASA then you can just find the router's IP address in the ASA's ARP table, then find the MAC address mentioned in the ARP entry in the MAC address table, and this will tell you the physical port behind which the device is located.

- Jouni


4 Replies

Jouni Forss
VIP Alumni

Hi,

I assume that you are talking about ASA5505 model.

The ASA5505 is different from all the other ASA models in that it's actually more like a L3 switch. It means that its ports are L2 switch ports and the L3 ports are the Vlan interfaces (though naturally in the L3 switches you would have the option to configure a port as a routed/router port rather than a switchport, but this does not apply to the ASA).

This is why all the IP addresses are assigned to the Vlan interfaces and not the physical ports themselves. Other ASAs have the IP addresses configured either on the physical ports or subinterfaces of the physical port if you are using Trunk interfaces. There are also some other logical interfaces that might hold IP addresses in other models.

So the physical ports don't have IP addresses configured on them at any point on the ASA5505 model.

If you on the other hand want to determine behind which physical interface a particular host is (if you have them directly connected to the ASA switch module) based on its IP address, then you can use the ARP and MAC tables to help with this.

You can issue this command to view the ARP table:

show arp

You will then see IP/MAC address pairs.

If you want to know behind which physical port a certain host with a certain IP address is located, then you would do this:

  • Issue the "show arp" command and check the MAC address of the IP address in question
  • Issue the "show switch mac-address-table | inc aaaa.bbbb.cccc" command (where you enter the actual MAC address naturally), which will show you the port behind which the host is located. Naturally you can just use the actual command "show switch mac-address-table" and have a look at the whole MAC address table.

Hope this helps

- Jouni
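The two-step lookup Jouni describes (IP to MAC via "show arp", then MAC to switch port via "show switch mac-address-table"), as an added example that is not part of the original thread: a small Python script that parses constructed sample output of both commands and resolves a host IP to the ASA 5505 port it sits behind. The sample output is made up for this example and only loosely modelled on the real command layout; the parser keys on the MAC and port tokens rather than exact column positions.

```python
import re
from typing import Dict, Optional

# Constructed sample output, loosely modelled on ASA 5505 "show arp".
SHOW_ARP = """\
        inside 192.168.1.10 0011.2233.4455 120
        inside 192.168.1.20 0011.2233.6677 45
        outside 203.0.113.2 aabb.ccdd.eeff 3
"""

# Constructed sample output, loosely modelled on "show switch mac-address-table".
SHOW_MAC_TABLE = """\
Legend: Age - entry age in seconds
Vlan  MAC Address        Type        Age  Port   Type
-------------------------------------------------------
  1   0011.2233.4455     dynamic     120  Et0/5  FWD
  1   0011.2233.6677     dynamic     45   Et0/3  FWD
  2   aabb.ccdd.eeff     dynamic     3    Et0/0  FWD
"""

MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"\b(?:Et|Ethernet)\d+/\d+\b")


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC from 'show arp' lines; lines lacking either are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group()] = mac.group().lower()
    return table


def parse_mac_table(text: str) -> Dict[str, str]:
    """Map MAC -> switch port from 'show switch mac-address-table' lines."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        mac, port = MAC_RE.search(line), PORT_RE.search(line)
        if mac and port:
            table[mac.group().lower()] = port.group()
    return table


def port_for_ip(ip: str, arp_text: str, mac_text: str) -> Optional[str]:
    """IP -> MAC via ARP, then MAC -> port; None if either lookup misses."""
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        return None  # host never talked to the ASA (or sits behind a router)
    return parse_mac_table(mac_text).get(mac)  # None if the entry aged out


if __name__ == "__main__":
    for ip in ("192.168.1.10", "203.0.113.2", "10.9.9.9"):
        print(ip, "->", port_for_ip(ip, SHOW_ARP, SHOW_MAC_TABLE))
```

A None result is the case Jouni notes for a router behind the ASA: only the router's own IP appears in the ARP table, so hosts beyond it resolve to the router's port at best.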

Thanks for the explanation.

I noticed that if I do a show run, there are two interface vlans (vlan1 and vlan2). Vlan1 is assigned inside with an internal private IP, but I still can't tell which physical port has that IP, which port is using it. Vlan2 is assigned outside with a public IP, and on the show run one of the interfaces has vlan2 assigned to it. Strange, because vlan1 is definitely up but I don't see any interface assigned to it and the inside network is up. I still can't figure out how to verify what port the inside cable is connected to.

Thanks for the explanation.
