Netbrain
07-22-2009, 03:43 PM
Baldy2K
ASA Routing

While working on a path that crosses an ASA, Netbrain seems to struggle with pulling the route tables, or successfully interpreting the responses.

As an example, I have an ASA that has an interface with an address of x.x.2.1. I'm attempting to generate the path to x.Y.2.1, which happens to be at another site at the other end of the network. Using SNMP discovery I get:

Discovering the path from x.x.2.1 to x.Y.2.1.

Current Device is ASA5550-1.
Retrieving matched route entry of x.Y.2.1 by SNMP.
Retrieving matched route entry of x.Y.2.0 by SNMP.
Retrieving matched route entry of x.Y.0.0 by SNMP.
.
. Omitted, what I see is a progressive decrease in prefix
. length back to the default route
.
.
Finish discovering the path.
Failed to find the path via SNMP discovery.The reason is:
No route entry to x.Y.2.1 in the route table of device x.x.53.1

So I can visually inspect and see that there was a route entry matched (assuming I've interpreted the output correctly) but the tool reports failure.

The route that exists is a /16 route for x.Y.0.0; this is observable from the ASA sh route command as well...

I'm sure I've missed something, but I have not found anything in the Docs to point me in the right direction.

Thoughts?
07-23-2009, 06:21 AM
David.C
Re: ASA Routing

Hi, Baldy2K:

With regard to the issue you asked about above, I am sorry to tell you that we do not support finding a path through a Cisco ASA; we are considering supporting this feature in a future release.

Thanks.

Last edited by David.C; 07-23-2009 at 06:26 AM.
07-23-2009, 03:24 PM
Baldy2K
Ouch...

OK, are there any workarounds? Is there a way to treat the ASA object differently, say as a cloud object? Or is there a way to update the object with manually identified routes (our routing on the ASA involves static routing only)?

As to considering support, this is a very important aspect of our network design. Being able to leverage Netbrain to understand, document, and troubleshoot paths crossing ASAs (or most common firewalls, for that matter) is a critical piece of the puzzle for my organization.

You really must move into the full support for the ASA...
07-24-2009, 04:58 AM
David.C
Path across ASA




There's a way to get around this problem that you can try: add a static route to the ASA manually and then find the path through Simulation.
Here are the steps for you to follow:

1. Add a static route of the destination segment into the ASA configuration (right-click the ASA and select Device Configuration -> Show Baseline Configuration to open up the device configuration window).

Note: You needn't make any change if the routes already exist.

2. Press F3 to pop up the Simulation window, click the Run button to generate the simulation route table into the DataFolder you selected.

3. At the Traffic Path Analysis panel, type the names or IPs of the source and destination of the path. Next, click the drop-down button near the Find Path button, and then select Simulation. Finally, select the DataFolder which stores the simulated route tables.

4. Click the Find Path button to draw the path on a map.

Also, thanks for your suggestions; we will take these into consideration.
Attached Files
File Type: qmap Path accross ASA.qmap (44.0 KB, 6 views)
09-01-2009, 05:08 PM
Baldy2K
Re: ASA Routing

OK, it took me a while to get back to this. So I went through the steps described. Unfortunately, the simulator is struggling with a VRRP configuration. The route in the ASA points to the virtual IP of the VRRP peers. Here is the config snippet from the router for that interface:

interface vlan 50
 description public2core
 ip address 172.17.5.5 255.255.255.0
 standby 50 ip 172.17.5.4
 standby 50 priority 120
 standby 50 preempt

You can see that the 172.17.5.4 address exists and is the proper next hop.

Yet the discovery output fails to pick up the nature of this config;

Discovering the path from 172.19.2.17 to 172.21.2.17.

Current Device is ASA5550-1.
Loading the route table of ASA5550-1.
Loaded the route table.
Get matched route entry for the destination.
Add the route hop, the next hop ip is 172.17.5.4.
Finish discovering the path.
Failed to find the path via simulation.The reason is:
No router has IP address 172.17.5.4


Thoughts?
09-03-2009, 04:19 AM
David.C
Re: ASA Routing

Hi:

We are sorry to tell you that VRRP is not supported in Simulation yet. To get around this, you can try to draw the path manually:
1. Select the Define Path Bezier tool from Q-map Draw Tools at the top right of the toolbar; the cursor will then become a pencil.
2. Hold the left mouse button and involve the devices of the path.
3. You can add, modify, or delete the hops of the path at the Edit Path window; click the OK button to finish.
Hope this helps.

Last edited by David.C; 09-17-2009 at 06:04 AM.
09-14-2009, 05:45 PM
Baldy2K
Re: ASA Routing

LOL, you're killing me!

Well, OK... but this really needs to be on the road map... This technology is in wide use; if I'm to use the tool to simulate paths, then the tool needs to parse the VRRP, HSRP, or other redundancy configurations and make a reasoned "simulated" estimate of what interface would be active...
09-20-2009, 11:35 PM
David.C
Re: ASA Routing

OK, thanks for your suggestion, and we'll add support for HSRP/VRRP to the roadmap.
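
An added example, not part of the original thread and not NetBrain's code: the next-hop resolution the thread asks for, parsing the `standby` lines (HSRP syntax on Cisco IOS) of the posted snippet so that the virtual IP 172.17.5.4 maps to a device instead of ending in "No router has IP address 172.17.5.4". The second router, both hostnames and the function names are assumptions.

```python
import ipaddress
import re

# Constructed input: core-rtr-1 carries the snippet posted in the thread;
# core-rtr-2 and both hostnames are hypothetical.
CONFIGS = {
    "core-rtr-1": """interface vlan 50
 description public2core
 ip address 172.17.5.5 255.255.255.0
 standby 50 ip 172.17.5.4
 standby 50 priority 120
 standby 50 preempt
""",
    "core-rtr-2": """interface vlan 50
 ip address 172.17.5.6 255.255.255.0
 standby 50 ip 172.17.5.4
""",
}

def parse_interfaces(config):
    """Parse IOS-style config into [{name, ip, hsrp}]; HSRP priority defaults to 100."""
    interfaces = []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            interfaces.append({"name": line[10:], "ip": None, "hsrp": {}})
        elif interfaces and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            interfaces[-1]["ip"] = ipaddress.ip_address(m.group(1))
        elif interfaces and (m := re.fullmatch(r"standby (\d+) (ip|priority) (\S+)", line)):
            grp = interfaces[-1]["hsrp"].setdefault(int(m.group(1)), {"priority": 100})
            key, val = m.group(2), m.group(3)
            grp[key] = int(val) if key == "priority" else ipaddress.ip_address(val)
    return interfaces

def resolve_next_hop(next_hop, configs):
    """Map a next-hop IP to (device, interface, how); None if no device owns it."""
    hop = ipaddress.ip_address(next_hop)
    candidates = []
    for device, config in configs.items():
        for intf in parse_interfaces(config):
            if intf["ip"] == hop:
                return device, intf["name"], "interface address"
            for grp in intf["hsrp"].values():
                if grp.get("ip") == hop and intf["ip"] is not None:
                    candidates.append((grp["priority"], intf["ip"], device, intf["name"]))
    if not candidates:
        return None
    # Estimate: highest priority, then highest interface IP; live state may differ.
    _, _, device, name = max(candidates)
    return device, name, "estimated HSRP active"
```

The result for a virtual IP is an estimate from configuration alone; a path tool documenting firewall traversal should label it as such rather than as observed state.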