Hello,
Can someone please explain how NAV deals with Cisco ASA (or general DMZ/firewall appliances) when you have, let's say, 10 virtual interfaces (sub-interfaces, or VLAN interfaces)? Logically these different virtual interfaces are separated from each other (like a general 'GW' or 'GSW' device), and I would imagine that NAV is confused about this. In my scenario, my NAV box is logically located on a Cisco ASA sub-interface (a "DMZ"), but even if I add my default gateway (my VLAN's default GW) to NAV, it doesn't seem to poll ARP info from the Cisco ASA appliance.
As I said earlier, I can imagine that NAV doesn't know how to deal with or parse the output of its ARP table, as it looks something like this:
DMZ_1 192.168.1.130 0011.850f.2e01
DMZ_1 192.168.1.111 000c.29d0.772b
DMZ_1 192.168.1.116 000c.2949.e0dd
DMZ_1 192.168.1.153 000c.29fd.a981
DMZ_1 192.168.1.152 0013.2100.3a5b
DMZ_1 192.168.1.112 000d.9d4b.039f
DMZ_1 192.168.1.151 0015.1748.2291
DMZ_1 192.168.1.115 0015.1748.2025
DMZ_1 192.168.1.110 0015.1748.2639
DMZ_2 192.168.2.18 001a.a04e.6701
DMZ_2 192.168.2.13 0050.56a5.1974
DMZ_2 192.168.2.31 4a62.1283.06f1
DMZ_2 192.168.2.14 0050.56a5.4802
DMZ_2 192.168.2.30 0050.56b2.25a5
DMZ_2 192.168.2.29 0050.56b2.7c29
DMZ_2 192.168.2.200 001a.e3b1.2888
DMZ_2 192.168.2.27 0050.56b2.1531
DMZ_2 192.168.2.26 0050.56b2.5466
DMZ_2 192.168.2.10 0022.55ca.bf60
DMZ_2 192.168.2.11 0015.1720.97d6
DMZ_2 192.168.2.25 001e.c9d2.45ad
DMZ_2 192.168.2.202 0022.919a.541b
DMZ_2 192.168.2.20 0015.1774.6ed8
DMZ_2 192.168.2.16 0015.1715.1f3c
DMZ_2 192.168.2.12 0015.1720.95c5
DMZ_2 192.168.2.17 0015.1715.1f31
DMZ_2 192.168.2.22 0011.435a.f430
DMZ_2 192.168.2.15 0015.171e.6381
DMZ_2 192.168.2.28 0050.56b2.7394
DMZ_2 192.168.2.21 0050.56b2.4c62
By all means, maybe I am mistaken, but can someone please enlighten me on how to deal with these devices in NAV? Do I have to add *every* sub-interface to NAV, or would it be sufficient to add whichever side is pointing towards my management network? As it appears now, NAV doesn't seem to poll ARP tables from this device (most likely because it doesn't know how to parse the table).
I also understand that even if I managed to poll ARP data from this device, I would never be able to see a box's physical (port) location as the MAC-port map table is located on another device (the core and edge switch)
Thanks for any replies, and happy belated Easter!
------------------------------------------------------ Vidar Stokkenes Networking Consultant Networking and telecom Department HN IKT - Tromsø
Tlf: +47 76 16 61 87 / +47 77 66 99 55 Cell: +47 95 87 99 42 e-mail: vidar.stokkenes@hn-ikt.no
Before printing, think about the environment
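The ASA "show arp" output quoted in the post above, parsed into a per-interface table, as an added example that is not NAV's code and not from the poster. It assumes the format the post shows: whitespace-separated triples of interface name (the ASA nameif), IPv4 address and dotted-hex MAC, optionally followed by an age column that some ASA releases print (that column is an assumption, not shown in the post). The input is a constructed subset of the post's entries, and the same parser copes with the entries run together on one line, as the mail archive rendered them, or one per line as a terminal shows them.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: a subset of the "show arp" output quoted in the post,
# run together onto one line the way the mail archive rendered it.
SAMPLE_ARP_FLAT = (
    "DMZ_1 192.168.1.130 0011.850f.2e01 DMZ_1 192.168.1.111 000c.29d0.772b "
    "DMZ_2 192.168.2.18 001a.a04e.6701 DMZ_2 192.168.2.13 0050.56a5.1974"
)

# The same entries one per line, as a terminal shows them, with a trailing
# age-in-seconds column (assumed here; the post's copy has no such column).
SAMPLE_ARP_LINES = """\
DMZ_1 192.168.1.130 0011.850f.2e01 45
DMZ_1 192.168.1.111 000c.29d0.772b 120
DMZ_2 192.168.2.18 001a.a04e.6701 3
"""

# One ARP entry: <nameif> <IPv4> <dotted-hex MAC>. The interface name must
# start with a letter, so a numeric age column is never taken as a name.
ARP_ENTRY = re.compile(
    r"(?P<ifname>[A-Za-z][\w.\-/]*)\s+"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def normalize_mac(mac: str) -> str:
    """Return a MAC in colon form. Accepts Cisco dotted (0011.850f.2e01)
    as well as colon or hyphen form; raises ValueError on anything else."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text: str) -> dict[str, dict[str, str]]:
    """Parse ASA 'show arp' output into {nameif: {ip: mac}}. Keying by
    interface name is what keeps the sub-interfaces (DMZ_1, DMZ_2, ...)
    apart; the ASA prints one flat list across all of them."""
    table: dict[str, dict[str, str]] = defaultdict(dict)
    for m in ARP_ENTRY.finditer(text):
        table[m["ifname"]][m["ip"]] = normalize_mac(m["mac"])
    return dict(table)


def find_host(table: dict[str, dict[str, str]], mac: str) -> list[tuple[str, str]]:
    """Interface(s) and IP(s) a MAC was seen on; [] if the MAC is unknown."""
    wanted = normalize_mac(mac)
    return sorted(
        (ifname, ip)
        for ifname, hosts in table.items()
        for ip, seen in hosts.items()
        if seen == wanted
    )


def entry_counts(table: dict[str, dict[str, str]]) -> dict[str, int]:
    """ARP entries per interface: a quick view of which sub-interfaces
    the firewall actually has live hosts behind."""
    return {ifname: len(hosts) for ifname, hosts in table.items()}


if __name__ == "__main__":
    arp = parse_show_arp(SAMPLE_ARP_FLAT)
    for ifname, hosts in arp.items():
        for ip, mac in hosts.items():
            print(f"{ifname:8} {ip:16} {mac}")
    print(entry_counts(arp))
    print(find_host(arp, "0050.56a5.1974"))
```

What the table gives you is IP, MAC and the firewall interface the host sits behind, nothing more: as the post already notes, mapping that MAC to a physical switch port still has to come from the bridge/forwarding tables of the core and edge switches, not from the ASA.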