ASA: Finding the IP Address on the Other End of a Link

Published on
3,819 Points
Last Modified:
Began in Novell & worked up to NDS architect. Along the way, got NT Server & 2008 certs. Got CCNA Security, & it's been security ever since.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.

Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs. That's one great method that's unavailable to firewall engineers.

So how does one find the remote IP address? The quick answer is a qualified, "You can't."

But there are some great ideas for sleuthing this out, and it mostly has to do with the subnet mask.

For example, on many WAN links, a subnet mask of /30 ( is used. If we look at it closely, that means there are only two possible hosts using that mask.

For example, if I had a subnet of using a mask of, .0 would be the network itself. It follows that .3 would represent the broadcast address. That would leave .1 and .2 as possible hosts on that subnet.

Two possibilities alone! And that's one of the big reasons why these subnets are commonly used on links -- they don't waste precious IP address space, right?

So if you do have a /30 on your link, you already know the IP address of the remote interface -- you know it has to be the only other host address on that subnet. So in our example above, if my ASA's interface had .1, then the other side of that link would have to have .2 in order to communicate.

But what if you don't have a /30? What if it's a /29 (, which is somewhat common depending on the needs in the data center?

In that case, you're going to have to dust off your detective gear. With a /29, there are six possible hosts on that subnet. So in our example above, with the subnet, .0 represents the network itself, and .7 would represent the broadcast address. So we'd be left with .1 through .6 as possible host addresses.

Now, say the ASA has .1 as before. That leaves five other addresses which could be configured on the interface on the other end of the link. How do I figure out which one was used?

What I'll have to do is ping. If I ping every other possible host address in the subnet, I can see if any are active. If they're all active (or more than one is active), I'm sort of done and will have to go ask someone who knows.

But if there's only one other address that replies to a ping, I already know that this must be the address configured on the remote interface.

There are other potential problems with a /29 and beyond. What if, for example, ICMP (for ping) has been turned off on the upstream router? Also, might I be able to take apart a packet and see the MAC address of the most recent hop? If I had that I could then check my ARP tables to see which IP address corresponded to that particular MAC address.

However, moving much beyond a /29 (/28, /27, /26 anybody?), you've got problems. And here's where I say it's just not possible to deduce the remote IP address and you'll have to ask someone who knows.

So all in all, you can do it if you invest a little time in detective work. And as firewall engineers, we do plenty of that already!

Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Join & Write a Comment

As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month