ASA: Finding the IP Address on the Other End of a Link

ArchiTech89, IT Security Engineer
Began in Novell & worked up to NDS architect. Along the way, got NT Server & 2008 certs. Got CCNA Security, & it's been security ever since.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty.

Think about it. You can't use Cisco Discovery Protocol (CDP), because the ASA doesn't implement it. That's one great neighbor-discovery method that's simply unavailable to firewall engineers.

So how does one find the remote IP address? The quick answer is a qualified, "You can't."

But there are some great ideas for sleuthing this out, and it mostly has to do with the subnet mask.

For example, on many WAN links a subnet mask of /30 (255.255.255.252) is used. Look at it closely and you'll see that such a subnet has only two usable host addresses.

Take the subnet 192.168.0.0 with a mask of 255.255.255.252: .0 is the network address itself, and .3 is the broadcast address. That leaves .1 and .2 as the only possible hosts on that subnet.

Two possibilities alone! And that's one of the big reasons why these subnets are commonly used on links -- they don't waste precious IP address space, right?

So if you do have a /30 on your link, you already know the IP address of the remote interface -- you know it has to be the only other host address on that subnet. So in our example above, if my ASA's interface had .1, then the other side of that link would have to have .2 in order to communicate.

But what if you don't have a /30? What if it's a /29 (255.255.255.248), which is somewhat common depending on the needs in the data center?

In that case, you're going to have to dust off your detective gear. With a /29, there are six possible hosts on that subnet. So in our example above, with the subnet 192.168.0.0/29, .0 represents the network itself, and .7 would represent the broadcast address. So we'd be left with .1 through .6 as possible host addresses.

Now, say the ASA has .1 as before. That leaves five other addresses which could be configured on the interface on the other end of the link. How do I figure out which one was used?

What I'll have to do is ping. If I ping every other possible host address in the subnet, I can see which ones are active. If more than one replies, the sweep is inconclusive and I'll have to go ask someone who knows. (A common reason for multiple replies is a redundant upstream pair: with a first-hop redundancy protocol such as HSRP or VRRP, each physical router answers on its own address and the pair shares a virtual address, and it's the virtual address you want as your next hop.)

But if there's only one other address that replies to a ping, I already know that this must be the address configured on the remote interface.

There are other potential problems with a /29 and beyond. What if, for example, the upstream router has been configured not to answer ICMP echo? Then "no reply" is not proof that an address is unused. A second angle is Layer 2: the ASA keeps its own ARP cache, and `show arp` lists the IP-to-MAC mappings it has learned on each interface. Any device that has exchanged frames with the ASA on that link (in particular the next hop, once any traffic has crossed it) already appears there, so there's no need to take a packet apart by hand to find the MAC address of the most recent hop.

However, moving much beyond a /29 (/28, /27, /26 anybody?), you've got problems. And here's where I say it's just not possible to deduce the remote IP address and you'll have to ask someone who knows.
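The rules above (a /30 fixes the peer outright; for anything larger, sweep the remaining host addresses and accept the answer only if exactly one replies) are mechanical enough to script. The block below is an added example, not part of the original article; it generalizes the procedure to any prefix length, uses Python's standard `ipaddress` module to enumerate candidates, and separates the decision logic from the actual ping so the decision can be exercised offline with a constructed reply list. The optional `ping_sweep` helper assumes a Linux `ping` binary with `-c`/`-W` flags.

```python
import subprocess
from typing import Iterable, List, Optional, Tuple

import ipaddress


def candidate_peers(local: str) -> List[str]:
    """Return every usable host address on the link subnet other than our own.

    `local` is the ASA interface address in CIDR form, e.g. '192.168.0.1/29'.
    The network and broadcast addresses are excluded by ipaddress.hosts().
    """
    iface = ipaddress.ip_interface(local)
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def infer_peer(local: str, responders: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Apply the article's decision rules to a list of addresses that replied.

    Returns (status, address):
      'deduced'   - the only candidate (/30), or the only candidate that replied
      'ambiguous' - more than one candidate replied; go ask someone who knows
      'none'      - nothing replied; ICMP may be filtered upstream
    """
    cands = candidate_peers(local)
    if len(cands) == 1:            # /30 case: no sweep needed at all
        return "deduced", cands[0]
    alive = [c for c in cands if c in set(responders)]
    if len(alive) == 1:
        return "deduced", alive[0]
    if not alive:
        return "none", None
    return "ambiguous", None


def ping_sweep(local: str, timeout_s: int = 1) -> List[str]:
    """Ping every candidate once and return those that answered.

    Assumes a Linux-style ping (-c count, -W timeout in seconds); not run by
    the offline checks below, and not a substitute for asking when ambiguous.
    """
    alive = []
    for addr in candidate_peers(local):
        rc = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), addr],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        ).returncode
        if rc == 0:
            alive.append(addr)
    return alive


if __name__ == "__main__":
    # Constructed reply sets standing in for a real sweep of 192.168.0.0/29.
    print(infer_peer("192.168.0.1/30", []))                      # ('deduced', '192.168.0.2')
    print(infer_peer("192.168.0.1/29", ["192.168.0.6"]))         # ('deduced', '192.168.0.6')
    print(infer_peer("192.168.0.1/29", ["192.168.0.2", "192.168.0.5"]))  # ('ambiguous', None)
```

On a real link you would call `infer_peer(local, ping_sweep(local))`; the split keeps the "go ask someone" outcomes (`ambiguous`, `none`) explicit instead of silently picking the first address that happened to answer.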

So all in all, you can do it if you invest a little time in detective work. And as firewall engineers, we do plenty of that already!