I am in the process of having a vendor convert iptables configurations into ASA FirePower configurations, and I am testing using a couple of methods. I have taken the iptables logs (which are primarily DROPs), extracted IP addresses/ports, and fed these into Python/Scapy code and sent them to the firewall. I have also taken the same extracted IP addresses/ports, turned them into "packet-tracer" command-line entries, and sent them to the ASA over an SSH connection. I have a limited lab environment: I am running the ASA config on ESXi and using 2 Ubuntu 18.04 instances to send traffic and CLI requests to the ASA.
For the "packet-tracer" command-line testing, I am getting a LOT of "Drop-reason: (no adjacency) No valid adjacency". When I create an adjacency (by adding an IP address on the Ubuntu instance), I can fix the adjacency issue, but this seems cumbersome, and there are far more IP addresses that I need to test than is practical to configure on the Ubuntu box.
This would be a scary piece of code... but is there an app, or can an app be configured (like netcat or some such), that would respond to ARP requests for any IP address? Or are there other reasons the ASA would throw the adjacency error?
I am brand new to the ASA... and most of my research on adjacency errors refers to NATing out the wrong interface, and I am not NATing these addresses.
Thanks in advance for the help
SteveJ
ASKER
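The post describes turning iptables DROP log entries into `packet-tracer` commands but does not include the extraction code. The following is an added example of that step, not the asker's own script: it parses netfilter's `KEY=VALUE` log format, maps the Linux ingress interface (`IN=`) to an ASA interface name, emits the `packet-tracer input <ifc> {tcp|udp|icmp|rawip} ...` form the ASA CLI accepts, and optionally collapses ephemeral source ports so the same policy test is not sent to the ASA hundreds of times. The sample log lines, the `DROP:` log prefix and the `eth0 -> outside` / `eth1 -> dmz` interface mapping are constructed assumptions for this example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample iptables LOG output (netfilter's KEY=VALUE format); not taken
# from the lab described in the post. "DROP:" / "ACCEPT:" is the --log-prefix the
# example assumes was configured on the logging rules.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw1 kernel: DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:02 fw1 kernel: DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44124 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:05 fw1 kernel: DROP: IN=eth1 OUT= MAC=52:54:00:65:43:21:52:54:00:fe:dc:ba:08:00 SRC=198.51.100.7 DST=192.0.2.53 LEN=73 TOS=0x00 PREC=0x00 TTL=63 ID=31337 PROTO=UDP SPT=51000 DPT=53 LEN=53
Mar  3 09:12:09 fw1 kernel: DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 09:12:11 fw1 kernel: ACCEPT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44125 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Assumed mapping from the Linux ingress interface in the log to the ASA nameif the
# same traffic would enter on. packet-tracer needs the ASA-side name, not eth0.
IFACE_MAP: Dict[str, str] = {"eth0": "outside", "eth1": "dmz"}

# netfilter writes every field as UPPERCASE=value separated by spaces; OUT= may be empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of one iptables LOG line, or None if it is not one.

    Duplicate keys (e.g. the IP ID= and the ICMP ID=) keep the last value; neither
    is needed for packet-tracer.
    """
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields or "PROTO" not in fields:
        return None
    return fields


def to_packet_tracer(fields: Dict[str, str], iface_map: Dict[str, str],
                     fixed_sport: Optional[int] = None) -> Optional[str]:
    """Build one ASA packet-tracer command from parsed log fields.

    fixed_sport replaces the logged ephemeral source port so that many flows to the
    same destination collapse into a single test of the same ACL decision.
    Returns None when the ingress interface is unmapped or the protocol is unusable.
    """
    ingress = iface_map.get(fields.get("IN", ""))
    if ingress is None:
        return None
    proto = fields["PROTO"].lower()
    src, dst = fields["SRC"], fields["DST"]
    if proto in ("tcp", "udp"):
        sport, dport = fields.get("SPT"), fields.get("DPT")
        if sport is None or dport is None:  # e.g. a non-first fragment
            return None
        if fixed_sport is not None:
            sport = str(fixed_sport)
        return f"packet-tracer input {ingress} {proto} {src} {sport} {dst} {dport}"
    if proto == "icmp":
        icmp_type, icmp_code = fields.get("TYPE"), fields.get("CODE")
        if icmp_type is None or icmp_code is None:
            return None
        return f"packet-tracer input {ingress} icmp {src} {icmp_type} {icmp_code} {dst}"
    if proto.isdigit():
        # Other IP protocols are logged by number; packet-tracer's rawip form takes
        # the protocol number instead of ports.
        return f"packet-tracer input {ingress} rawip {src} {proto} {dst}"
    return None


def build_commands(log_lines: Iterable[str], iface_map: Dict[str, str],
                   prefix: str = "DROP", fixed_sport: Optional[int] = None) -> List[str]:
    """Convert logged verdicts matching `prefix` into unique commands, first-seen order."""
    seen = set()
    commands: List[str] = []
    for line in log_lines:
        if prefix and prefix not in line:
            continue
        fields = parse_iptables_line(line)
        if fields is None:
            continue
        cmd = to_packet_tracer(fields, iface_map, fixed_sport)
        if cmd is not None and cmd not in seen:
            seen.add(cmd)
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    # Print the collapsed command list; pipe this into your SSH session to the ASA.
    for cmd in build_commands(SAMPLE_LOG.splitlines(), IFACE_MAP, fixed_sport=1025):
        print(cmd)
```

Run it against a real log with `build_commands(open("iptables.log"), IFACE_MAP)`; the output is plain CLI text that can be pasted or piped into the existing SSH session. Whether the ASA then reports a policy drop or the adjacency drop described in the post is a property of the ASA's state for the destination, not of how the command was generated.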