Steve Jennings

asked on

Testing an iptables to Cisco ASA conversion -- overcoming "no adjacency" errors

I am in the process of having a vendor convert iptables configurations into ASA FirePower configurations. And I am testing using a couple of methods. I have taken the iptables log (which are primarily DROPs) and extracted IP addrs/ports and fed these into python / scapy code and sent them to the firewall. I have also taken the same extracted IP addrs/ports and turned them into "packet-tracer" command line entries and sent them to the ASA over an SSH connection. I have a limited lab environment, and I am running the ASA config on ESXi and using 2 Ubuntu 18.04 instances to send traffic and CLI requests to the ASA.

For the "packet-tracer" command line stuff, I am getting a LOT of "Drop-reason: (no adjacency) No valid adjacency". And when I create an adjacency (by adding an IP address on the ubuntu instance) I can fix the adjacency issue. But this seems cumbersome and there are far more IP addresses that I need to test than is practical to configure on the ubuntu box.

This would be a scary piece of code . . . but is there an app or can an app be configured (like netcat or some such) that would respond to arp requests for any IP address? Or are there other reasons the ASA would throw the adjacency error?

I am brand new to the ASA . . . and most of my research on adjacency errors refers to NAT'ing out the wrong interface, and I am not NATing these addresses.

Thanks in advance for the help
SteveJ
Hardware Firewalls, Cisco
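One way to turn the iptables DROP log into packet-tracer commands, and to tell a lab artefact like "no adjacency" apart from a real policy drop when reading the ASA's replies. This is an added example, not the poster's code; the `inside` interface name, the log prefix and the sample log and packet-tracer output are constructed assumptions.

```python
"""Build ASA packet-tracer commands from iptables LOG lines and classify the
ASA's replies, so that adjacency/routing failures in the lab are not mistaken
for (or hidden among) policy drops. Hypothetical helper, not the poster's code."""
import re

# Fields emitted by iptables' LOG target that matter for a 5-tuple; MAC= etc. ignored.
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|TYPE|CODE)=(\S+)")
# The parenthesised token after "Drop-reason:" in packet-tracer output.
_REASON = re.compile(r"Drop-reason: \(([^)]+)\)")


def parse_iptables_log(lines):
    """Yield deduplicated (proto, src, a, dst, b) tuples from iptables LOG lines.
    For TCP/UDP a/b are ports; for ICMP they are type/code (packet-tracer's form)."""
    seen = set()
    for line in lines:
        f = dict(_FIELD.findall(line))
        if not all(k in f for k in ("SRC", "DST", "PROTO")):
            continue  # not a LOG line we understand
        proto = f["PROTO"].lower()
        if proto == "icmp":
            key = (proto, f["SRC"], f.get("TYPE", "8"), f["DST"], f.get("CODE", "0"))
        else:
            key = (proto, f["SRC"], f.get("SPT", "0"), f["DST"], f.get("DPT", "0"))
        if key not in seen:  # the DROP log repeats the same tuple many times
            seen.add(key)
            yield key


def to_packet_tracer(tuple5, ifc="inside"):
    """Render one ASA 'packet-tracer input <ifc> <proto> <src> <a> <dst> <b>' line."""
    proto, src, a, dst, b = tuple5
    return f"packet-tracer input {ifc} {proto} {src} {a} {dst} {b}"


def classify(output):
    """Map packet-tracer output to 'allow', 'policy-drop', the raw drop reason
    (e.g. 'no adjacency', which means the test never reached the ACL), or 'unknown'."""
    m = _REASON.search(output)
    if m is None:
        return "allow" if "Action: allow" in output else "unknown"
    return "policy-drop" if m.group(1) == "acl-drop" else m.group(1)


# Constructed sample: two identical TCP DROP lines and one ICMP line.
SAMPLE_LOG = [
    "kernel: IPT-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=22 SYN",
    "kernel: IPT-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=22 SYN",
    "kernel: IPT-DROP: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1",
]

if __name__ == "__main__":
    for t in parse_iptables_log(SAMPLE_LOG):
        print(to_packet_tracer(t))  # paste these into the SSH session
```

Feed each command's output to `classify`; any result other than `policy-drop` or `allow` means the packet never reached the converted ACL, so that test case says nothing about the conversion.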

Steve Jennings (ASKER)

Seems as though the issue was my lack of understanding of the ASA. I created a full ASA configuration and now my code works as expected.

Steve Jennings (ASKER)

WAA
Cisco

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
