Not quite a dupe, but there's a similar question here, which has some suggestions about mapping an IP address to a switch port.
In this case, it sounds like the best option is to identify all switch ports that are connected to devices you know about. My suggestions for this (assuming Cisco managed routers/switches):
Identify known devices
From your first hop router(s), do a broadcast ping on each subnet that is trunked to a switch supporting the office space (as opposed to any data centre space you may have). Note, this should be the directed broadcast address of each subnet, rather than the 'all devices' broadcast IP of 255.255.255.255. In Cisco IOS, this can only be done from privileged exec mode. For example, to ping all machines on the subnet 192.168.100.0/25, use:
ping ip 192.168.100.127
This will populate the ARP cache of the router with entries for all machines on each subnet responding to ping.
Again on the first hop routers, extract the list of ARP entries for each subnet:
show ip arp interface vlan 100
This will give you all the IPs and MAC addresses of every device that responded to the ping. You can check the list of IPs against DNS (or another naming service) to identify the names of specific devices. Any IP address that you can't match a name to should be flagged for further investigation.
Map known devices to switch ports
Take the list of MAC addresses and use it to determine which switch port each device is connected to.
show mac-address-table address <mac-address>
Will show you the MAC address table entry for that particular MAC, including which switch port it's connected to. Alternatively:
show mac-address-table vlan <vlan number>
Will show you the MAC address table for all ports in that VLAN. Note, the default timeout for MAC address tables on Cisco devices is 5 minutes; you may need to run your broadcast ping again in order to repopulate it.
Map unknown devices to switch ports
For those IPs that you couldn't map to known devices, the commands in the previous section will tell you which port you need to check.
Also, run:
show mac-address-table
with no arguments. Take the output, and remove the lines for any known MAC addresses, as well as any router-router and switch-switch links. The MAC addresses that you will be left with are devices that are connected to your switch, but aren't communicating via IP to your first hop routers. The ports these appear on should also be flagged for investigation.
Map flagged ports to outlets
For all the ports you have flagged (i.e. devices you can't identify), you'll need to do a physical trace from the switch port to the access port on the office floor. If you're lucky, your landlord will use managed cabling infrastructure; if not, be prepared to lift floor tiles and trace cables the old-fashioned way. Best of luck.
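The correlation described in the steps above can be scripted instead of done by hand. The following is an added example, not part of the original answer: it parses constructed sample output of "show ip arp" and "show mac-address-table" (the formats are typical of classic IOS but the values are made up), and flags ports carrying an IP you could not name plus MACs that never answered the router; the set of known IPs stands in for the DNS lookup, and the uplink ports to exclude are an assumption you supply.

```python
import re
from collections import defaultdict

# Constructed sample output (not from a real device) of "show ip arp vlan 100".
ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.100.1           -   0011.2233.4455  ARPA   Vlan100
Internet  192.168.100.10          3   aabb.cc00.0100  ARPA   Vlan100
Internet  192.168.100.11          5   aabb.cc00.0200  ARPA   Vlan100
"""

# Constructed sample output of "show mac-address-table" on the access switch.
MAC_SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/48
 100    aabb.cc00.0100    DYNAMIC     Gi1/0/1
 100    aabb.cc00.0200    DYNAMIC     Gi1/0/2
 100    aabb.cc00.0300    DYNAMIC     Gi1/0/7
"""

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"  # Cisco dotted-hex MAC

def parse_arp(text):
    """Return {ip: mac} from 'show ip arp' output (header lines are skipped)."""
    pat = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+" + MAC_RE)
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def parse_mac_table(text):
    """Return {mac: port} from 'show mac-address-table' output."""
    pat = re.compile(r"^\s*\d+\s+" + MAC_RE + r"\s+\S+\s+(\S+)\s*$")
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def flag_ports(arp_text, mac_text, known_ips, uplink_ports):
    """Return {port: [reasons]} for every port that needs a physical trace."""
    ip_to_mac = parse_arp(arp_text)
    mac_to_port = parse_mac_table(mac_text)
    flagged = defaultdict(list)
    for ip, mac in ip_to_mac.items():          # IPs that answered but have no name
        port = mac_to_port.get(mac)
        if port and port not in uplink_ports and ip not in known_ips:
            flagged[port].append(f"unknown IP {ip} ({mac})")
    seen_macs = set(ip_to_mac.values())
    for mac, port in mac_to_port.items():      # MACs that never talked IP to the router
        if port not in uplink_ports and mac not in seen_macs:
            flagged[port].append(f"{mac} on switch but absent from router ARP cache")
    return dict(flagged)

if __name__ == "__main__":  # the known-IP set stands in for your DNS lookup
    for port, why in sorted(flag_ports(ARP_SAMPLE, MAC_SAMPLE, {"192.168.100.1", "192.168.100.10"}, {"Gi1/0/48"}).items()):
        print(port, "->", "; ".join(why))
```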
You're not going to be able to achieve this with your current setup. As you're finding out, you're going to run into problems with asymmetric routing, and firewalls don't like that at all.
Ideally you need a router to sit between your firewall and your ISP's.
ISP1    ISP2
   \    /
   ROUTER
     |
    ASA
     |
  SERVERS
You then have a few options:
1) That router could then have policy-based routing enabled and send reply traffic sourced with ISP1 address space via the ISP1 router, and reply traffic sourced with ISP2 address space via the ISP2 router. If you don't care about only using one link at a time for outbound connectivity then PBR isn't even necessary.
Or
2) you need some common public address space that both ISPs can use. To that end you'll either need to request some provider independent address space from your regional internet registry, or use the same ISP for both of your internet links, and use some BGP magic to tie it all together.
In both cases your firewall should have only one external interface.
Best Answer
You can set
exec-timeout
on the line you are using to configure it. The timeout is in minutes and 0
means no timeout. Example: