Hello everyone! I ran into an issue with ASA ARP inspection and would like to know if I am missing something, and ask if anyone else has seen this behavior. In a nutshell, if you want to do ARP inspection to prevent MitM attacks, you can enable ARP inspection with static ARP entries and combine that with no-flood to tighten it up. For the routers on either side of the ASA, you will also need static ARP entries. So in a practice lab, I did exactly that, and the routers on either side were fine. I was able to forward traffic between them just fine; however, it appears as if the ASA itself is stupid. I had configured a management IP on the transparent subnet, and configured a default route to one of the routers on the outside interface. What happened was that the ASA will ARP for the destination even though there is a static route with the next hop already there and an ARP entry for the next hop. The router on the outside interface will be nice and will proxy-ARP respond, but ARP inspection will fail. If I disable proxy-ARP on the outside router, the ASA's ARP just goes unanswered and the ASA still cannot reach anything. Has anyone seen this?
Also, I ran across a potential time bomb: the router on the inside was a switch using an SVI interface. When I rebooted it to do some validations, the MAC address for the SVI interface changed! This broke my static ARP entry for that interface. I don't seem to recall a way to statically assign a MAC address to an SVI. Thanks! Dave
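For readers following the thread, here is the kind of lab setup the post describes, written out as an added example rather than Dave's actual configuration: a transparent-mode ASA with a management IP, static ARP entries for the router on each side, ARP inspection enabled with no-flood, and the matching static ARP entry and proxy-ARP setting on the outside router. All interface names, IP addresses and MAC addresses are constructed placeholders, and the ASA syntax assumed is the pre-8.4 transparent-mode style where the management address is set globally.

```cisco
! ===== ASA (transparent mode), constructed example =====
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management IP of the ASA on the bridged subnet (constructed)
ip address 10.1.1.10 255.255.255.0
!
! Static ARP entries: only frames matching these MAC/IP pairs pass inspection.
! 10.1.1.1 = outside router, 10.1.1.2 = inside switch SVI (MACs constructed)
arp outside 10.1.1.1 0000.0c00.0001
arp inside  10.1.1.2 0000.0c00.0002
!
! Enable ARP inspection per interface; "no-flood" drops ARP frames that
! match no static entry instead of flooding them out the other interface.
arp-inspection outside enable no-flood
arp-inspection inside  enable no-flood
!
! Default route for ASA-originated (management) traffic via the outside router
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Useful checks after applying: "show arp-inspection" (per-interface state),
! "show arp" (static entries plus anything learned), and the ARP-related
! counters in "show asp drop" when traffic stops unexpectedly.

! ===== Outside router (IOS), constructed example =====
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ! Turning proxy-ARP off means the router will not answer on behalf of other
 ! hosts, so every ARP the ASA sends must match a real static entry.
 no ip proxy-arp
!
! Static entry for the ASA management IP; MAC is the ASA's outside
! interface MAC (constructed here)
arp 10.1.1.10 0000.0c00.00aa ARPA
```

The security-relevant point of this layout is that with static entries and no-flood on both ASA interfaces, an ARP reply whose MAC/IP pairing differs from the table is dropped rather than learned, which is what blocks ARP-poisoning style MitM on the bridged segment. The trade-off the post runs into is that every device whose MAC can change (such as an SVI after a reload) has to be re-entered, so it is worth checking "show arp" on the ASA after any maintenance on the neighboring routers or switches.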
