Are you saying that the ARP inspection fails when you try to reach the
remote address from the ASA or from the router inside? Did you add a static
ARP entry for the remote IP address and the next-hop router's MAC address?


With regards
Kings

On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]> wrote:

> Hello everyone!
>
> I ran into an issue with ASA ARP inspection and would like to know if I am
> missing something, and ask if anyone else has seen this behavior. In a
> nutshell, if you want to do ARP inspection to prevent MitM attacks you can
> enable ARP inspection with static ARP entries and combine that with no-flood
> to tighten it up. For the routers on either side of the ASA, you will also
> need static ARP entries. So in a practice lab, I did exactly that and the
> routers on either side were fine. I was able to forward traffic between them
> just fine; however, it appears as if the ASA itself is stupid. I had
> configured a management IP on the transparent subnet, and configured a
> default route to one of the routers on the outside interface. What happened
> was that the ASA will ARP for the destination even though there is a static
> route with the next hop already there and an ARP entry for the next hop. The
> router on the outside interface is nice and will proxy-ARP respond, but ARP
> inspection will fail. If I disable proxy-ARP on the outside router, the ASA's
> ARP just goes unanswered and the ASA still cannot reach anything. Has anyone
> seen this?
>
> Also, I ran across a potential time bomb: the router on the inside was a
> switch using an SVI interface. When I rebooted it to do some validations, the
> MAC address for the SVI interface changed! This broke my static ARP entry
> for that interface. I don't seem to recall a way to statically assign a MAC
> address to an SVI.
>
> Thanks!
> Dave
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
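An added example, not from either message in the thread, that models the ASA ARP inspection decision Dave describes (static entries plus no-flood) and the static entry for the remote IP that Kings asks about. The addresses, the rule ordering and the inspection outcomes are assumptions drawn from the documented match / mismatch / no-match behaviour, not verified against a live ASA.

```python
from dataclasses import dataclass

# Constructed lab addresses (assumed values, not from the thread).
OUTSIDE_RTR_IP = "192.0.2.1"
OUTSIDE_RTR_MAC = "00:00:5e:00:53:01"
REMOTE_IP = "203.0.113.5"   # behind the outside router, not on the bridged subnet


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str


def inspect(pkt, static_table, no_flood):
    """Return 'forward' or 'drop' for an ARP packet seen on one interface.

    Modelled rules (assumption): exact IP/MAC match with a static entry ->
    forward; IP or MAC matches an entry but the pair differs -> drop (possible
    spoof); no match at all -> forward only when flooding is enabled."""
    if static_table.get(pkt.sender_ip) == pkt.sender_mac:
        return "forward"
    if pkt.sender_ip in static_table or pkt.sender_mac in static_table.values():
        return "drop"                               # IP/MAC mismatch
    return "drop" if no_flood else "forward"        # unknown binding


# Static ARP entry for the outside router, as Dave configured it.
OUTSIDE_STATIC = {OUTSIDE_RTR_IP: OUTSIDE_RTR_MAC}


def proxy_arp_reply_result(no_flood=True):
    """Outside router proxy-ARPs for REMOTE_IP using its own MAC."""
    reply = ArpPacket(sender_ip=REMOTE_IP, sender_mac=OUTSIDE_RTR_MAC)
    return inspect(reply, OUTSIDE_STATIC, no_flood)


def next_hop_reply_result(no_flood=True):
    """Ordinary reply from the router for its own IP."""
    reply = ArpPacket(sender_ip=OUTSIDE_RTR_IP, sender_mac=OUTSIDE_RTR_MAC)
    return inspect(reply, OUTSIDE_STATIC, no_flood)


def remote_static_added_result(no_flood=True):
    """Kings' question: a static entry binding REMOTE_IP to the router's MAC."""
    table = {**OUTSIDE_STATIC, REMOTE_IP: OUTSIDE_RTR_MAC}
    reply = ArpPacket(sender_ip=REMOTE_IP, sender_mac=OUTSIDE_RTR_MAC)
    return inspect(reply, table, no_flood)
```

The proxy-ARP reply is dropped even with flooding on, because the router's MAC is already bound to a different IP, which is the failure Dave saw; only an explicit static binding for the remote IP makes the model pass it.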