So you are trying to reach a remote network located on the outside of the ASA, beyond the outside router, from the ASA itself? Is this correct? Are you trying to ping from the ASA and not getting any response back?

Thanks and regards
Yogesh Gawankar

--- On Mon, 9/13/10, Mack, David A (Dave) <[email protected]> wrote:

From: Mack, David A (Dave) <[email protected]>
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection
To: "'Kingsley Charles'" <[email protected]>
Cc: "OSL Security" <[email protected]>
Date: Monday, September 13, 2010, 4:51 AM

Kingsley,

The issue is with the ASA itself. I have static ARPs on the ASA for the router on the inside and the router on the outside. I also have static ARPs on each of the routers for the other router. The routers are working just fine. In this scenario, the ASA only has a default route pointed to the IP address of the outside router. It should not have to ARP for any other remote networks beyond the outside router, but rather forward to the MAC address of the "default" gateway. However, the ASA, instead of using its default route to the outside router and the static ARP for that router, ARPs for a remote network. The inside router also has a default route and a static ARP for the outside router, and it works fine.

To summarize, the ASA is insisting on ARPing for remote networks, even though it has a static default route and a static ARP entry for the next hop of that default route. That ARP is what is failing ARP inspection.

Thanks!
Dave

From: Kingsley Charles [mailto:[email protected]]
Sent: Sunday, September 12, 2010 12:39 PM
To: Mack, David A (Dave)
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection

Are you saying that the ARP inspection fails when you try to reach the remote address from the ASA, or from the router inside? Did you add a static ARP for the remote IP address and the next-hop router's MAC address?

With regards
Kings

On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]> wrote:

Hello everyone!

I ran into an issue with ASA ARP inspection and would like to know if I am missing something, and ask if anyone else has seen this behavior?

In a nutshell, if you want to do ARP inspection to prevent MitM attacks, you can enable ARP inspection with static ARP entries and combine that with no-flood to tighten it up. For the routers on either side of the ASA, you will also need static ARP entries. So in a practice lab, I did exactly that, and the routers on either side were fine. I was able to forward traffic between them just fine; however, it appears as if the ASA itself is stupid. I had configured a management IP on the transparent subnet, and configured a default route to one of the routers on the outside interface. What happened was that the ASA will ARP for the destination even though there is a static route with the next hop already there and an ARP for the next hop. The router on the outside interface will be nice and will proxy-ARP respond, but ARP inspection will fail. If I disable proxy-ARP on the outside router, the ASA's ARP just goes unanswered and the ASA still cannot reach anything. Has anyone seen this?

Also, I ran across a potential time bomb: the router on the inside was a switch using an SVI interface. When I rebooted it to do some validations, the MAC address for the SVI interface changed! This broke my static ARP entry for that interface. I don't seem to recall a way to statically assign a MAC address to an SVI.

Thanks!
Dave

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
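The lab topology the thread describes, written out as configuration: a transparent-mode ASA with a management IP on the bridged subnet, a default route to the outside router, static ARP entries for both routers, ARP inspection with no-flood on both interfaces, static ARP entries on each router for the other router, and proxy ARP disabled on the outside router. This is an added example, not configuration posted by anyone in the thread; every address, MAC address and interface name is constructed, and the global management IP uses the pre-8.4 transparent-mode syntax.

```text
! ---- ASA, transparent mode (8.2-style syntax; addresses and MACs constructed) ----
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management IP on the bridged subnet (global in 8.2; on 8.4+ it is configured on the BVI)
ip address 10.1.1.10 255.255.255.0
!
! Default route for ASA-originated traffic: next hop is the outside router only
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! One static ARP entry per router, on the interface where that router lives
arp outside 10.1.1.1 0000.0c11.1111
arp inside  10.1.1.2 0000.0c22.2222
!
! ARP inspection on both interfaces. With no-flood, an ARP packet whose
! sender IP/MAC does not match a static entry is dropped rather than
! flooded out the other interface, which is what defeats ARP spoofing
! through the bridge (and what also drops the ASA's own unexpected ARPs).
arp-inspection outside enable no-flood
arp-inspection inside  enable no-flood

! ---- Outside router R1 (IOS; constructed) ----
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ! R1 must not answer ARP requests for remote networks on other hosts' behalf
 no ip proxy-arp
!
! Static ARP for the inside router
arp 10.1.1.2 0000.0c22.2222 arpa

! ---- Inside router R2 (IOS; constructed) ----
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! Static ARP for the outside router (the default-route next hop)
arp 10.1.1.1 0000.0c11.1111 arpa

! ---- Verification on the ASA ----
! show arp              -> static entries for 10.1.1.1 and 10.1.1.2
! show arp-inspection   -> enable/no-flood state per interface
```

If a router's interface MAC can change across reboots (the SVI case raised in the thread), the corresponding `arp` entries on the ASA and on the peer router must be updated, so a change-control check on those MACs belongs with this configuration.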
