I seem to remember this being an issue with ARP inspection.  If you run the
default route in the opposite direction I don't think you will have the same
problem.  I think it is only when it is going external.  Test it turning the
interfaces around.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP

Managing Partner / Sr. Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
From: [email protected]
[mailto:[email protected]] On Behalf Of Mack, David
A (Dave)
Sent: Sunday, September 12, 2010 2:51 PM
To: 'Kingsley Charles'
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection
Kingsley,

The issue is with the ASA itself. I have static ARPs on the ASA for the router
on the inside and the router on the outside. I also have static ARPs on each
of the routers for the other router. The routers are working just fine. In
this scenario, the ASA only has a default route pointed to the IP address of
the outside router. It should not have to ARP for any other remote networks
beyond the outside router, but rather forward to the MAC address of the
"default" gateway. However, the ASA, instead of using its default route to the
outside router and the static ARP for that router, ARPs for a remote network.
The inside router also has a default route and static ARP for the outside
router and it works fine. To summarize, the ASA is insisting on ARPing for
remote networks, even though it has a static default route and a static ARP
entry for the next hop of that default route. That ARP is what is failing ARP
inspection.
Thanks!

Dave
From: Kingsley Charles [mailto:[email protected]] 
Sent: Sunday, September 12, 2010 12:39 PM
To: Mack, David A (Dave)
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection
Are you saying that the ARP inspection fails when you try to reach the
remote address from the ASA or from the router inside? Did you add a static
ARP for the remote IP address and the next hop router's MAC address?


With regards
Kings

On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]>
wrote:

Hello everyone!

I ran into an issue with ASA ARP inspection and would like to know if I am
missing something, and ask if anyone else has seen this behavior. In a
nutshell, if you want to do ARP inspection to prevent MitM attacks you can
enable ARP inspection with static ARP entries and combine that with no-flood
to tighten it up. For the routers on either side of the ASA, you will also
need static ARP entries. So in a practice lab, I did exactly that and the
routers on either side were fine. I was able to forward traffic between them
just fine; however, it appears as if the ASA itself is stupid. I had
configured a management IP on the transparent subnet, and configured a
default route to one of the routers on the outside interface. What happened
was that the ASA will ARP for the destination even though there is a static
route with the next hop already there and an ARP entry for the next hop. The
router on the outside interface will be nice and proxy-ARP respond, but ARP
inspection will fail. If I disable proxy-ARP on the outside router, the ASA's
ARP just goes unanswered and the ASA still cannot reach anything. Has anyone
seen this?

Also, I ran across a potential time bomb: the router on the inside was a
switch using an SVI interface. When I rebooted it to do some validations, the
MAC address for the SVI interface changed! This broke my static ARP entry
for that interface. I don't seem to recall a way to statically assign a MAC
address to an SVI.

Thanks!
Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
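The setup Dave describes above (transparent ASA, static ARP entries for the router on each side, ARP inspection with no-flood, a management IP and a default route to the outside router), written out as an added ASA configuration example. This is not configuration from the thread; the subnet, interface names and MAC addresses are constructed, and the global `ip address` form is the pre-8.4 transparent-mode syntax.

```text
! Added example, not from the thread. Constructed values: bridged subnet
! 192.168.1.0/24, inside router 192.168.1.1 (MAC 0000.1111.aaaa), outside
! router 192.168.1.254 (MAC 0000.2222.bbbb), ASA management IP 192.168.1.10.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address in the bridged subnet; default route to the outside router.
ip address 192.168.1.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
! Static ARP entries for the router on each side. ARP inspection compares every
! ARP packet crossing the ASA against this table and drops a packet whose
! IP-to-MAC pairing contradicts an entry (the spoofed-reply MitM case).
arp inside 192.168.1.1 0000.1111.aaaa
arp outside 192.168.1.254 0000.2222.bbbb
!
! "no-flood": an ARP packet that matches no static entry is dropped instead of
! being flooded out the other interface, so only the hosts listed above can
! resolve through the ASA. The thread reports that traffic sourced from the
! ASA's own management IP still ARPs for remote destinations rather than for
! the default-route next hop, so that ARP is what this setting will drop.
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
!
! Verification:
!   show arp-inspection   (per-interface enable state and flood setting)
!   show arp              (the static entries should be listed)
```

The SVI MAC change Dave mentions would invalidate the `arp inside` entry after a reload of the inside switch; `show arp` against the switch's current MAC is the quick check for that.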