Hi Dave

In transparent firewall mode, if the MAC address is not in the MAC address table,
then the ASA doesn't flood the packet to all the interfaces, but rather does the
following:


   - Sends an ARP request for the IP address, if directly connected, to find the
   interface on which the ARP response is received.
   - Sends a ping request to the IP address, if not directly connected, to
   find the interface on which the response is received.


Does the ASA have the MAC address of the outside router in its MAC table?

Can you try adding

mac-address-table static outside <router mac address>

Just a try....


With regards
Kings

On Mon, Sep 13, 2010 at 12:21 AM, Mack, David A (Dave) <[email protected]> wrote:

> Kingsley,
>
> The issue is with the ASA itself. I have static ARPs on the
> ASA for the router on the inside and the router on the outside. I also have
> static ARPs on each of the routers for the other router. The routers are
> working just fine. In this scenario, the ASA only has a default route
> pointed to the IP address of the outside router. It should not have to ARP
> for any other remote networks beyond the outside router, but rather forward
> to the MAC address of the “default” gateway. However the ASA, instead of
> using its default route to the outside router and the static ARP for that
> router, ARPs for a remote network. The inside router also has a default
> route and static ARP for the outside router and it works fine. To summarize,
> the ASA is insisting on ARPing for remote networks, even though it has a
> static default route and a static ARP entry for the next hop of that default
> route. That ARP is what is failing ARP inspection.
>
>
>
> Thanks!
>
> Dave
>
>
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Sunday, September 12, 2010 12:39 PM
> *To:* Mack, David A (Dave)
> *Cc:* OSL Security
> *Subject:* Re: [OSL | CCIE_Security] ASA ARP Inspection
>
>
>
> Are you saying that the ARP inspection fails when you try to reach the
> remote address from the ASA or from the router inside? Did you add a static
> ARP for the remote IP address and the next hop router's MAC address?
>
>
> With regards
> Kings
>
> On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]>
> wrote:
>
> Hello everyone!
>
> I ran into an issue with ASA ARP inspection and would like to know if I am
> missing something, and ask if anyone else has seen this behavior? In a
> nutshell, if you want to do ARP inspection to prevent MitM attacks you can
> enable ARP inspection with static ARP entries and combine that with no-flood
> to tighten it up. For the routers on either side of the ASA, you will also
> need static ARP entries. So in a practice lab, I did exactly that and the
> routers on either side were fine. I was able to forward traffic between them
> just fine; however, it appears as if the ASA itself is stupid. I had
> configured a management IP on the transparent subnet, and configured a
> default route to one of the routers on the outside interface. What happened
> was that the ASA will ARP for the destination even though there is a static
> route with the next hop already there and an ARP entry for the next hop. The
> router on the outside interface will be nice and proxy-ARP respond, but ARP
> inspection will fail. If I disable proxy-arp on the outside router, the ASA's
> ARP just goes unanswered and the ASA still cannot reach anything. Has anyone
> seen this?
>
> Also, I ran across a potential time bomb: the router on the inside was a
> switch using an SVI interface. When I rebooted it to do some validations, the
> MAC address for the SVI interface changed! This broke my static ARP entry
> for that interface. I don't seem to recall a way to statically assign a MAC
> address to an SVI.
>
> Thanks!
> Dave
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>
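Below is an added configuration example, not from any message in this thread, putting together the setup the thread describes: a transparent-mode ASA with static ARP entries for the routers on either side, ARP inspection with no-flood on both interfaces, and the static MAC-address-table entries Kings suggests. The interface names, the 10.1.1.0/24 management subnet, the router IPs and every MAC address are constructed placeholders, and the syntax assumed is the pre-8.4 transparent-mode style (global management IP address).

```text
! Constructed example (not from the thread): transparent-mode ASA, pre-8.4 syntax
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management IP on the transparent subnet and a default route to the outside router
ip address 10.1.1.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Static ARP bindings for the router on each side (placeholder MAC addresses)
arp outside 10.1.1.1 0011.2233.4455
arp inside 10.1.1.2 0011.2233.6677
!
! ARP inspection on both interfaces. A packet that contradicts a static entry is
! dropped; no-flood also drops packets for which no static entry exists instead
! of flooding them out the other interfaces.
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
!
! Kings' suggestion: pin each router's MAC to its interface so the ASA does not
! have to ARP or ping to learn which interface the router sits on
mac-address-table static outside 0011.2233.4455
mac-address-table static inside 0011.2233.6677
```

As Dave's messages point out, this still leaves the ASA's own ARP for a remote destination without a matching static entry, so that ARP is dropped under inspection; the example shows the configuration under discussion, not a fix for that behavior.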