Tyson,

I turned the default route around towards the inside interface and I did not have the same problem. I am not sure I like that behavior, but it is definitely something to know about!

Thanks!
Dave


From: Tyson Scott [mailto:[email protected]]
Sent: Sunday, September 12, 2010 11:44 PM
To: Mack, David A (Dave); 'Kingsley Charles'
Cc: 'OSL Security'
Subject: RE: [OSL | CCIE_Security] ASA ARP Inspection

I seem to remember this being an issue with ARP inspection.  If you run the 
default route in the opposite direction I don't think you will have the same 
problem.  I think it is only when it is going external.  Test it turning the 
interfaces around.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Sunday, September 12, 2010 2:51 PM
To: 'Kingsley Charles'
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection

Kingsley,

The issue is with the ASA itself. I have static ARPs on the ASA for the router on the inside and the router on the outside. I also have static ARPs on each of the routers for the other router. The routers are working just fine. In this scenario, the ASA only has a default route pointed to the IP address of the outside router. It should not have to ARP for any other remote networks beyond the outside router, but rather forward to the MAC address of the "default" gateway. However, the ASA, instead of using its default route to the outside router and the static ARP for that router, ARPs for a remote network. The inside router also has a default route and static ARP for the outside router and it works fine. To summarize, the ASA is insisting on ARPing for remote networks, even though it has a static default route and a static ARP entry for the next hop of that default route. That ARP is what is failing ARP inspection.

Thanks!
Dave

From: Kingsley Charles [mailto:[email protected]]
Sent: Sunday, September 12, 2010 12:39 PM
To: Mack, David A (Dave)
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection

Are you saying that the ARP inspection fails when you try to reach the remote address from the ASA or from the router inside? Did you add a static ARP for the remote IP address and the next-hop router's MAC address?


With regards
Kings
On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]> wrote:
Hello everyone!

I ran into an issue with ASA ARP inspection and would like to know if I am missing something, and ask if anyone else has seen this behavior. In a nutshell, if you want to do ARP inspection to prevent MitM attacks you can enable ARP inspection with static ARP entries and combine that with no-flood to tighten it up. For the routers on either side of the ASA, you will also need static ARP entries. So in a practice lab, I did exactly that and the routers on either side were fine. I was able to forward traffic between them just fine; however, it appears as if the ASA itself is stupid. I had configured a management IP on the transparent subnet, and configured a default route to one of the routers on the outside interface. What happened was that the ASA will ARP for the destination even though there is a static route with the next hop already there and an ARP entry for the next hop. The router on the outside interface will be nice and proxy-ARP respond, but ARP inspection will fail. If I disable proxy-arp on the outside router, the ASA's ARP just goes unanswered and the ASA still cannot reach anything. Has anyone seen this?

Also, I ran across a potential time bomb: the router on the inside was a switch using an SVI interface. When I rebooted it to do some validations, the MAC address for the SVI interface changed! This broke my static ARP entry for that interface. I don't seem to recall a way to statically assign a MAC address to an SVI.

Thanks!
Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
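The setup Dave describes in his original post (a transparent-mode ASA with static ARP entries for the router on each side, ARP inspection enabled with no-flood, a management address in the bridged subnet and a default route via the outside router), written out as an added configuration example. This is not configuration from the thread; the interface names, IP addresses and MAC addresses are assumed placeholders, and the commands are the standard ASA `arp`, `arp-inspection` and `route` forms.

```text
! Added example, not from the thread. Assumed placeholders:
!   inside router  10.1.1.1 / 0011.1111.1111
!   outside router 10.1.1.2 / 0022.2222.2222
!   ASA management 10.1.1.10 in the bridged subnet
firewall transparent
!
! Static ARP entries for the routers on either side of the ASA
arp inside  10.1.1.1 0011.1111.1111
arp outside 10.1.1.2 0022.2222.2222
!
! Inspect ARP on both interfaces; with no-flood, an ARP packet that does
! not match a static entry is dropped instead of being flooded
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
!
! Management address and the default route pointing at the outside router
ip address 10.1.1.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.2
!
! Verification: per-interface inspection state, and the ARP table
show arp-inspection
show arp
```

`show arp` lists the static entries and any address the ASA is currently trying to resolve. With no-flood, a proxy-ARP reply for a remote destination does not match a static entry and is dropped, which is the failure Dave reports when the ASA ARPs for a network beyond its default gateway; his later test moved the default route to the inside interface and did not reproduce it.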
