That's interesting but strange. Dave, can you explain the problem with a topology and the solution that fixed the problem, so that it will be helpful to us?

With regards
Kings

On Mon, Sep 13, 2010 at 6:51 PM, Mack, David A (Dave) <[email protected]> wrote:

> Tyson,
>
> I turned the default route around towards the inside interface and I did not have the same problem. I am not sure I like that behavior, but it is definitely something to know about!
>
> Thanks!
> Dave
>
> From: Tyson Scott [mailto:[email protected]]
> Sent: Sunday, September 12, 2010 11:44 PM
> To: Mack, David A (Dave); 'Kingsley Charles'
> Cc: 'OSL Security'
> Subject: RE: [OSL | CCIE_Security] ASA ARP Inspection
>
> I seem to remember this being an issue with ARP inspection. If you run the default route in the opposite direction I don't think you will have the same problem. I think it is only when it is going external. Test it turning the interfaces around.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
> Sent: Sunday, September 12, 2010 2:51 PM
> To: 'Kingsley Charles'
> Cc: OSL Security
> Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection
>
> Kingsley,
>
> The issue is with the ASA itself. I have static ARPs on the ASA for the router on the inside and the router on the outside. I also have static ARPs on each of the routers for the other router. The routers are working just fine. In this scenario, the ASA only has a default route pointed to the IP address of the outside router. It should not have to ARP for any other remote networks beyond the outside router, but rather forward to the MAC address of the "default" gateway. However, the ASA, instead of using its default route to the outside router and the static ARP for that router, ARPs for a remote network. The inside router also has a default route and a static ARP for the outside router, and it works fine. To summarize, the ASA is insisting on ARPing for remote networks, even though it has a static default route and a static ARP entry for the next hop of that default route. That ARP is what is failing ARP inspection.
>
> Thanks!
> Dave
>
> From: Kingsley Charles [mailto:[email protected]]
> Sent: Sunday, September 12, 2010 12:39 PM
> To: Mack, David A (Dave)
> Cc: OSL Security
> Subject: Re: [OSL | CCIE_Security] ASA ARP Inspection
>
> Are you telling that the ARP inspection fails when you try to reach the remote address from the ASA or from the router inside? Did you add a static ARP for the remote IP address and the next-hop router's MAC address?
>
> With regards
> Kings
>
> On Sun, Sep 12, 2010 at 7:59 PM, Mack, David A (Dave) <[email protected]> wrote:
>
> Hello everyone!
>
> I ran into an issue with ASA ARP inspection and would like to know if I am missing something, and to ask if anyone else has seen this behavior. In a nutshell, if you want to do ARP inspection to prevent MitM attacks, you can enable ARP inspection with static ARP entries and combine that with no-flood to tighten it up. For the routers on either side of the ASA, you will also need static ARP entries. So in a practice lab, I did exactly that, and the routers on either side were fine. I was able to forward traffic between them just fine; however, it appears as if the ASA itself is stupid. I had configured a management IP on the transparent subnet, and configured a default route to one of the routers on the outside interface. What happened was that the ASA will ARP for the destination even though there is a static route with the next hop already there and an ARP entry for the next hop. The router on the outside interface will be nice and proxy-ARP respond, but ARP inspection will fail. If I disable proxy-ARP on the outside router, the ASA's ARP just goes unanswered and the ASA still cannot reach anything. Has anyone seen this?
>
> Also, I ran across a potential time bomb: the router on the inside was a switch using an SVI interface. When I rebooted it to do some validations, the MAC address for the SVI interface changed! This broke my static ARP entry for that interface. I don't seem to recall a way to statically assign a MAC address to an SVI.
>
> Thanks!
> Dave
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
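For readers who want to reproduce the lab Dave describes, the configuration below is an added example written for this page; it is not configuration from the thread, and the addresses, interface names and MAC addresses are made up. It shows the transparent-mode ASA with static ARP entries and no-flood ARP inspection on both interfaces, the matching static ARP and proxy-ARP settings on the adjacent IOS routers, and the show commands used to confirm which ARP packets inspection is dropping. The default route is shown in both directions: pointing outside (the direction in which the thread reports the ASA's own traffic failing inspection) and pointing inside (the workaround Dave reports working).

```cisco
! ===== ASA (transparent mode, 8.x-era syntax) =====
! Constructed topology, not from the thread:
!   R1 (inside)  10.1.1.1   0000.0c00.0001
!   ASA mgmt     10.1.1.10  (transparent-mode management address)
!   R2 (outside) 10.1.1.2   0000.0c00.0002
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address on the bridged subnet; this is the source of any
! ASA-originated traffic (ping, syslog, AAA) that needs the default route.
ip address 10.1.1.10 255.255.255.0
!
! Static ARP entries for the directly attached routers. With inspection
! on, a received ARP whose IP/MAC/interface binding disagrees with these
! is dropped.
arp inside  10.1.1.1 0000.0c00.0001
arp outside 10.1.1.2 0000.0c00.0002
!
! Enable inspection per interface. "no-flood" means an ARP that matches
! no static entry is dropped instead of being flooded out the other
! interface, which is the tighter setting described in the thread.
arp-inspection inside  enable no-flood
arp-inspection outside enable no-flood
!
! Default route as Dave first configured it (next hop on the outside).
! In transparent mode this route only carries the ASA's own traffic.
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
!
! Workaround reported in the thread: point the default route at the
! inside router instead. Use one or the other, not both.
! no route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
! route inside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Verification after trying to reach a remote address from the ASA
! (e.g. "ping 192.0.2.1"):
!   show arp-inspection      - inspection state and no-flood per interface
!   show arp                 - static entries and any dynamic ones learned
!   show arp statistics      - counters, including ARPs dropped by inspection

! ===== R2 (outside router, IOS) =====
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ! Proxy-ARP is what answered the ASA's ARP for the remote network in the
 ! thread; disabling it removes that (inspection-failing) reply entirely.
 no ip proxy-arp
!
! Static ARP for the router on the far side of the ASA, as the thread
! notes each router needs for the other.
arp 10.1.1.1 0000.0c00.0001 ARPA
!
! Verification on IOS: "show ip arp" for the static binding,
! "debug arp" to watch the ASA's requests arrive and what is answered.

! ===== R1 (inside router, IOS) =====
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
!
arp 10.1.1.2 0000.0c00.0002 ARPA
ip route 0.0.0.0 0.0.0.0 10.1.1.2
```

When checking the SVI issue Dave raises, compare the `show interfaces vlan <n>` MAC address before and after a reload and re-enter the `arp` entries on the ASA and peer router if it has moved; the example above assumes fixed MAC addresses and does not attempt to pin an SVI MAC.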
