By default, all ARP packets are allowed through the security appliance. You can control the flow of ARP packets by enabling ARP inspection.
When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
• If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
• If there is a mismatch between the MAC address, the IP address, or the interface, then the security appliance drops the packet.
• If the ARP packet does not match any entries in the static ARP table, then you can set the security appliance to either forward the packet out all interfaces (flood), or to drop the packet.
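The three outcomes above can be modelled as a small decision function. This is an added example, not Cisco code: the names `ArpEntry`, `inspect` and `flood_on_miss` are hypothetical, the table and packets are constructed, and it assumes a packet counts as a mismatch when its IP or its MAC appears in a static entry but the full triple does not agree.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PASS = "pass"
    DROP = "drop"
    FLOOD = "flood"


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str


def normalize_mac(mac: str) -> str:
    """Reduce aa:bb:.., aa-bb-.. and aabb.ccdd.eeff notations to bare lowercase hex."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def inspect(table, ip, mac, interface, flood_on_miss):
    """Return the action for one ARP packet received on `interface`."""
    mac = normalize_mac(mac)
    partial = False
    for entry in table:
        same_ip = entry.ip == ip
        same_mac = normalize_mac(entry.mac) == mac
        if same_ip and same_mac and entry.interface == interface:
            return Action.PASS      # IP, MAC and interface all match a static entry
        if same_ip or same_mac:
            partial = True          # an entry exists, but some field disagrees
    if partial:
        return Action.DROP          # mismatch (assumed reading, see lead-in)
    # No static entry refers to this packet: the operator-chosen behaviour applies.
    return Action.FLOOD if flood_on_miss else Action.DROP


# Constructed static ARP table (documentation address range).
STATIC_TABLE = [
    ArpEntry("192.0.2.1", "0009.7cbe.2100", "outside"),
    ArpEntry("192.0.2.10", "00:1b:2c:3d:4e:5f", "inside"),
]
```

In this model, a packet that claims 192.0.2.1 with a different MAC, or with the right MAC on the wrong interface, is dropped, while a host absent from the table is flooded or dropped according to `flood_on_miss`.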
Refer to Configuring ARP Inspection and Bridging Parameters for Transparent Mode for more information:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/bridgarp.html