06-10-2008 01:39 AM - edited 03-11-2019 05:57 AM
Hi
We have only one host connected to a separate interface (dmz2). It is NATed to a public IP to allow it access to a partner network.
I want to make sure that no one (internally) spoofs the IP of this host or uses its IP. I was looking at placing a static ARP entry
and using dynamic ARP inspection, but it seems that this works only in transparent mode, and we are running routed mode.
Is there any other way?
All help is appreciated
06-10-2008 03:40 AM
You could put a VLAN access-map or port ACL on the switch connected to the DMZ VLAN.
Also, you can still put static ARP entries in routed mode; however, ARP inspection is not supported in routed mode.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1600694
Regards
Farrukh
06-10-2008 08:28 AM
Thanks for the response.
I placed a static ARP entry on the interface, but it seems that if any other PC uses the same IP, it can pass through.
As for the port ACL, do you mean to use a MAC list on the port?
Thanks again.
06-10-2008 11:10 AM
Yes, or a VLAN access-map on the whole VLAN, whatever suits you; both are mutually exclusive.
Regards
Farrukh
06-10-2008 11:32 AM
Hello,
The following link could help also if you have the required IOS software on your switch.
06-10-2008 01:28 PM
Thanks for the feedback
I was wondering if it is possible, using a VACL, to limit access based on both the host's IP AND MAC address, since using a MAC list on the port blocks MAC addresses but doesn't check IP addresses. I hope ARP inspection can be made available in ASA routed mode.
Thanks again
06-10-2008 11:37 PM
It's possible, but there is a very important caveat, which I should have mentioned earlier; this is true for both MAC ACLs on layer 2 (port ACLs) and MAC ACLs inside VLAN access lists (VACLs):
"IP packets are matched against standard or extended IP access lists. *Non-IP packets* are only matched against named MAC extended access lists."
The ARP Inspection option on the switch is also a good suggestion made by amad.
Regards
Farrukh
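An added worked configuration, not posted by anyone in this thread, that puts together the pieces discussed above: the static ARP entry on the ASA, a VLAN access-map on the switch that carries both an IP ACL and a MAC ACL (laid out the way the quoted caveat requires, since IP packets are only tested against the IP clause and non-IP frames only against the MAC clause), and Dynamic ARP Inspection on the switch with an ARP ACL for the statically addressed host. Every address, MAC, VLAN number, interface and ACL name below is an assumption chosen for illustration.

```cisco
! ===== ASA (routed mode) =====
! Assumed: interface named dmz2, DMZ host 192.0.2.10 with MAC 0011.2233.4455.
! Pins the host's IP to its MAC in the ASA ARP table so the ASA never learns a
! forged MAC for that IP via ARP. As observed earlier in the thread, this alone
! does not stop another station from sending IP packets sourced from that address.
arp dmz2 192.0.2.10 0011.2233.4455

! ===== Catalyst switch carrying the dmz2 VLAN (assumed VLAN 20) =====
! Assumed: ASA dmz2 interface is 192.0.2.1 / 0000.0c11.2201 on Gi0/1,
! the DMZ host is on Gi0/2, no DHCP on this VLAN.

! Layer-3 allow list: only the two known IP addresses may source IP packets.
ip access-list extended DMZ2-KNOWN-IP
 permit ip host 192.0.2.10 any
 permit ip host 192.0.2.1 any

! Layer-2 allow list for non-IP frames (ARP etc.): only the two known MACs.
mac access-list extended DMZ2-KNOWN-MAC
 permit host 0011.2233.4455 any
 permit host 0000.0c11.2201 any

! VLAN access map (VACL). An IP packet is tested only against the
! "match ip address" entry and a non-IP frame only against the
! "match mac address" entry; anything that matches neither hits the drop.
vlan access-map DMZ2-FILTER 10
 match ip address DMZ2-KNOWN-IP
 action forward
vlan access-map DMZ2-FILTER 20
 match mac address DMZ2-KNOWN-MAC
 action forward
vlan access-map DMZ2-FILTER 30
 action drop
vlan filter DMZ2-FILTER vlan-list 20

! Dynamic ARP Inspection. With no DHCP snooping bindings on this VLAN, an
! ARP ACL supplies the IP-to-MAC binding; "static" makes the ACL's implicit
! deny final instead of falling back to the (empty) DHCP snooping table.
arp access-list DMZ2-ARP
 permit ip host 192.0.2.10 mac host 0011.2233.4455
ip arp inspection filter DMZ2-ARP vlan 20 static
ip arp inspection vlan 20

! The port toward the ASA is trusted; the host port stays untrusted (default),
! so any ARP on it claiming 192.0.2.10 from another MAC is dropped.
interface GigabitEthernet0/1
 description ASA dmz2
 switchport access vlan 20
 ip arp inspection trust
interface GigabitEthernet0/2
 description DMZ host
 switchport access vlan 20
```

Check it with `show vlan filter`, `show vlan access-map`, `show ip arp inspection vlan 20` and `show ip arp inspection statistics vlan 20` on the switch, and `show arp` on the ASA. The limit to keep in mind is the one the caveat describes: the VACL checks the IP address and the MAC address of a packet independently, so a station that forges only the host's IP address still satisfies the IP entry, and DAI validates ARP packets only. What the combination buys is that no MAC other than the two listed can send anything into the VLAN, no IP address other than the two listed can source IP traffic, and no ARP on an untrusted port can claim 192.0.2.10 with a different MAC.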