show arp

Aug 4th, 2008

When I do a show arp on my PIX 501 I get this back:


AB01-BM-PIX(config)# show arp
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.103 0080.6421.29f9
inside 10.13.2.105 0080.6469.4061
inside 10.13.2.60 001e.0b17.8990
inside 10.13.2.102 0080.6421.29fa
inside 10.13.2.63 0001.e679.b0c1
inside 10.13.2.101 0080.641c.32d5
inside 10.13.2.100 0080.6467.9dbb
inside 10.13.2.104 0080.641e.100b
inside 10.13.2.35 0008.8320.5840


I should only see:


outside 67.79.67.245

which is my default gateway (route outside 0.0.0.0 0.0.0.0 67.79.67.245 1)


So why am I seeing these others, and how do I take them out?


Any ideas?




Farrukh Haroon Mon, 08/04/2008 - 09:05
User Badges:
  • Red, 2250 points or more

No, it should not 'disconnect' them, but it might cause a slight delay (to re-learn the ARPs).


Regards


Farrukh

Farrukh Haroon Mon, 08/04/2008 - 08:57
User Badges:
  • Red, 2250 points or more

It is normal to find the ARP entries of LAN hosts in the ARP table of the ASA/PIX/FWSM.

Have a look at this:


http://wiki.wireshark.org/Gratuitous_ARP


"Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces."


It is also populated when clients connect through the firewall to other zones. And as others pointed out, you can do 'clear arp' if you wish.


Regards


Farrukh

Danny Guillory Jr Mon, 08/04/2008 - 09:58
User Badges:

OK, I cleared the ARP and the IPs were gone! I checked show arp again 10 min later and those IPs are back!


Any ideas?

dhananjoy chowdhury Mon, 08/04/2008 - 10:15
User Badges:
  • Silver, 250 points or more

Hi,

Is the outside interface connected to a switch with the default VLAN or to an unmanaged switch?

And are other systems/devices also connected to this switch?


Danny Guillory Jr Mon, 08/04/2008 - 10:20
User Badges:

At this location there should BE NOTHING else plugged into the switch! We have 1 modem, 1 switch, 1 501 and a few Wyse thin clients.


The PIX has a VPN tunnel to my main network, and my users use terminal services to connect to the RDP session of the servers.


These 2 outside connections concern me because I am looking at this and understanding that outside 192.168.1.1 0002.cf0f.7109 and outside 10.228.192.110 0002.cf0f.710e are connected to my PIX 501! *Am I correct?*


Any ideas?

dhananjoy chowdhury Mon, 08/04/2008 - 10:29
User Badges:
  • Silver, 250 points or more

From the MAC address it seems it is a modem or similar device.

MAC Address Prefix    Vendor
0002CF                ZyGate Communications

Farrukh Haroon Mon, 08/04/2008 - 10:31
User Badges:
  • Red, 2250 points or more

If you observe closely you will find that all three MACs belong to "ZyGate Communications", which seems to be a Wi-Fi equipment manufacturer. Are you using wireless?


Also, two of the MACs are the same (so 192.168.1.1 also seems to be your ISP's address):

outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109


http://www.coffer.com/mac_find/?string=0002.cf


This kind of stuff happens frequently due to ISP misconfigurations/wireless bridging etc.

I would not worry too much about it, just secure the access-list on the outside interface and make sure management to your firewall is properly logged/monitored/secured.


Regards


Farrukh
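
To make the checks this reply did by hand repeatable (neighbours on the outside interface beyond the default gateway, one MAC answering for more than one IP, and the vendor behind each OUI), here is an added Python example; it is not from the original thread or from Cisco. It parses the 'show arp' listing quoted in the question, the expected-neighbour set is the gateway from the poster's route statement, and the OUI table is a one-entry stand-in (the thread's own lookup) for a real IEEE OUI database.

```python
import re
from collections import defaultdict

# Constructed sample input: the first lines of the 'show arp' listing quoted
# in the question, embedded here so the script runs offline.
SHOW_ARP = """\
AB01-BM-PIX(config)# show arp
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.60 001e.0b17.8990
"""

# The only neighbour the outside interface should need to resolve: the
# default gateway from 'route outside 0.0.0.0 0.0.0.0 67.79.67.245 1'.
EXPECTED_OUTSIDE = {"67.79.67.245"}

# Tiny stand-in for a real OUI database; the single entry is the one the
# thread looked up. A production audit would load the IEEE OUI list instead.
OUI_TABLE = {"0002CF": "ZyGate Communications"}

# interface, dotted-quad IP, Cisco triple-hextet MAC (e.g. 0002.cf0f.7109)
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return [(iface, ip, mac)] for every ARP line; prompt and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m["iface"], m["ip"], m["mac"].lower()))
    return entries


def oui(mac):
    """First 24 bits of a Cisco-format MAC as an upper-case six-hex-digit OUI."""
    return mac.replace(".", "")[:6].upper()


def audit(entries, expected_outside, oui_table):
    """Flag what the thread flagged by hand: extra outside neighbours,
    one MAC answering for several IPs, and the vendor behind each MAC."""
    by_mac = defaultdict(list)
    vendors = {}
    unexpected_outside = []
    for iface, ip, mac in entries:
        by_mac[mac].append(ip)
        vendors.setdefault(mac, oui_table.get(oui(mac), "unknown"))
        if iface == "outside" and ip not in expected_outside:
            unexpected_outside.append(ip)
    shared_macs = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {
        "unexpected_outside": unexpected_outside,
        "shared_macs": shared_macs,
        "vendors": vendors,
    }


if __name__ == "__main__":
    report = audit(parse_show_arp(SHOW_ARP), EXPECTED_OUTSIDE, OUI_TABLE)
    for ip in report["unexpected_outside"]:
        print(f"outside neighbour not in expected set: {ip}")
    for mac, ips in report["shared_macs"].items():
        print(f"{mac} ({report['vendors'][mac]}) answers for {', '.join(ips)}")
```

Run as a script it reports the two unexpected outside neighbours and the MAC shared by 192.168.1.1 and 67.79.67.245; imported as a module, audit() can feed a scheduled check that alerts whenever the outside ARP table grows beyond the gateway, which is a cheaper signal than re-reading 'show arp' every ten minutes.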

JORGE RODRIGUEZ Mon, 08/04/2008 - 10:33
User Badges:
  • Green, 3000 points or more

There must be something other than the 67.79.67.245 router connected to that switch.

MAC address 0002.cf0f.710e is manufactured by ZyGate Communications, Inc. Do you have any equipment of this brand connected to the external switch? Perhaps the outside switch itself; what type of switch is it? How about the modem? Can you connect to that switch and see what else connects there?


MAC address lookup

http://aruljohn.com/mac.pl
