show arp

When I do a show arp on my PIX 501 I get this back:

AB01-BM-PIX(config)# show arp
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.103 0080.6421.29f9
inside 10.13.2.105 0080.6469.4061
inside 10.13.2.60 001e.0b17.8990
inside 10.13.2.102 0080.6421.29fa
inside 10.13.2.63 0001.e679.b0c1
inside 10.13.2.101 0080.641c.32d5
inside 10.13.2.100 0080.6467.9dbb
inside 10.13.2.104 0080.641e.100b
inside 10.13.2.35 0008.8320.5840

I should only see:

outside 67.79.67.245

which is my default gateway (route outside 0.0.0.0 0.0.0.0 67.79.67.245 1)

So why am I seeing these others, and how do I take them out?

Any ideas?

10 Replies

use the command

"clear arp"

Will using this cmd line disconnect my users currently connected?

No, it should not 'disconnect' them, but it might cause a slight delay (to re-learn the ARPs).

Regards

Farrukh

Farrukh Haroon
VIP Alumni

It is normal to find the ARP entries of LAN hosts in the arp table of the ASA/PIX/FWSM.

Have a look at this:

http://wiki.wireshark.org/Gratuitous_ARP

"Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces."

It is also populated when clients connect through the firewall to other zones. And as others pointed out, you can do 'clear arp' if you wish.

Regards

Farrukh

OK, I cleared the ARP and the IPs were gone! I checked show arp again 10 min later and those IPs are back!!!!!

Any ideas?

Hi,

Is the outside interface connected to a switch with the default VLAN or an unmanaged switch?

And are other systems/devices also connected on this switch?

At this location there should BE NOTHING else plugged in the switch! We have 1 modem, 1 switch, 1 501 and a few Wyse thin clients.

The PIX has a VPN tunnel to my main network, and my users use terminal services to connect to the RDP session of the servers!

These 2 outside connections concern me because I am looking at this and understanding that outside 192.168.1.1 0002.cf0f.7109 and outside 10.228.192.110 0002.cf0f.710e are connected to my PIX 501! *Am I correct?*

Any ideas?

From the MAC address it seems it is a Modem or similar device.

MAC Address Prefix    Vendor
0002CF                ZyGate Communications

If you observe closely you will find that all three MACs belong to "ZyGate Communications", which seems to be a Wi-Fi equipment manufacturer. Are you using wireless?

Also, two of the MACs are the same (so 192.168.1.1 also seems to be your ISP's address).

outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109

http://www.coffer.com/mac_find/?string=0002.cf

This kind of stuff happens frequently due to ISP misconfigurations/wireless bridging etc.

I would not worry too much about it, just secure the access-list on the outside interface and make sure management to your firewall is properly logged/monitored/secured.

Regards

Farrukh
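
The comparison made in the reply above (one MAC answering for two IPs, one vendor prefix behind every outside entry) can be scripted for repeated checks. This is an added example, not part of the original thread; the function names and the expected-gateway set are assumptions, and the sample lines are copied from the output in the question.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the "show arp" output in the question.
SHOW_ARP = """\
AB01-BM-PIX(config)# show arp
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.60 001e.0b17.8990
"""

# interface name, dotted IPv4 address, MAC in Cisco xxxx.xxxx.xxxx notation
ENTRY = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s*$"
)

def parse_show_arp(text):
    """Return (interface, ip, mac) tuples; prompts and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries

def oui(mac):
    """Vendor prefix (first three bytes), e.g. '0002.cf0f.7109' -> '0002CF'."""
    return mac.replace(".", "")[:6].upper()

def review(entries, interface, expected_ips):
    """Summarise one interface: unexpected IPs, MACs with >1 IP, vendor prefixes."""
    by_mac = defaultdict(list)
    for ifname, ip, mac in entries:
        if ifname == interface:
            by_mac[mac].append(ip)
    all_ips = [ip for ips in by_mac.values() for ip in ips]
    return {
        "unexpected": sorted(ip for ip in all_ips if ip not in expected_ips),
        "shared_mac": {mac: ips for mac, ips in by_mac.items() if len(ips) > 1},
        "ouis": sorted({oui(mac) for mac in by_mac}),
    }

if __name__ == "__main__":
    # Assumption: the only address expected on "outside" is the default gateway.
    report = review(parse_show_arp(SHOW_ARP), "outside", {"67.79.67.245"})
    for key, value in report.items():
        print(key, value)
```

Running it against a saved copy of the output after each `clear arp` shows whether the same unexpected entries are re-learned from the same MACs.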

There must be something other than the 67.79.67.245 router connected to that switch.

MAC address 0002.cf0f.710e is manufactured by ZyGate Communications, Inc. Do you have any equipment connected to the external switch with this brand? Perhaps the outside switch itself; what type of switch is it? How about the modem? Can you connect to that switch and do to see what else connects there?

mac address lookup

http://aruljohn.com/mac.pl

Jorge Rodriguez