08-04-2008 07:20 AM - edited 03-11-2019 06:25 AM
When I do a show arp on my PIX 501 I get this back:
AB01-BM-PIX(config)# show arp
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.103 0080.6421.29f9
inside 10.13.2.105 0080.6469.4061
inside 10.13.2.60 001e.0b17.8990
inside 10.13.2.102 0080.6421.29fa
inside 10.13.2.63 0001.e679.b0c1
inside 10.13.2.101 0080.641c.32d5
inside 10.13.2.100 0080.6467.9dbb
inside 10.13.2.104 0080.641e.100b
inside 10.13.2.35 0008.8320.5840
I should only see:
outside 67.79.67.245
which is my default gateway (route outside 0.0.0.0 0.0.0.0 67.79.67.245 1)
So why am I seeing these others, and how do I take them out?
any ideas?
08-04-2008 08:40 AM
use the command
"clear arp"
08-04-2008 08:58 AM
Will using this command disconnect my users who are currently connected?
08-04-2008 09:05 AM
No it should not 'disconnect' them, but it might cause a slight delay (to re-learn the ARPs)
Regards
Farrukh
08-04-2008 08:57 AM
It is normal to find the ARP entries of LAN hosts in the arp table of the ASA/PIX/FWSM.
Have a look at this:
http://wiki.wireshark.org/Gratuitous_ARP
"Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces."
It is also populated when clients connect through the firewall to other zones. And as others pointed out, you can do 'clear arp' if you wish.
Regards
Farrukh
08-04-2008 09:58 AM
OK, I cleared the ARP and the IPs were gone! I checked show arp again 10 min later and those IPs are back!!!!!
any ideas?
08-04-2008 10:15 AM
Hi,
Is the outside interface connected to a switch with the default VLAN, or to an unmanaged switch?
And are other systems/devices also connected to this switch?
08-04-2008 10:20 AM
At this location there should BE NOTHING else plugged into the switch! We have 1 modem, 1 switch, 1 501 and a few Wyse thin clients.
The PIX has a VPN tunnel to my main network, and my users use Terminal Services to connect to the RDP session of the servers.
These 2 outside connections concern me because I am looking at this and understanding that outside 192.168.1.1 0002.cf0f.7109 and outside 10.228.192.110 0002.cf0f.710e are connected to my PIX 501! *Am I correct?*
any ideas?
08-04-2008 10:29 AM
From the MAC address it seems it is a modem or similar device.
MAC address prefix: 0002CF, vendor: ZyGate Communications
08-04-2008 10:31 AM
If you observe closely you will find that all three MACs belong to "ZyGate Communications", which seems to be a Wi-Fi equipment manufacturer. Are you using wireless?
Also, two of the MACs are the same (so 192.168.1.1 also seems to be your ISP's address):
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
http://www.coffer.com/mac_find/?string=0002.cf
This kind of stuff happens frequently due to ISP misconfigurations/wireless bridging etc.
I would not worry too much about it, just secure the access-list on the outside interface and make sure management to your firewall is properly logged/monitored/secured.
Regards
Farrukh
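The check Farrukh describes above (look up the OUI of each MAC, and notice when one MAC answers for several IPs on the outside interface) can be scripted. This is an added example, not code from the thread or from Cisco; it assumes the ARP lines are in the PIX `show arp` format shown in the original post, and the OUI table is a constructed stub with only the prefix needed here.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the 'show arp' output posted above.
SHOW_ARP = """\
outside 192.168.1.1 0002.cf0f.7109
outside 10.228.192.110 0002.cf0f.710e
outside 67.79.67.245 0002.cf0f.7109
inside 10.13.2.106 0080.6469.418c
inside 10.13.2.60 001e.0b17.8990
"""

# Stub OUI table (assumption): a real check would load the full IEEE OUI list.
OUI = {"0002cf": "ZyGate Communications"}

# interface, IPv4 address, Cisco dotted-hex MAC (xxxx.xxxx.xxxx)
LINE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})$", re.I)

def parse_show_arp(text):
    """Return (interface, ip, mac) tuples; MAC normalised to 12 lowercase hex digits."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            iface, ip, mac = m.groups()
            entries.append((iface, ip, mac.replace(".", "").lower()))
    return entries

def vendor(mac):
    """Vendor name for the first three octets of a normalised MAC."""
    return OUI.get(mac[:6], "unknown")

def shared_macs(entries, interface):
    """MACs on one interface that answer for more than one IP -> {mac: [ips]}."""
    by_mac = defaultdict(list)
    for iface, ip, mac in entries:
        if iface == interface:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def unexpected_outside(entries, expected_ips):
    """Outside entries other than the expected next hop(s), as (ip, mac) pairs."""
    return [(ip, mac) for iface, ip, mac in entries
            if iface == "outside" and ip not in expected_ips]

if __name__ == "__main__":
    arp = parse_show_arp(SHOW_ARP)
    for ip, mac in unexpected_outside(arp, {"67.79.67.245"}):
        print(f"unexpected outside neighbour {ip} {mac} ({vendor(mac)})")
    for mac, ips in shared_macs(arp, "outside").items():
        print(f"{mac} ({vendor(mac)}) answers for {', '.join(ips)}")
```

Run against the full `show arp` output, the second loop reports the 0002.cf0f.7109 entry shared by 192.168.1.1 and 67.79.67.245, which is the point made in the post above.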
08-04-2008 10:33 AM
There must be something other than the 67.79.67.245 router connected to that switch.
MAC address 0002.cf0f.710e is manufactured by ZyGate Communications, Inc. Do you have any equipment of this brand connected to the external switch? Perhaps the outside switch itself; what type of switch is it? How about the modem? Can you connect to that switch and do a MAC address lookup?