How to disable ARP security on ASA

Unanswered Question
Jul 12th, 2009

We have an ASA and need to find a way to disable ARP security on the inside interface. We are going to put a device in front of it that is a sort of nearly-transparent proxy, but it unfortunately rewrites packets that travel through it with its own MAC address. The ASA seems to not like this very much at all.

Is there a way to disable that function? I have no idea what the command would be. The only thing I found related to this was ARP inspection, but that didn't seem to have anything to do with the dynamic ARP cache. It seemed to only be relevant when you have static ARP entries.

Regardless, it doesn't look like we have that turned on, anyway.

Any thoughts?

neibergerj Mon, 07/13/2009 - 06:33

I'm not sure how that applies to what I'm talking about. Proxy ARP is when the ASA responds to an ARP request with its own MAC address even when it doesn't own it. That shouldn't be happening in our configuration anyway.

The problem appears to be that the ASA is populating its ARP cache with the real MAC addresses of these devices. Then this other box (a sort-of brouter) passes traffic through it with the source IPs of our other network devices but with its own MAC address.

It seems like the ASA thinks this is an ARP spoofing attack and is stopping the traffic.

We're going to do some more testing this morning, but I still can't figure out how to disable that behavior.

neibergerj Mon, 07/13/2009 - 06:45

The more I look into this, the more I think we don't even have that feature enabled. But it's the only thing that makes sense. If that's not the problem, I have no idea what is.

I'm really starting to think this has nothing to do with any sort of ARP spoofing protection.

Collin Clark Mon, 07/13/2009 - 06:47

What about creating a static ARP entry in the ASA? Will that work for you?

neibergerj Mon, 07/13/2009 - 06:55

No, that wouldn't work. I'd have to create a static ARP entry for every device requiring internet access.

I'm beginning to think this isn't the problem, anyway. It doesn't look to me like we have any sort of ARP spoofing protection turned on.

Amadou TOURE Mon, 07/13/2009 - 08:18

Hello,

What is the error message on the ASA?

Is the MAC address the only rewritten field in the packet?

Actually the ASA should be able to deal with the "one MAC-multiple IP" scheme.

Thanks
