
How to disable ARP security on ASA

Unanswered Question
Jul 12th, 2009

We have an ASA and need to find a way to disable ARP security on the inside interface. We are going to put a device in front of it that is a sort of nearly-transparent proxy, but it unfortunately rewrites packets that travel through it with its own MAC address. The ASA seems to not like this very much at all.

Is there a way to disable that function? I have no idea what the command would be. The only thing I found related to this was ARP inspection, but that didn't seem to have anything to do with the dynamic ARP cache. It seemed to only be relevant when you have static ARP entries.

Regardless, it doesn't look like we have that turned on, anyway.

Any thoughts?

jneiberger Mon, 07/13/2009 - 06:33

I'm not sure how that applies to what I'm talking about. Proxy ARP is when the ASA responds to an ARP request with its own MAC address even when it doesn't own it. That shouldn't be happening in our configuration anyway.

The problem appears to be that the ASA is populating its ARP cache with the real MAC addresses of these devices. Then this other box (a sort-of brouter) passes traffic through it with the source IPs of our other network devices but with its own MAC address.

It seems like the ASA thinks this is an ARP spoofing attack and is stopping the traffic.

We're going to do some more testing this morning, but I still can't figure out how to disable that behavior.

jneiberger Mon, 07/13/2009 - 06:45

The more I look into this, the more I think we don't even have that feature enabled. But it's the only thing that makes sense. If that's not the problem, I have no idea what is.

I'm really starting to think this has nothing to do with any sort of ARP spoofing protection.

Collin Clark Mon, 07/13/2009 - 06:47
User Badges:
  • Purple, 4500 points or more

What about creating a static ARP entry in the ASA. Will that work for you?

jneiberger Mon, 07/13/2009 - 06:55

No, that wouldn't work. I'd have to create a static ARP entry for every device requiring internet access.

I'm beginning to think this isn't the problem, anyway. It doesn't look to me like we have any sort of ARP spoofing protection turned on.

Amadou TOURE Mon, 07/13/2009 - 08:18

What is the error message on the ASA?

Is the MAC address the only rewritten field in the packet?

Actually the ASA should be able to deal with the "one MAC-multiple IP" scheme.
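The exchange above turns on two different ARP patterns: the "one MAC, multiple IPs" scheme Amadou says the ASA can handle, and the "one IP whose MAC changes after it was learned" pattern that jneiberger suspects is being treated as spoofing. The script below is an added illustration, not code from the thread or from Cisco; it models how a simple ARP-consistency audit distinguishes the two, using a constructed set of observations (all hostnames, IPs and MACs are sample values). The `ArpAudit` class, its method names and the sample data are assumptions for the example.

```python
"""Classify observed IP<->MAC bindings with a minimal ARP-consistency audit.

Added example for the discussion above (not from the thread or from Cisco).
It separates two patterns:
  * one MAC answering for many IPs, which is normal for a proxy, NAT box
    or brouter that rewrites the source MAC;
  * an IP whose MAC differs from the one first learned, which is what
    ARP-spoofing heuristics flag, and which a MAC-rewriting proxy produces
    for every host the firewall had already learned directly.
All IPs and MACs below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpObservation:
    ip: str
    mac: str


@dataclass
class ArpAudit:
    """Tracks the first-learned MAC per IP and records later changes."""
    learned: dict = field(default_factory=dict)                      # ip -> first mac
    ips_per_mac: dict = field(default_factory=lambda: defaultdict(set))
    conflicts: list = field(default_factory=list)                    # (ip, old_mac, new_mac)

    def observe(self, obs: ArpObservation) -> None:
        self.ips_per_mac[obs.mac].add(obs.ip)
        first = self.learned.get(obs.ip)
        if first is None:
            self.learned[obs.ip] = obs.mac          # first binding wins, as a cache would
        elif first != obs.mac:
            self.conflicts.append((obs.ip, first, obs.mac))

    def shared_macs(self, threshold: int = 2) -> dict:
        """MACs seen with at least `threshold` distinct IPs (proxy/NAT signature)."""
        return {mac: sorted(ips) for mac, ips in self.ips_per_mac.items()
                if len(ips) >= threshold}


def audit(observations) -> ArpAudit:
    a = ArpAudit()
    for o in observations:
        a.observe(o)
    return a


# Constructed scenario: two hosts learned directly, then the same hosts plus a
# third one seen behind a proxy that rewrites the source MAC to its own.
PROXY_MAC = "00:aa:bb:cc:dd:ee"
SAMPLE = [
    ArpObservation("10.0.0.11", "00:11:22:33:44:11"),
    ArpObservation("10.0.0.12", "00:11:22:33:44:12"),
    ArpObservation("10.0.0.11", PROXY_MAC),   # learned host now behind proxy
    ArpObservation("10.0.0.12", PROXY_MAC),
    ArpObservation("10.0.0.13", PROXY_MAC),   # only ever seen via proxy
]


def summarize(observations=SAMPLE) -> dict:
    a = audit(observations)
    return {"conflicts": a.conflicts, "shared": a.shared_macs()}


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize())
```

Running it shows both signals at once: the proxy MAC is reported as shared by three IPs (harmless on its own, matching Amadou's point), while the two hosts the audit had already learned directly produce binding conflicts. Auditing only the post-proxy observations (`audit(SAMPLE[2:])`) yields no conflicts, which is why the order in which a firewall learns the bindings, not just the "one MAC, many IPs" shape, decides whether traffic is flagged.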
