ARP Spoofing

Unanswered Question
Nov 28th, 2009
User Badges:

Hello All-

     I am including the output from our companies ASA 5520.  I am wondering if this strange output could be due to ARP Spoofing, and if so what should be my next step?

WRMC-ASA# show arp
        outside 24.XXX.XX.XX 0002.fc67.8166 64 - (This entry appears to be fine)
        outside 24.XXX.XX.XX 0002.fc67.8166 777 - (This entry appears to be fine)
        outside 0002.fc67.8166 1553 - (**This is the entry that I am concerned about)
        inside 0011.bcc7.9440 1636 - (This entry appears to be correct)
        dmz-1 000e.0c6e.a0f4 219 - (This entry appears to be correct)

Thanks All.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Panos Kampanakis Mon, 11/30/2009 - 15:34
User Badges:
  • Cisco Employee,

It could be due to proxy-arping, or Gratuitous arping on the outside.

I don't think the ASA is arping for that ip address on the outside.

So it is probably a grat arp from someone on the outside. Maybe a bad guy grat arping.

Or even a packet that was misouted/mis-switched to the outside.

I hope it helps.



This Discussion