ARP Spoofing

Unanswered Question
Nov 28th, 2009
User Badges:

Hello All-


     I am including the output from our companies ASA 5520.  I am wondering if this strange output could be due to ARP Spoofing, and if so what should be my next step?


WRMC-ASA# show arp
        outside 24.XXX.XX.XX 0002.fc67.8166 64 - (This entry appears to be fine)
        outside 24.XXX.XX.XX 0002.fc67.8166 777 - (This entry appears to be fine)
        outside 172.16.15.1 0002.fc67.8166 1553 - (**This is the entry that I am concerned about)
        inside 172.16.15.1 0011.bcc7.9440 1636 - (This entry appears to be correct)
        dmz-1 192.168.101.11 000e.0c6e.a0f4 219 - (This entry appears to be correct)


Thanks All.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Panos Kampanakis Mon, 11/30/2009 - 15:34
User Badges:
  • Cisco Employee,

It could be due to proxy-arping, or Gratuitous arping on the outside.

I don't think the ASA is arping for that ip address on the outside.

So it is probably a grat arp from someone on the outside. Maybe a bad guy grat arping.

Or even a packet that was misouted/mis-switched to the outside.


I hope it helps.


PK

Actions

This Discussion