Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
654
Views
0
Helpful
1
Replies

ARP Spoofing

Chad Spears
Level 1
Level 1

‎11-28-2009 08:20 PM - edited ‎03-09-2019 10:44 PM

Hello All-

     I am including the output from our companies ASA 5520.  I am wondering if this strange output could be due to ARP Spoofing, and if so what should be my next step?

WRMC-ASA# show arp
        outside 24.XXX.XX.XX 0002.fc67.8166 64 - (This entry appears to be fine)
        outside 24.XXX.XX.XX 0002.fc67.8166 777 - (This entry appears to be fine)
        outside 172.16.15.1 0002.fc67.8166 1553 - (**This is the entry that I am concerned about)
        inside 172.16.15.1 0011.bcc7.9440 1636 - (This entry appears to be correct)
        dmz-1 192.168.101.11 000e.0c6e.a0f4 219 - (This entry appears to be correct)

Thanks All.

Labels:
0 Helpful
1 Reply 1

Panos Kampanakis
Cisco Employee
Cisco Employee

‎11-30-2009 03:34 PM

It could be due to proxy-arping, or Gratuitous arping on the outside.

I don't think the ASA is arping for that ip address on the outside.

So it is probably a grat arp from someone on the outside. Maybe a bad guy grat arping.

Or even a packet that was misouted/mis-switched to the outside.

I hope it helps.

PK

0 Helpful
Customers Also Viewed These Support Documents