Unknown router granted dynamic ARP, now what?

Unanswered Question
Apr 5th, 2010
User Badges:

I have discovered that the Cisco ASA5505 we are using for a firewall is granting a dynamic arp to an SMC router on the outside interface which has access to the internet. The IP address is not that of the single IP granted for the outside interface to the internet, but it is in the range under the net mask (8 addresses).


I tried using a non-MAC exempt rule in the AAA section to block this, but this doesn't seem to be a good solution.


Is the router coming in from the outside?  Has the outside interface been breached?  Apparently the ASA5505 doesn't think the router is violating an access rules.


The dynamic ARP appeared over the week end, when the normal equipment was shut down, but the firewall left running.  Too bad the ARP table doesn't time stamp when this occurred.


The unknown router has the same MAC address that was found during the middle of last week.  This appearance just started at the middle of last week.


I do not know what router this is, so I now have concern.


What steps should I take to track this down?  (I am not an experienced seasoned security IP person)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Panos Kampanakis Mon, 04/05/2010 - 12:10
User Badges:
  • Cisco Employee,

Networking devices will learn arp when a Grat ARP is sent. The arp entry will be added to the routing table for locally connected nets.

If you saw an incorrect arp you should check the directly connected devices.

Any time you un shut and interface with an ip address on a router or an ASA it will Grat arp.


If there is a switch that connects the outside of the asa you can do "sh mac address | i " to see if the switch learnt that mac on a port.


I hope it helps.


PK

randallrathbun Mon, 04/05/2010 - 14:15
User Badges:

Dear PK:


I did some reading on my own regarding "Gratuitous ARP" and understand that now, but am having problems discovering how the ASA5505 learned the ARP, since apparently the "show mac" command is not available under the ASA 5505 software (I am using the CLI window)


The available show commands are "show arp" and "show IP" which is close but doesn't give me what I need.


It could be that the connection on the other end of my dedicated IP (1 address) is changing or stopping and starting and then sending the Grat arp, as this seems most reasonable, but I would like to confirm that this is so.


It also doesn't help that last week Columbia University in New York scanned our block of addresses and attempted to sit upon both the http and telnet ports.  Their laboratory is set up to scan banks of IP numbers and find misconfigured routers or security appliances.


Randall

Panos Kampanakis Tue, 04/06/2010 - 05:58
User Badges:
  • Cisco Employee,

The "sh mac address" is available on the switches. So if you have a switch on the outside of the ASA that cannects that ASA
outside with the upstream router you can check the mac address table of the switchto see where it learnt the bogus mac.


I hope it helps.


PK

Actions

This Discussion