I have discovered that the Cisco ASA5505 we are using for a firewall is granting a dynamic arp to an SMC router on the outside interface which has access to the internet. The IP address is not that of the single IP granted for the outside interface to the internet, but it is in the range under the net mask (8 addresses).
I tried using a non-MAC exempt rule in the AAA section to block this, but this doesn't seem to be a good solution.
Is the router coming in from the outside? Has the outside interface been breached? Apparently the ASA5505 doesn't think the router is violating an access rules.
The dynamic ARP appeared over the week end, when the normal equipment was shut down, but the firewall left running. Too bad the ARP table doesn't time stamp when this occurred.
The unknown router has the same MAC address that was found during the middle of last week. This appearance just started at the middle of last week.
I do not know what router this is, so I now have concern.
What steps should I take to track this down? (I am not an experienced seasoned security IP person)