cisco asa arp poison

Answered Question
Jul 12th, 2010

Hello,

I use a Cisco ASA firewall in an L3 configuration.

Result of the command: "show running-config sysopt"

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn

The problem is that the ASA is answering all ARP requests on the inside LAN!

Is this a default setting for the ASA, to answer all ARP requests?

Do I have to disable this, and how?

Thank you,

Laszlo


Correct Answer by Jennifer Halim about 6 years 4 months ago

You are right. Proxy ARP is enabled by default.

Here is how to disable proxy ARP for the inside interface:

sysopt noproxyarp inside

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

Hope that helps.

Correct Answer
Nagaraja Thanthry Mon, 07/12/2010 - 06:38

Hello,

To add to halijenn's post, when you disable proxy ARP on the inside (or any other) interface, make sure that you are not doing any NAT on that interface, i.e. static (DMZ,inside) for example. The moment you disable proxy ARP, the firewall will stop proxy-ARPing for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATted IP of the DMZ server.

Hope this helps.

Regards,

NT

laposilaszlo Mon, 07/12/2010 - 07:14

I only overload the inside LAN.

If I disable proxy ARP, is this going to work?

Thank you,

laszlo

Correct Answer
Nagaraja Thanthry Mon, 07/12/2010 - 07:54

Hello,

If you are using the inside interface IP for overloading, then it should not be a problem.

global (inside) 1 interface

If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then you will also not have any issues. But if you are using something like

global (inside) 1 10.1.1.100

and 10.1.1.100 is not the address of the inside interface, then if you turn off proxy ARP on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:

arp inside 10.1.1.100 alias

This will ensure that the inside interface responds to ARP queries when the destination address is 10.1.1.100.

Hope this helps.

Regards,

NT
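The caveat in the two replies above (once proxy ARP is off on an interface, a NAT-mapped address hosted on that interface goes unanswered unless it is the interface's own IP or has a static `arp ... alias` entry) can be checked mechanically against a running-config before the `sysopt noproxyarp` line is committed. The script below is an added example written for this page; it is not code from the thread or from Cisco. The config it parses is a constructed sample, the function names are mine, and it recognises the 8.2-era `global`/`static` NAT syntax used in the thread. The `arp ... alias` line is accepted both as written in the reply and with the MAC address the CLI normally takes.

```python
import re

# Constructed sample of an ASA 8.2-style running-config (not taken from the thread):
# proxy ARP is disabled on "inside", which also hosts a PAT pool address and a
# static NAT mapping, but only one of the two has a static ARP alias entry.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface Vlan3
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
global (outside) 1 interface
global (inside) 1 10.1.1.100
static (dmz,inside) 10.1.1.50 192.168.2.50 netmask 255.255.255.255
arp inside 10.1.1.100 alias
sysopt noproxyarp inside
"""


def parse_config(text):
    """Return (if_ip, noproxy, mapped, aliases): interface IPs by nameif, nameifs with
    'sysopt noproxyarp', NAT-mapped (addr, line) pairs by nameif, 'arp ... alias' addrs by nameif."""
    if_ip, noproxy, mapped, aliases = {}, set(), {}, {}
    current_if = None
    for line in (ln.rstrip() for ln in text.splitlines()):
        if line.startswith("interface "):
            current_if = None                    # nameif of this block not seen yet
        elif m := re.match(r"\s+nameif (\S+)$", line):
            current_if = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) \S+", line)) and current_if:
            if_ip[current_if] = m.group(1)
        elif m := re.match(r"sysopt noproxyarp (\S+)$", line):
            noproxy.add(m.group(1))
        # global (<nameif>) <id> <addr|interface>: PAT/NAT pool address hosted on <nameif>
        elif m := re.match(r"global \((\S+)\) \d+ (\S+)", line):
            nameif, addr = m.groups()
            if addr != "interface":              # 'interface' means the interface's own IP
                mapped.setdefault(nameif, set()).add((addr, line))
        # static (<real_if>,<mapped_if>) [tcp|udp] <mapped_addr> ...: mapped address on <mapped_if>
        elif m := re.match(r"static \((\S+),(\S+)\) (?:(?:tcp|udp) )?(\S+)", line):
            _real_if, mapped_if, mapped_addr = m.groups()
            if mapped_addr != "interface":
                mapped.setdefault(mapped_if, set()).add((mapped_addr, line))
        # arp <nameif> <ip> [<mac>] alias: static entry the ASA answers ARP for itself
        elif m := re.match(r"arp (\S+) (\S+)(?: \S+)? alias$", line):
            aliases.setdefault(m.group(1), set()).add(m.group(2))
    return if_ip, noproxy, mapped, aliases


def unanswered_mapped_addrs(text):
    """NAT-mapped addresses on a noproxyarp interface that the ASA will no longer answer
    ARP for: not the interface's own IP and not covered by an 'arp ... alias' entry."""
    if_ip, noproxy, mapped, aliases = parse_config(text)
    findings = []
    for nameif in sorted(noproxy):
        for addr, line in sorted(mapped.get(nameif, ())):
            if addr != if_ip.get(nameif) and addr not in aliases.get(nameif, set()):
                findings.append((nameif, addr, line))
    return findings


def suggested_alias_commands(findings):
    """Static ARP alias entries that would restore each address; <interface-mac> is a
    placeholder for the MAC the CLI takes (normally the ASA interface's own)."""
    return [f"arp {nameif} {addr} <interface-mac> alias" for nameif, addr, _ in findings]


if __name__ == "__main__":
    hits = unanswered_mapped_addrs(SAMPLE_CONFIG)
    for nameif, addr, line in hits:
        print(f"[{nameif}] {addr}: no ARP responder once proxy ARP is off  <- {line}")
    for cmd in suggested_alias_commands(hits):
        print("suggested:", cmd)
```

Run as-is, it flags 10.1.1.50 (the static DMZ mapping on inside) and leaves 10.1.1.100 alone because of its alias entry. To check a real firewall, feed it the text of `show running-config` in place of `SAMPLE_CONFIG`; it only understands the `global`/`static` NAT form discussed in the thread, not the later object-based NAT syntax.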
