×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Strange Entries in ARP Table

Answered Question
Feb 9th, 2012
User Badges:

I need some advice on this topic.  I am seeing strange entries in my ARP table on my ASA 5510.  We do not use any static ARP on the firewall at all.  There are several dynamic arp entries being created that are not local to my network, yet they show up on the Management(Inside) interface.  I am pretty new to this so I may just not fully understand how/why a dynamic ARP entry is create on the inside interface of my firewall.  I see all of my local IP's in this table, but am concerned with the ones that are not local.

Correct Answer by Richard Burts about 5 years 6 months ago

Are you doing anything that might use Reverse Route Injection?


Can you show us the routes configured on the ASA?


HTH


Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Julio Carvajal Thu, 02/09/2012 - 14:26
User Badges:
  • Purple, 4500 points or more

Hello,


Can you confirm if you do not have any static arp configured on your asa:

     -Show run arp


Also you said its on your managment interface, where is this port on the ASA going to ( connected to)?


Regards,


Julio

sabinj Thu, 02/09/2012 - 17:22
User Badges:

Yes I can confirm that there are no static arps configured. 

sho run arp: no results returned 

We don't NAT to any of the addresses that are showing up in the ARP table, they are addresses that are completely foreignto the networks that we access on our known networks. 

sabinj Thu, 02/09/2012 - 17:30
User Badges:

Whats more troubling is the fact they are showing up on my inside interface. 

Julio Carvajal Thu, 02/09/2012 - 17:37
User Badges:
  • Purple, 4500 points or more

Hello,


So they are showing up on the inside and also managment interface? Right?

sabinj Thu, 02/09/2012 - 17:50
User Badges:

Hello, In our setup the management interface is also the inside interface. We do not dedicate an interface to management only.

Julio Carvajal Thu, 02/09/2012 - 18:03
User Badges:
  • Purple, 4500 points or more

Hello,


Hmmm, is the ASA the only path to get in or get out of your network?


Regards,


Julio

sabinj Thu, 02/09/2012 - 18:10
User Badges:

Hello,


Yes that is correct.


Thanks,


Sabin

Julio Carvajal Fri, 02/10/2012 - 09:37
User Badges:
  • Purple, 4500 points or more

Hello,


If I were in your place I would start inmediatly to investigate what is going on in here because looks like there are devices on the internal network that do not belong to your company, if you have their ip addresses I would definitly shun them


Regards,


Let me know what you find out!

Marvin Rhoads Thu, 02/09/2012 - 15:48
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Besides defined static ARPs, the ASA will also add arp entries for xlates (NATs).

Correct Answer
Richard Burts Fri, 02/10/2012 - 09:46
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Are you doing anything that might use Reverse Route Injection?


Can you show us the routes configured on the ASA?


HTH


Rick

sabinj Fri, 02/10/2012 - 13:48
User Badges:

Hello Richard,


We had reverse route injection selected on our L2L cryptomap rule.  It really was not needed so I disabled it.  However I still am getting some of the addresses popping up.  I did a lookup on them and most are coming back as the following..


Reverse lookup for addresses below: .deploy.akamaitechnologies.com

23.1.217.83  whois = Domain Name: AKAMAITECHNOLOGIES.COM

65.197.244.80  whois = Domain Name: AKAMAITECHNOLOGIES.COM

65.197.244.82  whois = Domain Name: AKAMAITECHNOLOGIES.COM

72.246.225.83  whois = AKAMAITECHNOLOGIES.COM


Apparently this AKAMAITECHNOLOGIES.COM provide deployment services and bandwidth for companies such as Microsoft and many more.


No results

206.160.105.254  whois = Sprint.com

204.95.60.12  whois = Sprint.com

112.80.48.236 whois = Something in China...Blocked this network at firewall.


Reverse lookup for addresses below:  dns-redir-lb-02.tampabay.rr.com

65.32.5.112

65.32.5.111



A little more background on our setup.  We have a very small network with no more than 80 connected devices.  All devices have been accounted for. 


We have a L2L VPN tunnel to our client (did have Reverse route injection enable/now disabled as not needed).  Here we use a dynamic policy NAT to NAT our internal hosts to an address space (Provided by ISP) usable in our clients network.  The nat is configured so packets destined for client network on VPN tunnel get hit a pool of addresses and the source IP is then translated.


We are also using PAT, which is used for packets not destined for the vpn tunnel (like the web). 


What is most puzzling, is if I turn off the PAT and delete the dynamic policy nat, then recreate a new dynamic nat with any any to the pool of addresses, these strange addresses do not show up in ARP table.

Actions

This Discussion