cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3469
Views
0
Helpful
1
Replies

ARP table clash with checkpoint and ASA firewal issue

cevallosw
Level 1
Level 1

We are migrating DMZ segments from a checkpoint to a ASA 5585 firewall that we had connected to the same segments as the Checkpoint except on different IP addresses then the checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NATs entries below we experienced an arp table clash with the checkpoint and ASA firewall on the local segments that caused a application outage. What was determined was that the checkpoint firewall was showing that all the IP addresses in particular on vlan130 segment was associating the MAC address of the ASA interface instead of the real sever MAC address. I need assistance understanding the reason why the Checkpoint was pointing the ARP entries for many different address on VLAN130 to the ASA firewall MAC?

nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5

nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional

nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional

nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses

nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23

nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24

nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25

nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26

nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1

isxasa04/wwy-legacy# sho interface

Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down

MAC address 442b.0330.aba2, MTU 1500

IP address 10.121.129.X, subnet mask 255.255.255.0

Traffic Statistics for "core-inside":

241633 packets input, 12094352 bytes

44788 packets output, 3032584 bytes

109732 packets dropped

Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down

MAC address 442b.0330.aba3, MTU 1500

IP address 10.121.130.X, subnet mask 255.255.255.0

Traffic Statistics for "VLAN130":

1264203 packets input, 136452168 bytes

326080 packets output, 69216516 bytes

794035 packets dropped

Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down

MAC address 442b.0330.aba3, MTU 1500

IP address 10.121.136.X, subnet mask 255.255.255.0

Traffic Statistics for "VLAN136":

374547 packets input, 23696109 bytes

51186 packets output, 3324895 bytes

173500 packets dropped

Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down

MAC address 442b.0330.ab9b, MTU 1500

IP address 167.9.6.X, subnet mask 255.255.255.0

Traffic Statistics for "internet-outside":

352158 packets input, 17245425 bytes

76888 packets output, 3872904 bytes

12255 packets dropped

Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down

MAC address 442b.0330.ab9c, MTU 1500

IP address 10.121.201.X, subnet mask 255.255.255.0

Traffic Statistics for "internet-dmz":

237795 packets input, 12460108 bytes

40787 packets output, 2775684 bytes

27378 packets dropped

Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down

MAC address 442b.0330.ab9e, MTU 1500

IP address 10.121.140.X, subnet mask 255.255.255.0

Traffic Statistics for "VLAN140":

386931 packets input, 18807725 bytes

48936 packets output, 3319712 bytes

114417 packets dropped

  • We crosschecked MAC addresses and this is what we found:

Checkpoint ARP table:

10.121.130.101 44:2b:3:30:ab:a3 3285

ASA ARP table:

isxasa04/wwy-legacy# sh arp | i 10.121.130.101
VLAN130 10.121.130.101 001a.4b06.dd45 10525

Server real address provided by processing:

0x001A4B06DD45

  • When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
  • Kevin cleared the ARP table on the Checkpoints and problem was solved;
  • Later I saw this:

isxasa04# sh int | i MAC

MAC address 442b.0330.ab9a, MTU not set

MAC address 442b.0330.ab9b, MTU not set

MAC address 442b.0330.ab9c, MTU not set

MAC address 442b.0330.ab9d, MTU 1500

MAC address 442b.0330.ab9e, MTU not set

MAC address 442b.0330.ab9f, MTU not set

MAC address 442b.0330.aba0, MTU not set

MAC address 442b.0330.aba1, MTU not set

MAC address 442b.0330.ab98, MTU not set

MAC address 442b.0330.ab99, MTU not set

MAC address 442b.0330.aba2, MTU not set

MAC address 442b.0330.aba3, MTU not set

1 Reply 1

Jeff Van Houten
Level 5
Level 5

The Asa is proxy Arping those macs. Turn off proxy arp and put in static arp entries until you completely shut down the checkpoint.

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: