New Member

cisco asa arp poison

Hello,

I use a Cisco ASA firewall in an L3 configuration.

Result of the command: "show running-config sysopt"

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

The problem is that the ASA is answering all ARP requests on the inside LAN!

Is this a default setting for the ASA to answer all ARP requests?

Do I have to disable this, and how?

Thank you,

Laszlo
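The symptom described in the question (one device answering ARP for many inside addresses) looks the same on the wire whether it is a firewall doing proxy ARP or a host poisoning the ARP caches. The following added example (not from this thread or from Cisco) shows how a defender can tell the two apart from a capture: it takes constructed ARP reply records of the form (sender IP, sender MAC), flags MACs that claim more than a threshold of IPs, flags IPs answered by more than one MAC, and labels a multi-IP responder as a known gateway only if its MAC is on an allowlist. The MAC `00:1a:2b:3c:4d:01` is assumed here to be the ASA inside interface; the other addresses are hypothetical hosts.

```python
"""Distinguish proxy ARP from ARP poisoning in a set of ARP replies.

Added example, not part of the original thread. Input records are
constructed (sender_ip, sender_mac) pairs as a sniffer or a switch's ARP
log would yield them.
"""
from collections import defaultdict

# Constructed sample of replies seen on the inside VLAN. The MAC
# 00:1a:2b:3c:4d:01 is assumed to be the ASA inside interface.
SAMPLE_ARP_REPLIES = [
    ("10.1.1.1", "00:1a:2b:3c:4d:01"),    # ASA inside interface itself
    ("10.1.1.20", "00:1a:2b:3c:4d:01"),   # ASA answering for a host (proxy ARP)
    ("10.1.1.21", "00:1a:2b:3c:4d:01"),
    ("10.1.1.22", "00:1a:2b:3c:4d:01"),
    ("10.1.1.20", "aa:bb:cc:00:00:20"),   # real owner of 10.1.1.20 also answers
    ("10.1.1.30", "aa:bb:cc:00:00:30"),
    ("10.1.1.31", "aa:bb:cc:00:00:31"),
]


def ips_per_mac(replies):
    """Map each sender MAC (normalised to lower case) to the IPs it claimed."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[mac.lower()].add(ip)
    return claims


def find_multi_ip_responders(replies, threshold=2):
    """Return {mac: sorted IPs} for MACs that claimed more than `threshold` IPs.

    A gateway doing proxy ARP and a poisoning host both show up here."""
    return {mac: sorted(ips)
            for mac, ips in ips_per_mac(replies).items()
            if len(ips) > threshold}


def find_conflicting_ips(replies):
    """Return {ip: sorted MACs} for IPs answered by more than one MAC.

    Two answers for one IP means hosts will cache whichever reply arrives
    last, which is the practical effect of both proxy ARP and poisoning."""
    owners = defaultdict(set)
    for ip, mac in replies:
        owners[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in owners.items() if len(macs) > 1}


def classify_responders(replies, known_gateway_macs, threshold=2):
    """Label each multi-IP responder.

    'proxy-arp-gateway' if the MAC is an allowlisted firewall/router
    interface (expected proxy ARP), otherwise 'unknown-responder', which
    is the case worth investigating."""
    known = {m.lower() for m in known_gateway_macs}
    return {mac: ("proxy-arp-gateway" if mac in known else "unknown-responder")
            for mac in find_multi_ip_responders(replies, threshold)}


if __name__ == "__main__":
    print("multi-IP responders:", find_multi_ip_responders(SAMPLE_ARP_REPLIES))
    print("conflicting IPs:", find_conflicting_ips(SAMPLE_ARP_REPLIES))
    print("classification:", classify_responders(SAMPLE_ARP_REPLIES,
                                                  ["00:1A:2B:3C:4D:01"]))
```

On the sample, the ASA MAC is the only multi-IP responder and 10.1.1.20 is the only IP with two owners; because that MAC is on the gateway allowlist the verdict is proxy ARP rather than poisoning. The same MAC without an allowlist entry would be reported as an unknown responder.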

4 REPLIES
Cisco Employee (Accepted Solution)

Re: cisco asa arp poison

You are right. Proxy ARP is enabled by default.

Here is how to disable proxy ARP for the inside interface:

sysopt noproxyarp inside

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

Hope that helps.

Cisco Employee (Accepted Solution)

Re: cisco asa arp poison

Hello,

To add to halijenn's post, when you disable proxy ARP on the inside (or any other) interface, make sure that you are not doing any NAT on that interface, i.e. static (DMZ,inside) for example. The moment you disable proxy ARP, the firewall will stop proxy-ARPing for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATted IP of the DMZ server.

Hope this helps.

Regards,

NT

New Member

Re: cisco asa arp poison

I only overload the inside LAN.

If I disable proxy ARP, is this going to work?

Thank you,

laszlo

Cisco Employee (Accepted Solution)

Re: cisco asa arp poison

Hello,

If you are using the inside interface IP for overloading, then it should not be a problem.

global (inside) 1 interface

If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then you will also not have any issues. But if you are using something like

global (inside) 1 10.1.1.100

and 10.1.1.100 is not the address of the inside interface, then if you turn off proxy ARP on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:

arp inside 10.1.1.100 alias

This will ensure that the inside interface responds to ARP queries when the destination address is 10.1.1.100.

Hope this helps.

Regards,

NT
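The two replies above reduce to a checklist: for each interface where proxy ARP is turned off, every NAT-mapped address that is not the interface's own IP needs a static ARP alias or it goes unanswered. The following added example (not from this thread or from Cisco) automates that check over pre-8.3 ASA config lines: it parses `nameif`/`ip address` blocks, `global (iface) id interface|<ip>`, `static (real,mapped) mapped_ip real_ip`, `arp iface ip alias` and `sysopt noproxyarp iface`, reports the status of each mapped address per interface, and suggests alias commands in the form shown in the thread. The sample configuration is constructed; the `arp` parser accepts the line with or without a MAC operand because the reply above omits it.

```python
"""Would `sysopt noproxyarp <iface>` break NAT on this ASA config?

Added example, not from the thread or from Cisco. Covers the pre-8.3
`global`/`static` NAT syntax the replies use.
"""
import re
from collections import defaultdict

RE_IFACE = re.compile(r"^interface\s+\S+")
RE_NAMEIF = re.compile(r"^\s+nameif\s+(\S+)")
RE_IPADDR = re.compile(r"^\s+ip address\s+(\d+(?:\.\d+){3})\s+\S+")
RE_GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+\d+\s+(\S+)")
RE_STATIC = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)")
# MAC operand optional: the thread shows `arp inside 10.1.1.100 alias`.
RE_ARP_ALIAS = re.compile(
    r"^arp\s+(\S+)\s+(\d+(?:\.\d+){3})(?:\s+[0-9a-fA-F.]+)?\s+alias\b")
RE_NOPROXY = re.compile(r"^sysopt noproxyarp\s+(\S+)")

# Constructed sample config (hypothetical addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.10.1 255.255.255.0
global (inside) 1 10.1.1.100
global (dmz) 1 interface
static (dmz,inside) 10.1.1.50 192.168.10.50 netmask 255.255.255.255
arp inside 10.1.1.100 alias
sysopt noproxyarp inside
"""


def analyze(config_text):
    """Return {iface: {"proxyarp_disabled": bool, "mapped": {ip: status}}}.

    status is "interface-ip" (always answered), "alias" (static ARP alias
    present) or "needs-alias" (unanswered once proxy ARP is off)."""
    iface_ip = {}                # nameif -> interface IP
    mapped = defaultdict(set)    # nameif -> NAT-mapped IPs it must answer for
    aliases = defaultdict(set)   # nameif -> IPs with `arp ... alias`
    noproxy = set()
    block = {}                   # nameif / ip of the interface block being read
    for line in config_text.splitlines():
        if RE_IFACE.match(line):
            block = {}
        elif (m := RE_NAMEIF.match(line)):
            block["name"] = m.group(1)
        elif (m := RE_IPADDR.match(line)):
            block["ip"] = m.group(1)
        elif (m := RE_GLOBAL.match(line)):
            iface, addr = m.groups()
            if addr != "interface":          # PAT to the interface IP is safe
                mapped[iface].add(addr)
        elif (m := RE_STATIC.match(line)):
            _real_if, mapped_if, mapped_ip, _real_ip = m.groups()
            if mapped_ip != "interface":
                mapped[mapped_if].add(mapped_ip)
        elif (m := RE_ARP_ALIAS.match(line)):
            aliases[m.group(1)].add(m.group(2))
        elif (m := RE_NOPROXY.match(line)):
            noproxy.add(m.group(1))
        if "name" in block and "ip" in block:
            iface_ip[block["name"]] = block["ip"]
    report = {}
    for iface in set(iface_ip) | set(mapped) | noproxy:
        statuses = {}
        for ip in mapped.get(iface, ()):
            if ip == iface_ip.get(iface):
                statuses[ip] = "interface-ip"
            elif ip in aliases.get(iface, ()):
                statuses[ip] = "alias"
            else:
                statuses[ip] = "needs-alias"
        report[iface] = {"proxyarp_disabled": iface in noproxy, "mapped": statuses}
    return report


def suggested_alias_commands(config_text):
    """Alias lines (in the thread's form) for mapped IPs that would go
    unanswered on interfaces where proxy ARP is already disabled."""
    cmds = []
    for iface, info in sorted(analyze(config_text).items()):
        if not info["proxyarp_disabled"]:
            continue
        for ip, status in sorted(info["mapped"].items()):
            if status == "needs-alias":
                cmds.append(f"arp {iface} {ip} alias")
    return cmds


if __name__ == "__main__":
    for iface, info in sorted(analyze(SAMPLE_CONFIG).items()):
        print(iface, info)
    print("\n".join(suggested_alias_commands(SAMPLE_CONFIG)))
```

On the sample, 10.1.1.100 is covered by its alias but the static mapping 10.1.1.50 on the inside interface is not, so the check reports one missing alias; the DMZ interface only PATs to its own address and needs nothing. Run it against `show running-config` output before, not after, adding `sysopt noproxyarp`.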
