New Member

How to disable ARP security on ASA

We have an ASA and need to find a way to disable ARP security on the inside interface. We are going to put a device in front of it that is a sort of nearly-transparent proxy, but it unfortunately rewrites packets that travel through it with its own MAC address. The ASA seems to not like this very much at all.

Is there a way to disable that function? I have no idea what the command would be. The only thing I found related to this was ARP inspection, but that didn't seem to have anything to do with the dynamic ARP cache. It seemed to only be relevant when you have static ARP entries.

Regardless, it doesn't look like we have that turned on, anyway.

Any thoughts?

6 REPLIES

Re: How to disable ARP security on ASA

New Member

Re: How to disable ARP security on ASA

I'm not sure how that applies to what I'm talking about. Proxy ARP is when the ASA responds to an ARP request with its own MAC address even when it doesn't own it. That shouldn't be happening in our configuration anyway.

The problem appears to be that the ASA is populating its ARP cache with the real MAC addresses of these devices. Then this other box (a sort-of brouter) passes traffic through it with the source IPs of our other network devices but with its own MAC address.

It seems like the ASA thinks this is an ARP spoofing attack and is stopping the traffic.

We're going to do some more testing this morning, but I still can't figure out how to disable that behavior.

New Member

Re: How to disable ARP security on ASA

The more I look into this, the more I think we don't even have that feature enabled. But it's the only thing that makes sense. If that's not the problem, I have no idea what is.

I'm really starting to think this has nothing to do with any sort of ARP spoofing protection.

Re: How to disable ARP security on ASA

What about creating a static ARP entry in the ASA? Will that work for you?

New Member

Re: How to disable ARP security on ASA

No, that wouldn't work. I'd have to create a static ARP entry for every device requiring internet access.

I'm beginning to think this isn't the problem, anyway. It doesn't look to me like we have any sort of ARP spoofing protection turned on.

New Member

Re: How to disable ARP security on ASA

Hello,

What is the error message on the ASA?

Is the MAC address the only rewritten field in the packet?

Actually the ASA should be able to deal with the "one MAC-multiple IP" scheme.

Thanks
