I need some advice on this topic. I am seeing strange entries in my ARP table on my ASA 5510. We do not use any static ARP on the firewall at all. There are several dynamic arp entries being created that are not local to my network, yet they show up on the Management(Inside) interface. I am pretty new to this so I may just not fully understand how/why a dynamic ARP entry is create on the inside interface of my firewall. I see all of my local IP's in this table, but am concerned with the ones that are not local.
Solved! Go to Solution.
Can you confirm if you do not have any static arp configured on your asa:
-Show run arp
Also you said its on your managment interface, where is this port on the ASA going to ( connected to)?
Yes I can confirm that there are no static arps configured.
sho run arp: no results returned
We don't NAT to any of the addresses that are showing up in the ARP table, they are addresses that are completely foreignto the networks that we access on our known networks.
So they are showing up on the inside and also managment interface? Right?
Hmmm, is the ASA the only path to get in or get out of your network?
If I were in your place I would start inmediatly to investigate what is going on in here because looks like there are devices on the internal network that do not belong to your company, if you have their ip addresses I would definitly shun them
Let me know what you find out!
We had reverse route injection selected on our L2L cryptomap rule. It really was not needed so I disabled it. However I still am getting some of the addresses popping up. I did a lookup on them and most are coming back as the following..
Reverse lookup for addresses below: .deploy.akamaitechnologies.com
22.214.171.124 whois = Domain Name: AKAMAITECHNOLOGIES.COM
126.96.36.199 whois = Domain Name: AKAMAITECHNOLOGIES.COM
188.8.131.52 whois = Domain Name: AKAMAITECHNOLOGIES.COM
184.108.40.206 whois = AKAMAITECHNOLOGIES.COM
Apparently this AKAMAITECHNOLOGIES.COM provide deployment services and bandwidth for companies such as Microsoft and many more.
220.127.116.11 whois = Sprint.com
18.104.22.168 whois = Sprint.com
22.214.171.124 whois = Something in China...Blocked this network at firewall.
Reverse lookup for addresses below: dns-redir-lb-02.tampabay.rr.com
A little more background on our setup. We have a very small network with no more than 80 connected devices. All devices have been accounted for.
We have a L2L VPN tunnel to our client (did have Reverse route injection enable/now disabled as not needed). Here we use a dynamic policy NAT to NAT our internal hosts to an address space (Provided by ISP) usable in our clients network. The nat is configured so packets destined for client network on VPN tunnel get hit a pool of addresses and the source IP is then translated.
We are also using PAT, which is used for packets not destined for the vpn tunnel (like the web).
What is most puzzling, is if I turn off the PAT and delete the dynamic policy nat, then recreate a new dynamic nat with any any to the pool of addresses, these strange addresses do not show up in ARP table.