I have discovered that the Cisco ASA5505 we are using for a firewall is granting a dynamic ARP entry to an SMC router on the outside interface, which has access to the internet. The IP address is not that of the single IP granted for the outside interface to the internet, but it is in the range under the netmask (8 addresses).
I tried using a non-MAC exempt rule in the AAA section to block this, but this doesn't seem to be a good solution.
Is the router coming in from the outside? Has the outside interface been breached? Apparently the ASA5505 doesn't think the router is violating any access rules.
The dynamic ARP appeared over the weekend, when the normal equipment was shut down but the firewall was left running. Too bad the ARP table doesn't timestamp when this occurred.
The unknown router has the same MAC address that was found during the middle of last week. This appearance just started at the middle of last week.
I do not know what router this is, so I now have concern.
What steps should I take to track this down? (I am not an experienced seasoned security IP person)
I did some reading on my own regarding "Gratuitous ARP" and understand that now, but am having problems discovering how the ASA5505 learned the ARP, since apparently the "show mac" command is not available under the ASA 5505 software (I am using the CLI window).
The available show commands are "show arp" and "show IP" which is close but doesn't give me what I need.
It could be that the connection on the other end of my dedicated IP (1 address) is changing or stopping and starting and then sending the gratuitous ARP, as this seems most reasonable, but I would like to confirm that this is so.
It also doesn't help that last week Columbia University in New York scanned our block of addresses and attempted to sit upon both the http and telnet ports. Their laboratory is set up to scan banks of IP numbers and find misconfigured routers or security appliances.
The "sh mac address" is available on the switches. So if you have a switch on the outside of the ASA that connects that ASA outside with the upstream router, you can check the MAC address table of the switch to see where it learnt the bogus MAC.
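The question relies on the ASA's "show arp" output and the answer above suggests correlating it with the switch's MAC address table. The script below is an added example, not code from either poster, that automates that check: it parses constructed samples of ASA "show arp" lines (interface, IP, MAC, optional age) and IOS "show mac address-table" output, flags every outside-interface ARP entry whose MAC is not on an allow-list of expected upstream devices, and reports the switch VLAN and port on which the unexpected MAC was learned. All addresses, MACs and port names are made up for the example, and the output formats are assumed to match the common ASA/IOS layouts shown in the sample strings.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of ASA "show arp" output, one entry per line:
#   <interface> <ip> <mac> [<age in seconds>]
# Addresses and MACs are made up for this example.
ASA_SHOW_ARP = """\
        inside 192.168.1.10 0011.2233.aabb 12
        outside 203.0.113.1 0009.7cf8.2381 45
        outside 203.0.113.5 0023.4567.89ab 3
"""

# Constructed sample of IOS "show mac address-table" output from a switch
# sitting between the ASA outside interface and the upstream router.
SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0009.7cf8.2381    DYNAMIC     Gi0/1
 100    0023.4567.89ab    DYNAMIC     Gi0/7
 100    0011.2233.aabb    STATIC      CPU
Total Mac Addresses for this criterion: 3
"""

# Only the upstream router is expected to answer ARP on the outside segment.
# Assumed value for the example; use the MAC of your own provider's router.
EXPECTED_OUTSIDE_MACS = {"0009.7cf8.2381"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
# ASA line: interface, dotted-quad IP, Cisco-style MAC, optional age.
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+" + MAC + r"(?:\s+(\d+))?\s*$", re.I)
# IOS line: vlan, MAC, type (DYNAMIC/STATIC), port.
MAC_LINE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_show_arp(text: str) -> List[dict]:
    """Parse ASA 'show arp' lines into dicts; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        iface, ip, mac, age = m.groups()
        entries.append({"interface": iface, "ip": ip, "mac": mac.lower(),
                        "age": int(age) if age is not None else None})
    return entries


def parse_mac_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Map MAC -> (vlan, port) from IOS 'show mac address-table' output."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[mac.lower()] = (vlan, port)
    return table


def find_unexpected_outside_arp(arp_text: str, mac_text: str,
                                expected_macs, outside_if: str = "outside") -> List[dict]:
    """Return outside ARP entries whose MAC is not expected, with the switch port that learned it."""
    ports = parse_mac_table(mac_text)
    expected = {m.lower() for m in expected_macs}
    findings = []
    for entry in parse_show_arp(arp_text):
        if entry["interface"] != outside_if or entry["mac"] in expected:
            continue
        vlan, port = ports.get(entry["mac"], (None, None))
        findings.append({**entry, "vlan": vlan, "port": port})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_outside_arp(ASA_SHOW_ARP, SWITCH_MAC_TABLE, EXPECTED_OUTSIDE_MACS):
        print(f"unexpected neighbour {f['ip']} ({f['mac']}) on {f['interface']}: "
              f"learned on vlan {f['vlan']} port {f['port']}, age {f['age']}s")
```

Paste the real "show arp" and "show mac address-table" output into the two sample strings (or read them from files) and set the allow-list to the upstream router's MAC; a flagged entry whose port is not the uplink toward the provider points at a device on your own outside segment, while one learned on the uplink port came from the provider's side. Running the check on a schedule and keeping the results gives the per-run timestamp the ASA's ARP table does not record.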