topic Weird ARP issue in Network Security

Weird ARP issue

patoberli — Tue, 12 Mar 2019 03:48:00 GMT

Hello all

I have a very weird ARP issue on my ASA 5585-X SSP10 with software 8.4.6(5).

First the setup:

ASA - VLAN2 - IP 192.168.1.1 Mask 255.255.255.240 (ASA is in routing mode) - MAC 6c20.5658.8764

Second Router (router2) - VLAN2 - IP 192.168.1.14 Mask 255.255.255.240 - MAC 00:19:aa:85:6b:49

Server - VLAN2 - IP 192.168.1.6 Mask 255.255.255.240 - MAC 00:50:56:bd:4e:74

So, we have Vlan 2 with 3 devices in it. The ASA which is a router, an other router for special traffic and a server (which will redirect the traffic to one of the two routers depending on policy).

The server shows this arp table:

arp -a -i eth1

? (192.168.1.14) at 6c:20:56:58:87:64 [ether] on eth1 (Mac address of ASA and not of router2!!!)

? (192.168.1.1) at 6c:20:56:58:87:64 [ether] on eth1 (Mac address of ASA, ok)

The ASA shows this arp table:

show arp | inc GAES
GAESTE_OUT 192.168.1.6 0050.56bd.4e74 36 (correct)
GAESTE_OUT 192.168.1.14 0019.aa85.6b49 156 (correct)

Now the weird stuff.

If I clear the arp table on the server and ping 192.168.1.14, this is what the capture gets:

14:01:47.614577 00:50:56:bd:4e:74 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.14 tell 192.168.1.6, length 28
14:01:47.614998 6c:20:56:58:87:64 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 6c:20:56:58:87:64 (oui Unknown), length 46
14:01:47.615332 00:19:aa:85:6b:49 (oui Unknown) > 00:50:56:bd:4e:74 (oui Unknown), ethertype ARP (0x0806), length 60: Reply 192.168.1.14 is-at 00:19:aa:85:6b:49 (oui Unknown), length 46

As you can see, the router2 AND the ASA reply to this arp request! Why is this ASA sending this wrong reply?

Also a capture on the ASA on ARP shows this:

#capture arp ethernet-type arp interface GAESTE_OUT

#show captur arp det

2 packets captured

1: 14:09:48.597411 0050.56bd.4e74 ffff.ffff.ffff 0x8100 64: 802.1Q vlan#2 P0 arp who-has 192.168.1.14 tell 192.168.1.6
2: 14:09:48.597610 6c20.5658.8764 0050.56bd.4e74 0x8100 46: 802.1Q vlan#2 P0 arp reply 192.168.1.14 is-at 6c:20:56:58:87:64
2 packets shown

#sh ip add | inc 192.168.1.14

#sh int GAESTE_OUT

Interface GigabitEthernet0/2.2 "GAESTE_OUT", is up, line protocol is up

Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec

VLAN identifier 2

Description: VLAN to GAESTE_OUT

MAC address 6c20.5658.8764, MTU 1500

IP address 192.168.1.1, subnet mask 255.255.255.240

Traffic Statistics for "GAESTE_OUT":

200186428 packets input, 51055961549 bytes

299581495 packets output, 300211809798 bytes

447891 packets dropped

I am really confused and wondering if I miss something.

Weird ARP issue

Jouni Forss — Thu, 20 Feb 2014 13:35:58 GMT

Hi,

So the ASA is answering for ARP requests that are meant for the Router2 to reply?

Generelly you will avoid this by configuring

sysopt noproxyarp

This will disable the Proxy ARP on the ASA interface. It will still answer to ARP related to the IP address configured on its interface. If you are NATing users to some other IP address other than the interface IP address towards the interface in question then you should not disable Proxy ARP. If you have no such NAT requirements you should be able to safely disable Proxy ARP and avoid ASA answering the ARP request.

I guess the ASA has to have some NAT configuration related to 192.168.1.0/24 that causes it to answer to ARP requests on behalf of some IP address that it doesnt really own.

- Jouni

Weird ARP issue

patoberli — Thu, 20 Feb 2014 13:42:42 GMT

That might be. There is quite some NAT configured for that interface.

nat (GAESTE_OUT,DMZ_PUBLIC) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static range-192.168.52.0_22 range-192.168.52.0_22

nat (GAESTE_OUT,dmz-80) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static range-192.168.80.0_24 range-192.168.80.0_24

nat (GAESTE_OUT,VPN_OUT) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static vpn-lb_1.36 vpn-lb_1.36

nat (GAESTE_OUT,any) source static range-192.168.240.0_24 range-192.168.240.0_24 destination static range-192.168.0.0_16 range-192.168.0.0_16

nat (GAESTE_OUT,any) source static range-192.168.1.0_28 range-192.168.1.0_28

nat (GAESTE_OUT,outside) source dynamic any range-192.168.0.2_32

nat (GAESTE_OUT,DMZ_INS) source dynamic any interface destination static range-192.168.8.0_22 range-192.168.8.0_22

nat (GAESTE_OUT,DMZ_INS) source dynamic any interface destination static range-192.168.120.0_22 range-192.168.120.0_22 nat (GAESTE_OUT,DMZ_PUBLIC) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static range-192.168.52.0_22 range-192.168.52.0_22
nat (GAESTE_OUT,dmz-80) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static range-192.168.80.0_24 range-192.168.80.0_24
nat (GAESTE_OUT,VPN_OUT) source static range-172.16.116.0_22 range-172.16.116.0_22 destination static vpn-lb_1.36 vpn-lb_1.36
nat (GAESTE_OUT,any) source static range-192.168.240.0_24 range-192.168.240.0_24 destination static range-192.168.0.0_16 range-192.168.0.0_16
nat (GAESTE_OUT,any) source static range-192.168.1.0_28 range-192.168.1.0_28
nat (GAESTE_OUT,outside) source dynamic any range-192.168.0.2_32
nat (GAESTE_OUT,DMZ_INS) source dynamic any interface destination static range-192.168.8.0_22 range-192.168.8.0_22
nat (GAESTE_OUT,DMZ_INS) source dynamic any interface destination static range-192.168.120.0_22 range-192.168.120.0_22

I am not so sure now if the disabling of Proxy ARP is a good idea in this case. I'm no NAT specialist though.

Weird ARP issue

patoberli — Thu, 20 Feb 2014 14:30:25 GMT

I've disabled proxy arp now. So far I can't see any negative impact, thanks for the info!

Weird ARP issue

Jouni Forss — Thu, 20 Feb 2014 14:38:03 GMT

Hi,

Seems I actually had a little slip in the logic there.

I mean you will only need the Proxy ARP enabled on the interface if you are doing NAT from networks behind other interfaces towards the interface in question (the one answer ARP requests) and use a NAT IP address that is part of the directly connected network of this interface.

In most typical firewall configurations the only interface that needs to have Proxy ARP enabled in the external interface of your firewall if you have a public subnet connected to the external interface that is big enough to support more than the ASA external interface IP address. Then the ASA needs to use Proxy ARP for you to be able to use the additional public IP address from that subnet as NAT IP address (in other words Proxy ARP is needed for the ASA to reply to the ARP requests from the ISP for the NAT IP addresses you are using)

- Jouni