https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847799#M459655 <HTML><HEAD></HEAD><BODY><P>Besides defined static ARPs, the ASA will also add arp entries for xlates (NATs).</P></BODY></HTML> Thu, 09 Feb 2012 23:48:54 GMT Marvin Rhoads 2012-02-09T23:48:54Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847797#M459653 <P>I need some advice on this topic.&nbsp; I am seeing strange entries in my ARP table on my ASA 5510.&nbsp; We do not use any static ARP on the firewall at all.&nbsp; There are several dynamic arp entries being created that are not local to my network, yet they show up on the Management(Inside) interface.&nbsp; I am pretty new to this so I may just not fully understand how/why a dynamic ARP entry is create on the inside interface of my firewall.&nbsp; I see all of my local IP's in this table, but am concerned with the ones that are not local.</P> Mon, 11 Mar 2019 22:27:18 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847797#M459653 sabinj 2019-03-11T22:27:18Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847798#M459654 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Can you confirm if you do not have any static arp configured on your asa:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; -Show run arp</P><P></P><P>Also you said its on your managment interface, where is this port on the ASA going to ( connected to)?</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Thu, 09 Feb 2012 22:26:28 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847798#M459654 Julio Carvajal 2012-02-09T22:26:28Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847799#M459655 <HTML><HEAD></HEAD><BODY><P>Besides defined static ARPs, the ASA will also add arp entries for xlates (NATs).</P></BODY></HTML> Thu, 09 Feb 2012 23:48:54 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847799#M459655 Marvin Rhoads 2012-02-09T23:48:54Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847800#M459656 <HTML><HEAD></HEAD><BODY><P>Yes I can confirm that there are no static arps configured.&nbsp; </P><P>sho run arp: no results returned&nbsp; </P><P>We don't NAT to any of the addresses that are showing up in the ARP table, they are addresses that are completely foreignto the networks that we access on our known networks.&nbsp; </P></BODY></HTML> Fri, 10 Feb 2012 01:22:14 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847800#M459656 sabinj 2012-02-10T01:22:14Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847801#M459657 <HTML><HEAD></HEAD><BODY><P>Whats more troubling is the fact they are showing up on my inside interface.&nbsp; </P></BODY></HTML> Fri, 10 Feb 2012 01:30:22 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847801#M459657 sabinj 2012-02-10T01:30:22Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847802#M459658 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>So they are showing up on the inside and also managment interface? Right?</P></BODY></HTML> Fri, 10 Feb 2012 01:37:01 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847802#M459658 Julio Carvajal 2012-02-10T01:37:01Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847803#M459659 <HTML><HEAD></HEAD><BODY><P>Hello, In our setup the management interface is also the inside interface. We do not dedicate an interface to management only. </P></BODY></HTML> Fri, 10 Feb 2012 01:50:19 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847803#M459659 sabinj 2012-02-10T01:50:19Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847804#M459660 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Hmmm, is the ASA the only path to get in or get out of your network?</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Fri, 10 Feb 2012 02:03:00 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847804#M459660 Julio Carvajal 2012-02-10T02:03:00Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847805#M459661 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yes that is correct.</P><P></P><P>Thanks,</P><P></P><P>Sabin</P></BODY></HTML> Fri, 10 Feb 2012 02:10:24 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847805#M459661 sabinj 2012-02-10T02:10:24Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847806#M459662 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>If I were in your place I would start inmediatly to investigate what is going on in here because looks like there are devices on the internal network that do not belong to your company, if you have their ip addresses I would definitly shun them</P><P></P><P>Regards,</P><P></P><P>Let me know what you find out!</P></BODY></HTML> Fri, 10 Feb 2012 17:37:03 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847806#M459662 Julio Carvajal 2012-02-10T17:37:03Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847807#M459663 <HTML><HEAD></HEAD><BODY><P>Are you doing anything that might use Reverse Route Injection?</P><P></P><P>Can you show us the routes configured on the ASA?</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 10 Feb 2012 17:46:33 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847807#M459663 Richard Burts 2012-02-10T17:46:33Z https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847808#M459664 <HTML><HEAD></HEAD><BODY><P>Hello Richard,</P><P></P><P>We had reverse route injection selected on our L2L cryptomap rule.&nbsp; It really was not needed so I disabled it.&nbsp; However I still am getting some of the addresses popping up.&nbsp; I did a lookup on them and most are coming back as the following..</P><P></P><P>Reverse lookup for addresses below: .deploy.akamaitechnologies.com</P><P>23.1.217.83&nbsp; whois = Domain Name: AKAMAITECHNOLOGIES.COM</P><P>65.197.244.80&nbsp; whois = Domain Name: AKAMAITECHNOLOGIES.COM</P><P>65.197.244.82&nbsp; whois = Domain Name: AKAMAITECHNOLOGIES.COM</P><P>72.246.225.83&nbsp; whois = AKAMAITECHNOLOGIES.COM</P><P></P><P>Apparently this AKAMAITECHNOLOGIES.COM provide deployment services and bandwidth for companies such as Microsoft and many more.</P><P></P><P>No results</P><P>206.160.105.254&nbsp; whois = Sprint.com</P><P>204.95.60.12&nbsp; whois = Sprint.com</P><P>112.80.48.236 whois = Something in China...Blocked this network at firewall.</P><P></P><P>Reverse lookup for addresses below:&nbsp; dns-redir-lb-02.tampabay.rr.com</P><P>65.32.5.112</P><P>65.32.5.111</P><P></P><P></P><P>A little more background on our setup.&nbsp; We have a very small network with no more than 80 connected devices.&nbsp; All devices have been accounted for.&nbsp; </P><P></P><P>We have a L2L VPN tunnel to our client (did have Reverse route injection enable/now disabled as not needed).&nbsp; Here we use a dynamic policy NAT to NAT our internal hosts to an address space (Provided by ISP) usable in our clients network.&nbsp; The nat is configured so packets destined for client network on VPN tunnel get hit a pool of addresses and the source IP is then translated.</P><P></P><P>We are also using PAT, which is used for packets not destined for the vpn tunnel (like the web).&nbsp; </P><P></P><P>What is most puzzling, is if I turn off the PAT and delete the dynamic policy nat, then recreate a new dynamic nat with any any to the pool of addresses, these strange addresses do not show up in ARP table.</P></BODY></HTML> Fri, 10 Feb 2012 21:48:09 GMT https://community.cisco.com/t5/network-security/strange-entries-in-arp-table/m-p/1847808#M459664 sabinj 2012-02-10T21:48:09Z