https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695996#M529486 <HTML><HEAD></HEAD><BODY><P>Hi Mike </P><P>thanks for the reply</P><P></P><P>These are the states in the configuration..</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P></P><P>global (amadeus) 1 interface</P><P></P><P></P><P>The (amadeus) interface being 57.24.130.8 , so no I dont have any statement referecing 57.24.130.1</P><P>but there is pat..</P><P></P><P></P><P>below is a sequece of events of what happens from when I ping 57.24.130.11 from fwl 57.24.130.8</P><P></P><P>ping 57.24.130.11</P><P>Type escape sequence to abort.</P><P>Sending 5, 100-byte ICMP Echos to 57.24.130.11, timeout is 2 seconds:</P><P>!????</P><P></P><P></P><P>sh arp | grep 57.24.130.11</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; amadeus 57.24.130.11 000d.88ee.1262 12</P><P></P><P></P><P>000d.88ee.1262 mac belogs to&nbsp; firewall 57.24.130.1</P><P></P><P></P><P>then I recieve the following mssage Pix 57.24.130.8</P><P></P><P>msg&nbsp;&nbsp; : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus</P><P>type&nbsp;&nbsp; : attack<SPAN id="mce_marker"> </SPAN><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;; color: black; font-size: 8pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-ZA; mso-fareast-language: EN-ZA; mso-bidi-language: AR-SA;">msg&nbsp;&nbsp; : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus<BR />type&nbsp;&nbsp; : attack</SPAN></P><P></P><P></P><P></P><P></P><P>is this nothing to worry about? as this will also happen randomly with out me trying to simulate the situation...?</P></BODY></HTML> Thu, 23 Jun 2011 09:01:12 GMT sneakster1 2011-06-23T09:01:12Z https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695994#M529480 <P>Hi ..</P><P></P><P></P><P>I have a subnet of 57.24.130.0/27</P><P></P><P>i have two routers in that subnet ip'd as followed</P><P></P><P>57.24.130.11 with a mac address of&nbsp; 001d.46c4.0c60</P><P>57.24.130.12 with a mac address of&nbsp; 001c.f6f8.b570</P><P></P><P></P><P>now in this subnet I also two PIX firewalls ver 8.0(4) with IPs</P><P></P><P>57.24.130.1 with mac 000d.88ee.1262</P><P>57.24.130.8 with mac 00e0.b603.d823</P><P></P><P></P><P>Okay I have the firewalls syslog sending its output to a firewall analyzer and every couple months I get a notification of </P><P>ARP poisioing on firewall 57.24.130.8 with the following situation.</P><P></P><P>the two routers IP (57.24.130.11,57.24.130.12) appear in the ARP table of&nbsp; 57.24.130.8 with the mac address of 57.24.130.1 being 000d.88ee.1262.</P><P></P><P>How is this possible ? and why is this happening ?</P><P></P><P>any ideas?</P> Mon, 11 Mar 2019 20:49:03 GMT https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695994#M529480 sneakster1 2019-03-11T20:49:03Z https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695995#M529484 <HTML><HEAD></HEAD><BODY><P>If the Pix with the IP address 57.24.130.8 is running NAT and it has the IP address 57.24.130.1 on an statement, then, that would be expeted since the Pix will proxy arp for that IP (due to the NAT configured) </P><P></P><P>That is the only way because of a Firewall will answer an ARP request that does not belong to its interface IP. </P><P></P><P>Mike </P></BODY></HTML> Wed, 22 Jun 2011 21:11:18 GMT https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695995#M529484 Maykol Rojas 2011-06-22T21:11:18Z https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695996#M529486 <HTML><HEAD></HEAD><BODY><P>Hi Mike </P><P>thanks for the reply</P><P></P><P>These are the states in the configuration..</P><P></P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P><P></P><P>global (amadeus) 1 interface</P><P></P><P></P><P>The (amadeus) interface being 57.24.130.8 , so no I dont have any statement referecing 57.24.130.1</P><P>but there is pat..</P><P></P><P></P><P>below is a sequece of events of what happens from when I ping 57.24.130.11 from fwl 57.24.130.8</P><P></P><P>ping 57.24.130.11</P><P>Type escape sequence to abort.</P><P>Sending 5, 100-byte ICMP Echos to 57.24.130.11, timeout is 2 seconds:</P><P>!????</P><P></P><P></P><P>sh arp | grep 57.24.130.11</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; amadeus 57.24.130.11 000d.88ee.1262 12</P><P></P><P></P><P>000d.88ee.1262 mac belogs to&nbsp; firewall 57.24.130.1</P><P></P><P></P><P>then I recieve the following mssage Pix 57.24.130.8</P><P></P><P>msg&nbsp;&nbsp; : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus</P><P>type&nbsp;&nbsp; : attack<SPAN id="mce_marker"> </SPAN><SPAN style="font-family: &quot;Arial&quot;,&quot;sans-serif&quot;; color: black; font-size: 8pt; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-ZA; mso-fareast-language: EN-ZA; mso-bidi-language: AR-SA;">msg&nbsp;&nbsp; : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus<BR />type&nbsp;&nbsp; : attack</SPAN></P><P></P><P></P><P></P><P></P><P>is this nothing to worry about? as this will also happen randomly with out me trying to simulate the situation...?</P></BODY></HTML> Thu, 23 Jun 2011 09:01:12 GMT https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695996#M529486 sneakster1 2011-06-23T09:01:12Z https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695997#M529487 <HTML><HEAD></HEAD><BODY><P>I am sorry, I think I mispoke on my reply, I meant if 57.24.130.1 was running NAT. Please feel free to post the sh run NAT of 57.24.130.1</P><P></P><P>Mike </P></BODY></HTML> Thu, 23 Jun 2011 17:17:52 GMT https://community.cisco.com/t5/network-security/arp-poisioning/m-p/1695997#M529487 Maykol Rojas 2011-06-23T17:17:52Z