441 Views | 0 Helpful | 3 Replies
Beginner

ARP Poisoning

Hi ..

I have a subnet of 57.24.130.0/27

I have two routers in that subnet, IP'd as follows:

57.24.130.11 with a MAC address of 001d.46c4.0c60

57.24.130.12 with a MAC address of 001c.f6f8.b570

Now in this subnet I also have two PIX firewalls, version 8.0(4), with IPs

57.24.130.1 with MAC 000d.88ee.1262

57.24.130.8 with MAC 00e0.b603.d823

Okay, I have the firewalls' syslog sending its output to a firewall analyzer, and every couple of months I get a notification of

ARP poisoning on firewall 57.24.130.8 with the following situation:

The two routers' IPs (57.24.130.11, 57.24.130.12) appear in the ARP table of 57.24.130.8 with the MAC address of 57.24.130.1, being 000d.88ee.1262.

How is this possible, and why is this happening?

any ideas?

3 REPLIES
Cisco Employee

ARP Poisoning

If the PIX with the IP address 57.24.130.8 is running NAT and it has the IP address 57.24.130.1 in a statement, then that would be expected, since the PIX will proxy ARP for that IP (due to the NAT configured).

That is the only way a firewall will answer an ARP request for an IP that does not belong to its interface.

Mike
Beginner

Re: ARP Poisoning

Hi Mike

thanks for the reply

These are the statements in the configuration:

nat (inside) 1 0.0.0.0 0.0.0.0

global (amadeus) 1 interface

The (amadeus) interface being 57.24.130.8, so no, I don't have any statement referencing 57.24.130.1,

but there is PAT.

Below is a sequence of events of what happens when I ping 57.24.130.11 from firewall 57.24.130.8:

ping 57.24.130.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 57.24.130.11, timeout is 2 seconds:

!????

sh arp | grep 57.24.130.11

        amadeus 57.24.130.11 000d.88ee.1262 12

The 000d.88ee.1262 MAC belongs to firewall 57.24.130.1.

Then I receive the following message on PIX 57.24.130.8:

msg   : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus
type   : attack

Is this nothing to worry about? As this will also happen randomly without me trying to simulate the situation...?
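As an added example (not from this thread or from Cisco), a small Python triage routine for exactly this case: it parses %PIX-4-405001 lines and checks the MAC in the ARP reply against an inventory of known interface MACs, so an analyst can see which host is answering ARP for which IP. The inventory and the sample log lines are constructed from the IP/MAC values posted above.

```python
import re

# Constructed inventory (IP -> interface MAC) taken from the values in the thread.
KNOWN_MACS = {
    "57.24.130.1": "000d.88ee.1262",   # PIX
    "57.24.130.8": "00e0.b603.d823",   # PIX (amadeus interface)
    "57.24.130.11": "001d.46c4.0c60",  # router
    "57.24.130.12": "001c.f6f8.b570",  # router
}

# Matches the PIX ARP collision message: claimed IP, MAC seen in the reply, interface.
ARP_COLLISION_RE = re.compile(
    r"%PIX-4-405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines; the third is unrelated noise that must be skipped.
SAMPLE_LOG = [
    "%PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus",
    "%PIX-4-405001: Received ARP response collision from 57.24.130.12/000d.88ee.1262 on interface amadeus",
    "%PIX-6-302013: Built outbound TCP connection 12345 for amadeus:57.24.130.11/80",
]


def parse_collision(line):
    """Return the ip/mac/iface fields of a 405001 message, or None for other lines."""
    m = ARP_COLLISION_RE.search(line)
    return m.groupdict() if m else None


def classify(event, known=KNOWN_MACS):
    """Compare the MAC in the ARP reply with the inventory and name the answering host."""
    ip, mac = event["ip"], event["mac"]
    expected = known.get(ip)
    owner = next((k for k, v in known.items() if v == mac), None)
    if expected == mac:
        verdict = "benign: MAC matches inventory"
    elif owner is not None:
        # Another inventoried device answered for this IP: check it for proxy ARP / NAT
        # statements covering the IP before treating it as spoofing.
        verdict = f"suspicious: {owner} answered ARP for {ip}; check proxy-ARP/NAT on {owner}"
    else:
        verdict = "unknown MAC: not in inventory, investigate"
    return {"ip": ip, "iface": event["iface"], "seen_mac": mac,
            "expected_mac": expected, "answering_host": owner, "verdict": verdict}


def triage(lines, known=KNOWN_MACS):
    """Run every collision message in `lines` through classify(); other lines are ignored."""
    return [classify(ev, known) for ev in map(parse_collision, lines) if ev]
```

Running `triage(SAMPLE_LOG)` attributes both collisions to 57.24.130.1, which matches the thread's observation that the PIX at .1 is answering ARP for the two routers.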

Cisco Employee

Re: ARP Poisoning

I am sorry, I think I misspoke in my reply; I meant if 57.24.130.1 was running NAT. Please feel free to post the sh run NAT of 57.24.130.1.

Mike