I have a subnet of 220.127.116.11/27
I have two routers in that subnet, IP'd as follows:
18.104.22.168 with a mac address of 001d.46c4.0c60
22.214.171.124 with a mac address of 001c.f6f8.b570
Now in this subnet I also have two PIX firewalls, ver 8.0(4), with IPs
126.96.36.199 with mac 000d.88ee.1262
188.8.131.52 with mac 00e0.b603.d823
Okay, I have the firewalls' syslog sending its output to a firewall analyzer, and every couple of months I get a notification of
ARP poisoning on firewall 184.108.40.206 with the following situation:
the two routers' IPs (220.127.116.11, 18.104.22.168) appear in the ARP table of 22.214.171.124 with the MAC address of 126.96.36.199, being 000d.88ee.1262.
How is this possible? And why is this happening?
If the PIX with the IP address 188.8.131.52 is running NAT and it has the IP address 184.108.40.206 on a statement, then that would be expected, since the PIX will proxy ARP for that IP (due to the NAT configured).
That is the only way a firewall will answer an ARP request that does not belong to its interface IP.
Thanks for the reply.
These are the statements in the configuration:
nat (inside) 1 0.0.0.0 0.0.0.0
global (amadeus) 1 interface
The (amadeus) interface being 220.127.116.11, so no, I don't have any statement referencing 18.104.22.168,
but there is PAT.
Below is a sequence of events of what happens when I ping 22.214.171.124 from firewall 126.96.36.199:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
sh arp | grep 184.108.40.206
amadeus 220.127.116.11 000d.88ee.1262 12
The 000d.88ee.1262 MAC belongs to firewall 18.104.22.168.
Then I receive the following message on PIX 22.214.171.124:
msg : %PIX-4-405001: Received ARP response collision from 126.96.36.199/000d.88ee.1262 on interface amadeus
type : attack msg : %PIX-4-405001: Received ARP response collision from 188.8.131.52/000d.88ee.1262 on interface amadeus
type : attack
Is this nothing to worry about? This will also happen randomly without me trying to simulate the situation...
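An added example, not from the thread or from Cisco: a small checker that parses %PIX-4-405001 ARP collision messages of the format quoted above and compares the claimed IP/MAC pair against an inventory of the subnet's known hosts, so the analyzer alert can be triaged as "a device answered for its own IP", "a known proxy-ARP case (NAT/global)" or "unexpected". The inventory and sample log lines are constructed from the addresses in this thread; the PROXY_ARP_ALLOWED map is an assumed placeholder the operator would fill from the NAT/global configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the PIX ARP collision message shown in the thread.
ARP_COLLISION = re.compile(
    r"%PIX-4-405001: Received ARP response collision from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on interface (?P<iface>\S+)"
)

# Constructed inventory (IP -> MAC) of the hosts named in the thread.
INVENTORY = {
    "18.104.22.168": "001d.46c4.0c60",   # router
    "22.214.171.124": "001c.f6f8.b570",  # router
    "126.96.36.199": "000d.88ee.1262",   # PIX
    "188.8.131.52": "00e0.b603.d823",    # PIX
}

# Assumed: MAC -> set of extra IPs that device legitimately proxy-ARPs for
# (NAT/global addresses). Left empty, so every answer for another host's IP
# is reported as unexpected; populate it from "sh run nat"/"sh run global".
PROXY_ARP_ALLOWED = {}

@dataclass
class Finding:
    ip: str
    mac: str
    iface: str
    verdict: str
    owner_mac: Optional[str]

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an ARP collision line, or None for other syslog."""
    m = ARP_COLLISION.search(line)
    if not m:
        return None
    ip, mac, iface = m.group("ip"), m.group("mac").lower(), m.group("iface")
    owner = INVENTORY.get(ip)
    if owner is None:
        verdict = "unknown-ip"              # IP not in inventory at all
    elif owner == mac:
        verdict = "self"                    # device answered for its own IP
    elif ip in PROXY_ARP_ALLOWED.get(mac, set()):
        verdict = "expected-proxy-arp"      # documented NAT/global proxy ARP
    else:
        verdict = "unexpected-proxy-arp"    # another host's IP claimed by this MAC
    return Finding(ip, mac, iface, verdict, owner)

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample: the two messages from the thread plus one router IP
# answered by the PIX MAC, which is the situation described in the question.
SAMPLE_LOG = [
    "%PIX-4-405001: Received ARP response collision from 126.96.36.199/000d.88ee.1262 on interface amadeus",
    "%PIX-4-405001: Received ARP response collision from 188.8.131.52/000d.88ee.1262 on interface amadeus",
    "%PIX-4-405001: Received ARP response collision from 18.104.22.168/000d.88ee.1262 on interface amadeus",
]
```

Run `scan(SAMPLE_LOG)` to get one Finding per line; a verdict of "unexpected-proxy-arp" for a router IP is the case worth checking against the NAT/global statements before treating the alert as poisoning.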
I am sorry, I think I misspoke in my reply; I meant if 184.108.40.206 was running NAT. Please feel free to post the sh run NAT of 220.127.116.11.