06-22-2011 09:10 AM - edited 03-11-2019 01:49 PM
Hi,
I have a subnet of 57.24.130.0/27.
I have two routers in that subnet, with IPs as follows:
57.24.130.11 with a MAC address of 001d.46c4.0c60
57.24.130.12 with a MAC address of 001c.f6f8.b570
Now in this subnet I also have two PIX firewalls, version 8.0(4), with IPs
57.24.130.1 with MAC 000d.88ee.1262
57.24.130.8 with MAC 00e0.b603.d823
Okay, I have the firewalls' syslog output sent to a firewall analyzer, and every couple of months I get a notification of
ARP poisoning on firewall 57.24.130.8 in the following situation:
the two router IPs (57.24.130.11, 57.24.130.12) appear in the ARP table of 57.24.130.8 with the MAC address of 57.24.130.1, which is 000d.88ee.1262.
How is this possible, and why is this happening?
Any ideas?
06-22-2011 02:11 PM
If the PIX with the IP address 57.24.130.8 is running NAT and it has the IP address 57.24.130.1 in a statement, then that would be expected, since the PIX will proxy ARP for that IP (due to the NAT configured).
That is the only way a firewall will answer an ARP request for an IP that does not belong to its interface.
Mike
06-23-2011 02:01 AM
Hi Mike,
thanks for the reply.
These are the statements in the configuration:
nat (inside) 1 0.0.0.0 0.0.0.0
global (amadeus) 1 interface
The (amadeus) interface being 57.24.130.8, so no, I don't have any statement referencing 57.24.130.1,
but there is PAT.
Below is a sequence of events of what happens when I ping 57.24.130.11 from firewall 57.24.130.8:
ping 57.24.130.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 57.24.130.11, timeout is 2 seconds:
!????
sh arp | grep 57.24.130.11
amadeus 57.24.130.11 000d.88ee.1262 12
The 000d.88ee.1262 MAC belongs to firewall 57.24.130.1.
Then I receive the following message on PIX 57.24.130.8:
msg : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus
type : attack
Is this nothing to worry about? It will also happen randomly without me trying to simulate the situation...
06-23-2011 10:17 AM
I am sorry, I think I misspoke in my reply. I meant if 57.24.130.1 was running NAT. Please feel free to post the show run NAT of 57.24.130.1.
Mike
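The check Mike describes (is the "colliding" MAC a legitimate proxy-ARP reply for a NAT address, or a genuinely conflicting entry?) can be automated over the analyzer's syslog feed and the `show arp` output. The following is an added example and not code from the thread or from Cisco: it parses the `%PIX-4-405001` message and `show arp` lines, compares each observed IP/MAC pair against the inventory the original poster listed, and treats a MAC answering for another IP as expected only when that IP is in a configured proxy-ARP allowlist (the addresses in that device's `static`/`global` statements). The `SAMPLE_SYSLOG` and `SAMPLE_SHOW_ARP` inputs are constructed from the thread's figures; the allowlist contents and the `report`/`classify` function names are my own assumptions.

```python
"""Correlate PIX %PIX-4-405001 ARP collision messages and `show arp` output
against a known IP-to-MAC inventory to separate real ARP conflicts from
legitimate proxy ARP (NAT) replies. Added example, not code from the thread."""
import re
from collections import defaultdict

# Inventory exactly as posted in the thread.
EXPECTED_MAC = {
    "57.24.130.1": "000d.88ee.1262",   # PIX
    "57.24.130.8": "00e0.b603.d823",   # PIX, (amadeus) interface
    "57.24.130.11": "001d.46c4.0c60",  # router
    "57.24.130.12": "001c.f6f8.b570",  # router
}

# Constructed samples based on the thread's figures (not captured logs).
SAMPLE_SYSLOG = [
    "%PIX-4-405001: Received ARP response collision from "
    "57.24.130.11/000d.88ee.1262 on interface amadeus",
]
SAMPLE_SHOW_ARP = [
    "amadeus 57.24.130.1 000d.88ee.1262 5",
    "amadeus 57.24.130.11 000d.88ee.1262 12",
    "amadeus 57.24.130.12 000d.88ee.1262 40",
]

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
COLLISION_RE = re.compile(
    r"%PIX-4-405001: Received ARP response collision from (?P<ip>" + IP
    + r")/(?P<mac>" + MAC + r") on interface (?P<iface>\S+)", re.IGNORECASE)
SHOW_ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>" + IP + r")\s+(?P<mac>" + MAC
    + r")\s+(?P<age>\d+)\s*$", re.IGNORECASE)


def parse_collisions(lines):
    """Extract (iface, ip, mac) from %PIX-4-405001 syslog lines."""
    return [(m["iface"], m["ip"], m["mac"].lower())
            for m in map(COLLISION_RE.search, lines) if m]


def parse_show_arp(lines):
    """Extract (iface, ip, mac) from PIX `show arp` output lines."""
    return [(m["iface"], m["ip"], m["mac"].lower())
            for m in map(SHOW_ARP_RE.match, lines) if m]


def classify(iface, ip, mac, expected=EXPECTED_MAC, proxy_arp=None):
    """Return (verdict, detail) for one observed IP/MAC pair.

    proxy_arp (assumed format) maps a device MAC to the set of addresses that
    device is configured to answer ARP for, i.e. its NAT static/global
    addresses. A reply for such an address is expected, not poisoning."""
    proxy_arp = proxy_arp or {}
    owner = next((h for h, m in expected.items() if m == mac), None)
    if expected.get(ip) == mac:
        return "ok", f"{iface}: {ip} answered with its own MAC {mac}"
    if ip in proxy_arp.get(mac, ()):
        return "proxy-arp", f"{iface}: {ip} answered by {owner or mac} (configured NAT address)"
    if owner is not None:
        return "conflict", f"{iface}: {ip} answered with MAC {mac}, which belongs to {owner}"
    return "unknown", f"{iface}: {ip} answered with MAC {mac} not in inventory"


def ips_per_mac(entries):
    """MACs seen answering for more than one IP (the ARP poisoning signature)."""
    groups = defaultdict(set)
    for _iface, ip, mac in entries:
        groups[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in groups.items() if len(ips) > 1}


def report(syslog_lines, show_arp_lines, proxy_arp=None):
    """Classify every observed pair from both sources, keyed by (iface, ip, mac)."""
    entries = parse_collisions(syslog_lines) + parse_show_arp(show_arp_lines)
    return {e: classify(*e, proxy_arp=proxy_arp) for e in entries}


if __name__ == "__main__":
    for entry, (verdict, detail) in report(SAMPLE_SYSLOG, SAMPLE_SHOW_ARP).items():
        print(f"{verdict:10s} {detail}")
    print("MACs answering for several IPs:", ips_per_mac(parse_show_arp(SAMPLE_SHOW_ARP)))
```

With an empty allowlist the router entries are reported as conflicts because 000d.88ee.1262 is inventoried as 57.24.130.1; adding those router addresses under that MAC in `proxy_arp` (which is what a `static`/`global` on 57.24.130.1 covering them would justify) turns the same observations into the expected proxy-ARP case, which is exactly the distinction the thread is trying to make.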