
ARP Poisoning

sneakster1
Level 1

Hi ..

I have a subnet of 57.24.130.0/27.

I have two routers in that subnet, IP'd as follows:

57.24.130.11 with a MAC address of 001d.46c4.0c60

57.24.130.12 with a MAC address of 001c.f6f8.b570

Now in this subnet I also have two PIX firewalls, version 8.0(4), with IPs

57.24.130.1 with MAC 000d.88ee.1262

57.24.130.8 with MAC 00e0.b603.d823

Okay, I have the firewalls' syslog sending its output to a firewall analyzer, and every couple of months I get a notification of

ARP poisoning on firewall 57.24.130.8 with the following situation:

the two routers' IPs (57.24.130.11, 57.24.130.12) appear in the ARP table of 57.24.130.8 with the MAC address of 57.24.130.1, being 000d.88ee.1262.

How is this possible, and why is this happening?

Any ideas?

3 Replies

Maykol Rojas
Cisco Employee

If the PIX with the IP address 57.24.130.8 is running NAT and it has the IP address 57.24.130.1 in a statement, then that would be expected, since the PIX will proxy-ARP for that IP (due to the NAT configured).

That is the only way a firewall will answer an ARP request for an IP that does not belong to its interface.

Mike


Hi Mike

Thanks for the reply.

These are the statements in the configuration:

nat (inside) 1 0.0.0.0 0.0.0.0

global (amadeus) 1 interface

The (amadeus) interface being 57.24.130.8, so no, I don't have any statement referencing 57.24.130.1,

but there is PAT.

Below is a sequence of events of what happens when I ping 57.24.130.11 from firewall 57.24.130.8:

ping 57.24.130.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 57.24.130.11, timeout is 2 seconds:

!????

sh arp | grep 57.24.130.11

        amadeus 57.24.130.11 000d.88ee.1262 12

The 000d.88ee.1262 MAC belongs to firewall 57.24.130.1.

Then I receive the following message on PIX 57.24.130.8:

type   : attack
msg    : %PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus

Is this nothing to worry about? This will also happen randomly, without me trying to simulate the situation...

I am sorry, I think I misspoke in my reply; I meant if 57.24.130.1 was running NAT. Please feel free to post the sh run nat of 57.24.130.1.

Mike
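The thread turns on one question: when a PIX logs %PIX-4-405001 (another host answered ARP for an IP the firewall has in its table), does the colliding MAC belong to a device you already know, which is what proxy ARP for a NAT/PAT address on a neighbouring firewall would produce, or to a MAC you have never seen, which is the case that actually looks like poisoning? The script below is an added example, not part of the original thread or of any Cisco tool. It parses `show arp` rows and 405001 syslog lines in the format shown above, flags MACs that answer for more than one IP on an interface, and grades each collision against a device inventory. The inventory holds the four IP/MAC pairs from the post; the sample ARP table and syslog lines (including the `aaaa.bbbb.cccc` MAC and the `inside` row) are constructed for the example.

```python
"""Triage PIX ARP-collision reports against a known-device inventory.

Two inputs are handled:
  * `show arp` output (interface, IP, MAC, age): find MACs that answer for
    more than one IP on the same interface.
  * %PIX-4-405001 syslog lines: decide whether the colliding MAC is a device
    we already know (likely proxy ARP from a neighbour) or an unknown host.
"""
import re
from collections import defaultdict

# The four hosts named in the thread. Everything else here is constructed.
KNOWN_DEVICES = {
    "57.24.130.1": "000d.88ee.1262",   # PIX, outside address .1
    "57.24.130.8": "00e0.b603.d823",   # PIX, interface "amadeus"
    "57.24.130.11": "001d.46c4.0c60",  # router 1
    "57.24.130.12": "001c.f6f8.b570",  # router 2
}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IP = r"\d+\.\d+\.\d+\.\d+"
ARP_ROW = re.compile(rf"^\s*(\S+)\s+({IP})\s+({MAC})\s+(\d+)\s*$", re.I)
COLLISION = re.compile(
    rf"%PIX-4-405001: Received ARP response collision from ({IP})/({MAC}) on interface (\S+)", re.I
)

# Constructed `show arp` output in the PIX layout seen in the thread.
SAMPLE_ARP = """\
        amadeus 57.24.130.1  000d.88ee.1262 42
        amadeus 57.24.130.11 000d.88ee.1262 12
        amadeus 57.24.130.12 000d.88ee.1262 9
        inside  10.0.0.5     0011.2233.4455 120
"""

# Constructed syslog lines: one collision from a known device, one from an
# unknown MAC, and one unrelated message that must be ignored.
SAMPLE_SYSLOG = [
    "%PIX-4-405001: Received ARP response collision from 57.24.130.11/000d.88ee.1262 on interface amadeus",
    "%PIX-4-405001: Received ARP response collision from 57.24.130.12/aaaa.bbbb.cccc on interface amadeus",
    "%PIX-6-302013: Built outbound TCP connection 12345 for amadeus:57.24.130.11/80",
]


def parse_arp_table(text):
    """Return [(iface, ip, mac, age), ...] from `show arp` text; MACs lower-cased."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            iface, ip, mac, age = m.groups()
            rows.append((iface, ip, mac.lower(), int(age)))
    return rows


def macs_claimed_by_multiple_ips(rows):
    """{(iface, mac): sorted [ip, ...]} for every MAC that answers for >1 IP."""
    claims = defaultdict(set)
    for iface, ip, mac, _age in rows:
        claims[(iface, mac)].add(ip)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def classify_collision(ip, mac, inventory=KNOWN_DEVICES):
    """'expected' if ip->mac matches inventory; 'known-device-answering-for-other-ip:<owner>'
    if the MAC is some other inventoried host (proxy-ARP candidate); else 'unknown-mac'."""
    mac = mac.lower()
    if inventory.get(ip) == mac:
        return "expected"
    owner = next((k for k, v in inventory.items() if v == mac), None)
    if owner:
        return f"known-device-answering-for-other-ip:{owner}"
    return "unknown-mac"


def triage_syslog(lines, inventory=KNOWN_DEVICES):
    """Extract every 405001 event and attach a verdict; non-405001 lines are skipped."""
    results = []
    for line in lines:
        m = COLLISION.search(line)
        if not m:
            continue
        ip, mac, iface = m.groups()
        results.append({"iface": iface, "ip": ip, "mac": mac.lower(),
                        "verdict": classify_collision(ip, mac, inventory)})
    return results


if __name__ == "__main__":
    for key, ips in macs_claimed_by_multiple_ips(parse_arp_table(SAMPLE_ARP)).items():
        print(f"{key[0]}: MAC {key[1]} answers for {', '.join(ips)}")
    for r in triage_syslog(SAMPLE_SYSLOG):
        print(f"{r['iface']}: {r['ip']} answered by {r['mac']} -> {r['verdict']}")
```

A verdict of `known-device-answering-for-other-ip:57.24.130.1` is the situation described in the thread and is what you would expect if .1 proxy-ARPs for a NAT'd address; `unknown-mac` is the case worth pulling switch port tables for. Both checks assume the inventory is trusted, so keep it from a source other than the ARP table you are evaluating.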