I have a subnet of 126.96.36.199/27
I have two routers in that subnet, IP'd as follows:
188.8.131.52 with a mac address of 001d.46c4.0c60
184.108.40.206 with a mac address of 001c.f6f8.b570
Now in this subnet I also have two PIX firewalls, version 8.0(4), with IPs
220.127.116.11 with mac 000d.88ee.1262
18.104.22.168 with mac 00e0.b603.d823
Okay, I have the firewalls' syslog sending output to a firewall analyzer, and every couple of months I get a notification of
ARP poisoning on firewall 22.214.171.124 with the following situation:
The two routers' IPs (126.96.36.199, 188.8.131.52) appear in the ARP table of 184.108.40.206 with the MAC address of 220.127.116.11, 000d.88ee.1262.
How is this possible? And why is this happening?
If the PIX with the IP address 18.104.22.168 is running NAT and it has the IP address 22.214.171.124 in a NAT statement, then that would be expected, since the PIX will proxy ARP for that IP (due to the NAT configured).
That is the only way a firewall will answer an ARP request for an IP that does not belong to its interface.
Thanks for the reply.
These are the statements in the configuration:
nat (inside) 1 0.0.0.0 0.0.0.0
global (amadeus) 1 interface
The (amadeus) interface being 126.96.36.199, so no, I don't have any statement referencing 188.8.131.52,
but there is PAT.
Below is a sequence of events of what happens when I ping 184.108.40.206 from firewall 220.127.116.11:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
sh arp | grep 22.214.171.124
amadeus 126.96.36.199 000d.88ee.1262 12
The 000d.88ee.1262 MAC belongs to firewall 188.8.131.52.
Then I receive the following message on PIX 184.108.40.206:
msg : %PIX-4-405001: Received ARP response collision from 220.127.116.11/000d.88ee.1262 on interface amadeus
type : attack
msg : %PIX-4-405001: Received ARP response collision from 18.104.22.168/000d.88ee.1262 on interface amadeus
type : attack
Is this nothing to worry about? As this will also happen randomly, without me trying to simulate the situation...
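A triage pass a log analyzer could apply to these messages, as an added example that is not part of the original thread or of any Cisco tooling: it parses %PIX-4-405001 lines, normalizes the Cisco dotted MAC form, and compares the reported IP/MAC pair against a known inventory. The inventory below is built from the router and firewall addresses listed earlier in the thread and is an assumption; the first two log lines are the ones quoted above, the third is a constructed line with a MAC that belongs to no known device. A MAC that belongs to another known device points at proxy ARP from NAT (as the reply suggests) or at a redundancy protocol and is flagged for review; an unknown MAC is the case to treat as possible spoofing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message body of %PIX-4-405001 as quoted in the thread; surrounding analyzer
# fields ("msg :", "type : attack") are ignored by using search() not match().
ARP_COLLISION_RE = re.compile(
    r"%PIX-4-405001: Received ARP response collision from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<mac>[0-9A-Fa-f.:-]+) "
    r"on interface (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Cisco prints 001d.46c4.0c60; other tools print 00:1d:46:c4:0c:60.
    Strip separators and lower-case so inventory lookups ignore the format."""
    hexdigits = re.sub(r"[.:-]", "", mac).lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


@dataclass
class Verdict:
    ip: str
    mac: str
    iface: str
    severity: str  # "info", "review" or "alert"
    reason: str


def classify_collision(line: str, inventory: Dict[str, str]) -> Optional[Verdict]:
    """Return a Verdict for a 405001 line, or None if the line is something else."""
    m = ARP_COLLISION_RE.search(line)
    if not m:
        return None
    ip, iface = m.group("ip"), m.group("iface")
    mac = normalize_mac(m.group("mac"))
    inv = {k: normalize_mac(v) for k, v in inventory.items()}
    # Reverse map MAC -> IP. If two IPs legitimately share a MAC (e.g. HSRP),
    # only one owner is kept; extend to a list if that applies to your network.
    mac_owner = {v: k for k, v in inv.items()}

    if inv.get(ip) == mac:
        return Verdict(ip, mac, iface, "info",
                       "MAC matches inventory for this IP; the firewall held a stale cache entry")
    if mac in mac_owner:
        return Verdict(ip, mac, iface, "review",
                       f"MAC belongs to known host {mac_owner[mac]}; check that device "
                       "for proxy ARP from NAT/PAT or a redundancy protocol")
    return Verdict(ip, mac, iface, "alert",
                   "MAC is not in inventory; possible ARP spoofing, investigate")


def triage(lines: List[str], inventory: Dict[str, str]) -> List[Verdict]:
    """Classify every 405001 line in a batch of syslog/analyzer output."""
    return [v for v in (classify_collision(l, inventory) for l in lines) if v]


# Assumed inventory, taken from the addresses posted in the thread.
INVENTORY = {
    "188.8.131.52": "001d.46c4.0c60",    # router
    "184.108.40.206": "001c.f6f8.b570",  # router
    "220.127.116.11": "000d.88ee.1262",  # PIX
    "18.104.22.168": "00e0.b603.d823",   # PIX
}

# First two lines are the analyzer output quoted above; the third is constructed.
SAMPLE_LINES = [
    "msg : %PIX-4-405001: Received ARP response collision from 220.127.116.11/000d.88ee.1262 on interface amadeus",
    "msg : %PIX-4-405001: Received ARP response collision from 18.104.22.168/000d.88ee.1262 on interface amadeus",
    "msg : %PIX-4-405001: Received ARP response collision from 188.8.131.52/dead.beef.0001 on interface amadeus",
    "type : attack",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LINES, INVENTORY):
        print(f"[{v.severity:6}] {v.iface} {v.ip} -> {v.mac}: {v.reason}")
```

Run against the analyzer's export, the first quoted line comes out as info (the MAC is the one the inventory already holds for that IP), the second as review (the MAC belongs to the other PIX, which is exactly the proxy-ARP-from-NAT situation the reply describes), and only the constructed line escalates to alert.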
I am sorry, I think I misspoke in my reply; I meant if 22.214.171.124 was running NAT. Please feel free to post the sh run NAT of 126.96.36.199.