cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17070
Views
5
Helpful
4
Replies

cisco asa arp poison

laposilaszlo
Beginner
Beginner

Hello,

I use a cisco ASA firewall in a L3 configuration.

Result of the command: "show running-config sysopt"

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

The problem is that the ASA is answering to all arp requests on the inside lan!

Is this a default setting for the ASA to answer all arp requests?

Do i have to disable this and how?

Thak you,

Laszlo

3 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

You are right. Proxy arp is enabled by default.

Here is how to disable proxy arp for the inside interface:

sysopt noproxyarp inside

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

Hope that helps.

View solution in original post

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

To Add to halijenn's post, when you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface i.e. static (DMZ,inside) for example. The moment you disable proxy arp, the firewall will stop proxy-arping for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATTED IP of the DMZ server.

Hope this helps.

Regards,

NT

View solution in original post

Hello,

If you are using the inside interface IP for overloading, then it should not be a problem.

global (inside) 1 interface

If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then also you will not have any issues. But if you are using some thing like

global (inside) 1 10.1.1.100

and 10.1.1.100 is not the address of the inside interface, then if you turnoff proxy-arp on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:

arp inside 10.1.1.100 alias

This will ensure that the inside interface responds to arp queries when the destination address is 10.1.1.100.

Hope this helps.

Regards,

NT

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

You are right. Proxy arp is enabled by default.

Here is how to disable proxy arp for the inside interface:

sysopt noproxyarp inside

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

Hope that helps.

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

To Add to halijenn's post, when you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface i.e. static (DMZ,inside) for example. The moment you disable proxy arp, the firewall will stop proxy-arping for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATTED IP of the DMZ server.

Hope this helps.

Regards,

NT

I only overload the inside lan.

If i disable proxy arp is this goin to work.

Thak you,

laszlo

Hello,

If you are using the inside interface IP for overloading, then it should not be a problem.

global (inside) 1 interface

If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then also you will not have any issues. But if you are using some thing like

global (inside) 1 10.1.1.100

and 10.1.1.100 is not the address of the inside interface, then if you turnoff proxy-arp on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:

arp inside 10.1.1.100 alias

This will ensure that the inside interface responds to arp queries when the destination address is 10.1.1.100.

Hope this helps.

Regards,

NT

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers