cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4956
Views
0
Helpful
11
Replies

Strange Entries in ARP Table

sabinj
Level 1
Level 1

I need some advice on this topic.  I am seeing strange entries in my ARP table on my ASA 5510.  We do not use any static ARP on the firewall at all.  There are several dynamic arp entries being created that are not local to my network, yet they show up on the Management(Inside) interface.  I am pretty new to this so I may just not fully understand how/why a dynamic ARP entry is create on the inside interface of my firewall.  I see all of my local IP's in this table, but am concerned with the ones that are not local.

1 Accepted Solution

Accepted Solutions

Are you doing anything that might use Reverse Route Injection?

Can you show us the routes configured on the ASA?

HTH

Rick

HTH

Rick

View solution in original post

11 Replies 11

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

Can you confirm if you do not have any static arp configured on your asa:

     -Show run arp

Also you said its on your managment interface, where is this port on the ASA going to ( connected to)?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes I can confirm that there are no static arps configured. 

sho run arp: no results returned 

We don't NAT to any of the addresses that are showing up in the ARP table, they are addresses that are completely foreignto the networks that we access on our known networks. 

Whats more troubling is the fact they are showing up on my inside interface. 

Hello,

So they are showing up on the inside and also managment interface? Right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello, In our setup the management interface is also the inside interface. We do not dedicate an interface to management only.

Hello,

Hmmm, is the ASA the only path to get in or get out of your network?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Yes that is correct.

Thanks,

Sabin

Hello,

If I were in your place I would start inmediatly to investigate what is going on in here because looks like there are devices on the internal network that do not belong to your company, if you have their ip addresses I would definitly shun them

Regards,

Let me know what you find out!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Marvin Rhoads
Hall of Fame
Hall of Fame

Besides defined static ARPs, the ASA will also add arp entries for xlates (NATs).

Are you doing anything that might use Reverse Route Injection?

Can you show us the routes configured on the ASA?

HTH

Rick

HTH

Rick

Hello Richard,

We had reverse route injection selected on our L2L cryptomap rule.  It really was not needed so I disabled it.  However I still am getting some of the addresses popping up.  I did a lookup on them and most are coming back as the following..

Reverse lookup for addresses below: .deploy.akamaitechnologies.com

23.1.217.83  whois = Domain Name: AKAMAITECHNOLOGIES.COM

65.197.244.80  whois = Domain Name: AKAMAITECHNOLOGIES.COM

65.197.244.82  whois = Domain Name: AKAMAITECHNOLOGIES.COM

72.246.225.83  whois = AKAMAITECHNOLOGIES.COM

Apparently this AKAMAITECHNOLOGIES.COM provide deployment services and bandwidth for companies such as Microsoft and many more.

No results

206.160.105.254  whois = Sprint.com

204.95.60.12  whois = Sprint.com

112.80.48.236 whois = Something in China...Blocked this network at firewall.

Reverse lookup for addresses below:  dns-redir-lb-02.tampabay.rr.com

65.32.5.112

65.32.5.111

A little more background on our setup.  We have a very small network with no more than 80 connected devices.  All devices have been accounted for. 

We have a L2L VPN tunnel to our client (did have Reverse route injection enable/now disabled as not needed).  Here we use a dynamic policy NAT to NAT our internal hosts to an address space (Provided by ISP) usable in our clients network.  The nat is configured so packets destined for client network on VPN tunnel get hit a pool of addresses and the source IP is then translated.

We are also using PAT, which is used for packets not destined for the vpn tunnel (like the web). 

What is most puzzling, is if I turn off the PAT and delete the dynamic policy nat, then recreate a new dynamic nat with any any to the pool of addresses, these strange addresses do not show up in ARP table.

Review Cisco Networking for a $25 gift card