04-05-2010 10:48 AM - edited 03-09-2019 10:54 PM
I have discovered that the Cisco ASA5505 we are using for a firewall is granting a dynamic arp to an SMC router on the outside interface which has access to the internet. The IP address is not that of the single IP granted for the outside interface to the internet, but it is in the range under the net mask (8 addresses).
I tried using a non-MAC exempt rule in the AAA section to block this, but this doesn't seem to be a good solution.
Is the router coming in from the outside? Has the outside interface been breached? Apparently the ASA5505 doesn't think the router is violating any access rules.
The dynamic ARP appeared over the weekend, when the normal equipment was shut down, but the firewall left running. Too bad the ARP table doesn't time stamp when this occurred.
The unknown router has the same MAC address that was found during the middle of last week. This appearance just started at the middle of last week.
I do not know what router this is, so I now have concern.
What steps should I take to track this down? (I am not an experienced seasoned security IP person)
04-05-2010 12:10 PM
Networking devices will learn arp when a Grat ARP is sent. The arp entry will be added to the routing table for locally connected nets.
If you saw an incorrect arp you should check the directly connected devices.
Any time you unshut an interface with an IP address on a router or an ASA it will Grat ARP.
If there is a switch that connects the outside of the asa you can do "sh mac address | i
I hope it helps.
PK
04-05-2010 02:15 PM
Dear PK:
I did some reading on my own regarding "Gratuitous ARP" and understand that now, but am having problems discovering how the ASA5505 learned the ARP, since apparently the "show mac" command is not available under the ASA 5505 software (I am using the CLI window).
The available show commands are "show arp" and "show IP" which is close but doesn't give me what I need.
It could be that the connection on the other end of my dedicated IP (1 address) is changing or stopping and starting and then sending the Grat arp, as this seems most reasonable, but I would like to confirm that this is so.
It also doesn't help that last week Columbia University in New York scanned our block of addresses and attempted to sit upon both the http and telnet ports. Their laboratory is set up to scan banks of IP numbers and find misconfigured routers or security appliances.
Randall
04-06-2010 05:58 AM
The "sh mac address" is available on the switches. So if you have a switch on the outside of the ASA that connects that ASA outside with the upstream router, you can check the MAC address table of the switch to see where it learnt the bogus MAC.
I hope it helps.
PK
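As an added example (not code from this thread or from Cisco), the script below does the two checks PK describes, with the timestamping Randall wished the ASA had: it diffs two snapshots of ASA "show arp" output to flag any new or changed MAC binding on the outside interface within the assigned block, then looks the flagged MAC up in a switch "show mac address-table" dump to find the physical port it was learned on. The subnet 203.0.113.0/29, the interface name "outside", and all ARP and MAC-table lines are constructed sample data in the shape of those commands' output; substitute your own saved snapshots.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample snapshots in the shape of ASA "show arp" output:
# interface, IP address, MAC, age in seconds. Values are made up.
ARP_BEFORE = """\
        outside 203.0.113.1 0011.2233.4455 3341
        inside 192.168.1.10 aabb.ccdd.eeff 120
"""
ARP_AFTER = """\
        outside 203.0.113.1 0011.2233.4455 3401
        outside 203.0.113.5 5c5c.5c5c.5c5c 30
        inside 192.168.1.10 aabb.ccdd.eeff 180
"""

# Constructed sample in the shape of a Catalyst "show mac address-table" dump.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0011.2233.4455    DYNAMIC     Gi0/1
   2    5c5c.5c5c.5c5c    DYNAMIC     Fa0/7
"""

CISCO_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+" + CISCO_MAC + r"\s+(\S+)\s*$", re.I)
MAC_TABLE_RE = re.compile(r"^\s*(\d+)\s+" + CISCO_MAC + r"\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_arp(text):
    """Map (interface, ip) -> mac from show arp output; header/blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            iface, ip, mac, _age = m.groups()
            entries[(iface, ip)] = mac.lower()
    return entries


def diff_arp(before, after, interface="outside", subnet="203.0.113.0/29"):
    """Return (kind, ip, old_mac, new_mac) for bindings on `interface` inside `subnet`
    that appear in `after` but were absent or had a different MAC in `before`."""
    net = ipaddress.ip_network(subnet)
    old = parse_arp(before)
    new = parse_arp(after)
    findings = []
    for (iface, ip), mac in sorted(new.items()):
        if iface != interface or ipaddress.ip_address(ip) not in net:
            continue
        prev = old.get((iface, ip))
        if prev is None:
            findings.append(("new", ip, None, mac))
        elif prev != mac:
            findings.append(("changed", ip, prev, mac))
    return findings


def parse_mac_table(text):
    """Map mac -> (vlan, port) from show mac address-table output."""
    ports = {}
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            ports[mac.lower()] = (int(vlan), port)
    return ports


def locate(mac, table_text=SWITCH_MAC_TABLE):
    """Return (vlan, port) where the switch learned `mac`, or None if it is not in the table."""
    return parse_mac_table(table_text).get(mac.lower())


def report(before=ARP_BEFORE, after=ARP_AFTER, table_text=SWITCH_MAC_TABLE):
    """Timestamped lines for each suspicious binding, with the switch port if known."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    lines = []
    for kind, ip, old_mac, new_mac in diff_arp(before, after):
        where = locate(new_mac, table_text)
        port = f"vlan {where[0]} port {where[1]}" if where else "not in switch table"
        prev = f" (was {old_mac})" if old_mac else ""
        lines.append(f"{stamp} {kind} ARP entry {ip} -> {new_mac}{prev}; learned on {port}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it from cron (or a scheduled task) against a fresh "show arp" capture each time, keeping the previous capture as `before`; the stamp on each line records when the unexpected binding first showed up, and the port tells you which cable to follow.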