From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sun Dec 30 2007 - 18:52:36 ARST
Hello Anderson
Both features can work independently of each other. ARP inspection requires
static mapping of all ARP entries (interface, IP and MAC). This is different
from the Dynamic ARP Inspection feature (on switches), which can make
decisions based on the DHCP binding table. But this is mostly due to the
network positioning of a transparent firewall vs. a switch. In most
topologies there would be only two devices directly connected to the ASA/PIX
in transparent mode, so one could easily do these static mappings.
MAC learning can be disabled to prevent MAC spoofing etc., as you suggest.
However, this would require that static MAC entries are defined for all
traffic bridged through the appliance. As per the documentation, once you
add a static ARP entry, a corresponding static MAC entry is automatically
added for that IP/MAC pair.
One last thing that I would like to share, which I found quite important
while studying for this feature, i.e. the MAC learning for the security
appliance vs. regular switches. As per CCO:
" << Because the security appliance is a firewall, if the destination MAC
address of a packet is not in the table, the security appliance does not
flood the original packet on all interfaces as a normal bridge does.
Instead, it generates the following packets for directly connected devices
or for remote devices:
Packets for directly connected devices: The security appliance generates an
ARP request for the destination IP address, so that the security appliance
can learn which interface receives the ARP response.
Packets for remote devices: The security appliance generates a ping to the
destination IP address so that the security appliance can learn which
interface receives the ping reply.
The original packet is dropped. >>"
Regards
Farrukh
On Dec 30, 2007 11:15 PM, Anderson Mota Alves <mota.anderson@gmail.com> wrote:
> Hi guys,
>
> I have a doubt when I need to configure ARP Inspection in a PIX in
> transparent mode. I've seen from some workbooks that for the ARP inspection
> section in a PIX in transparent mode we also need to disable MAC learning
> and configure static entries for the MAC addresses from both interfaces
> (inside and outside). The only thing I don't get in here is the reason to
> disable MAC learning (for me this practice is to avoid MAC spoofing) while
> it's different from ARP spoofing.
>
> Any input would be really appreciated, and HAPPY NEW YEAR !!!! :-D
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
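The configuration Farrukh describes above (static ARP entries, ARP inspection per interface, MAC learning disabled, static MAC entries) put together as one transparent-mode ASA/PIX 7.x fragment. This is an added example, not from either message or from Cisco documentation; the interface names, IP addresses and MAC addresses are constructed placeholders, and the `no-flood` keyword is my addition to show how ARP packets that match no static entry are handled.

```text
! Added example configuration (not from the original post). Interface names,
! IP addresses and MAC addresses below are constructed placeholders.
!
! Transparent (bridging) mode: one device on each side of the appliance.
firewall transparent
!
! Static ARP entries: interface, IP and MAC for every host whose traffic
! crosses the appliance. Per the documentation quoted above, each static ARP
! entry also creates a static MAC entry for that IP/MAC pair.
arp inside  10.1.1.1 0000.0c11.1111
arp outside 10.1.1.2 0000.0c22.2222
!
! Enable ARP inspection on both interfaces. An ARP packet whose interface/IP/MAC
! matches a static entry is forwarded; a mismatch is dropped; with "no-flood",
! an ARP packet that matches no entry at all is dropped instead of being
! forwarded out the other interfaces (the default is "flood").
arp-inspection inside  enable no-flood
arp-inspection outside enable no-flood
!
! Disable MAC learning so the bridge table holds only static entries. A frame
! whose destination MAC is not in the table is then not learned dynamically;
! as quoted above, the appliance probes (ARP or ping) and drops the original.
mac-learn inside  disable
mac-learn outside disable
!
! Static MAC entry for a host that is bridged but has no static ARP entry
! (for example a non-IP device), otherwise its frames are never forwarded.
mac-address-table static inside 0000.0c33.3333
```

To confirm the result, `show arp-inspection` lists the per-interface inspection state and flood setting, `show arp` shows the static entries, and `show mac-address-table` should contain only the static MACs (both those added automatically from `arp` and those configured explicitly) once learning is disabled.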
This archive was generated by hypermail 2.1.4 : Tue Jan 01 2008 - 12:04:32 ARST