RE: Very Strange ARP problem

From: Tim (ccie2be@nyc.rr.com)
Date: Tue Oct 07 2008 - 16:15:31 ART


Farrukh,

You, my friend, are brilliant!!!

That's exactly what the problem was and I don't think I would have ever
figured that out in a million years.

Thank you so so much.

Tim

  _____

From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
Sent: Tuesday, October 07, 2008 3:01 PM
To: Tim
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Very Strange ARP problem

Most probably this is happening because you configured a static (x,outside)
statement on the ASA for the server. The ASA will respond with its own MAC
address for all 'mapped IP addresses' configured in static commands.

Regards

Farrukh

On Tue, Oct 7, 2008 at 9:49 PM, Tim <ccie2be@nyc.rr.com> wrote:

Hi Guys,

I'm doing IE security lab 1.

I have 3 devices on the same vlan:

The private int of a VPN 3005 (ip address 183.1.100.11/24, mac addr
00.03.A0.88.D6.24)

The outside int of ASA (ip address 183.1.100.12/24, mac addr
001f.9c98.16ae)

And a Win Server (ip address 183.1.100.100/24, mac addr
0002.a58a.65e6)

When the outside int of the ASA is up, I can't browse from the Win Server to
the private int of the VPN 3000.

But, after I shut down the outside int of the ASA, there's no problem. And,
after a bit the arp table on the Win Server is correct.

Then, if I re-enable the outside int of the ASA, the ARP table on the Win
Server becomes corrupted, showing the same MAC address (the MAC address of
the ASA's outside int) for both the Win Server and the outside int of the ASA.

So, it seems like the ASA is responding to ARP requests for 183.1.100.11
with its own MAC address.

Has anybody ever seen this behavior before or know why this is happening?

And, how can I make it stop doing that?

Thanks, Tim

This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST