From: Moutaz Abd El-Gawad (moutaz1983@yahoo.com)
Date: Wed Oct 08 2008 - 11:09:13 ART
Hi All;
This group study is really great; thanks so much for the valuable information you send.
I faced this problem before in a running environment; it was as follows:
1- ASA inside interface.
2- Ironport web appliance (web proxy)
3- FWSM outside interface.
Exactly, the problem was that there was static NATting on the FWSM for the subnet 10.0.0.0/8, and the VLAN of the devices was 10.20.5.0/24,
so the static command made the FWSM reply to any ARP request for the subnet 10.0.0.0,
and the problem was solved after splitting the static command.
BUT the question is that I already had an old proxy with the same IP, and this problem didn't happen with it, although neither of the two boxes (Ironport & ACNS, the "old proxy") has static ARP entries.
Moutaz Abd El-Gawad
--- On Tue, 10/7/08, Tim <ccie2be@nyc.rr.com> wrote:
From: Tim <ccie2be@nyc.rr.com>
Subject: RE: Very Strange ARP problem
To: "'Farrukh Haroon'" <farrukhharoon@gmail.com>
Cc: ccielab@groupstudy.com, security@groupstudy.com
Date: Tuesday, October 7, 2008, 12:15 PM
Farrukh,
You, my friend, are brilliant !!!
That's exactly what the problem was and I don't think I would have ever
figured that out in a million years.
Thank you so so much.
Tim
_____
From: Farrukh Haroon [mailto:farrukhharoon@gmail.com]
Sent: Tuesday, October 07, 2008 3:01 PM
To: Tim
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Very Strange ARP problem
Most probably this is happening because you configured a static (x,outside)
statement on the ASA for the server. The ASA will respond with its own mac
address for all 'mapped IP addresses' configured in static commands.
Regards
Farrukh
On Tue, Oct 7, 2008 at 9:49 PM, Tim <ccie2be@nyc.rr.com> wrote:
Hi Guys,
I'm doing IE security lab 1
I have 3 devices on the same vlan:
The private int of a VPN 3005 (ip address 183.1.100.11/24, mac addr 00.03.A0.88.D6.24)
The outside int of ASA (ip address 183.1.100.12/24, mac addr 001f.9c98.16ae)
And a Win Server (ip address 183.1.100.100/24, mac addr 0002.a58a.65e6)
When the outside int of the ASA is up, I can't browse from the Win Server to the private int of the VPN 3000.
But, after I shut down the outside int of the ASA, there's no problem. And, after a bit, the arp table on the Win Server is correct.
Then, if I re-enable the outside int of the ASA, the ARP table on the Win Server becomes corrupted, showing the same MAC address (the MAC address of the ASA's outside int) for both the Win Server and the outside int of the ASA.
So, it seems like the ASA is responding to ARP requests for 183.1.100.11
with its own mac address.
Has anybody ever seen this behavior before, or know why this is happening?
And, how can I make it stop doing that?
Thanks, Tim
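The behaviour Farrukh identifies above (the ASA proxy-ARPs for every mapped address that appears in a static statement) shows up on the host side exactly as Tim's symptom: two different IPs in the Windows ARP cache resolving to the firewall's MAC. The script below, an added example that is not part of the thread and not Cisco code, parses a Windows `arp -a` dump and flags (a) any unicast MAC that answers for more than one IP and (b) any IP whose learned MAC does not match a small inventory of known addresses, naming which inventory device the impostor MAC belongs to. The ARP dump and the inventory are constructed for illustration from the addresses and MACs Tim posted; the extra gateway and multicast rows are assumptions. The same check catches a spoofing host, since from the client's point of view proxy ARP by a misconfigured firewall and a malicious ARP reply look identical. On the ASA side the knob that turns this off per interface is `sysopt noproxyarp <interface>`; splitting or narrowing the static, as Moutaz did on the FWSM, is the other fix.

```python
"""Flag IP addresses that share one MAC in a Windows `arp -a` dump.

Added example, not code from the original mailing-list thread. The dump
below is CONSTRUCTED to mirror the symptom in the thread: the ASA outside
interface (183.1.100.12) and the VPN 3005 private interface (183.1.100.11)
both resolve to the ASA's MAC. The gateway row, multicast row and the
inventory below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed `arp -a` output in the Windows format (not captured from the lab).
SAMPLE_ARP_A = """\
Interface: 183.1.100.100 --- 0x2
  Internet Address      Physical Address      Type
  183.1.100.11          00-1f-9c-98-16-ae     dynamic
  183.1.100.12          00-1f-9c-98-16-ae     dynamic
  183.1.100.1           00-0c-29-4a-1b-2c     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed inventory: the MACs Tim listed for each device, normalised to
# colon-separated lower case. In practice this comes from your CMDB or a
# baseline capture taken while the network was known to be healthy.
EXPECTED_MACS = {
    "183.1.100.11": "00:03:a0:88:d6:24",   # VPN 3005 private interface
    "183.1.100.12": "00:1f:9c:98:16:ae",   # ASA outside interface
    "183.1.100.100": "00:02:a5:8a:65:e6",  # Windows server
}

# One ARP row: IPv4 address, MAC with '-' or ':' separators, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)",
    re.MULTILINE,
)


def normalize_mac(mac):
    """Canonical form so '00-1F-9C-98-16-AE' and '00:1f:9c:98:16:ae' compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from `arp -a` output, MACs normalised."""
    return [(ip, normalize_mac(mac), typ) for ip, mac, typ in ENTRY_RE.findall(text)]


def is_group_mac(mac):
    """Multicast/broadcast MACs legitimately map to many IPs; skip them."""
    return int(mac.split(":")[0], 16) & 1 == 1


def find_shared_macs(entries):
    """Map MAC -> sorted IPs for every unicast MAC that answers for more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        if not is_group_mac(mac):
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_against_inventory(entries, expected):
    """Return (ip, expected_mac, seen_mac, owner_ip_of_seen_mac) for each mismatch.

    owner_ip_of_seen_mac is the inventory IP that legitimately has the seen MAC,
    or None if the MAC is unknown (e.g. an attacker's NIC).
    """
    owner_by_mac = {mac: ip for ip, mac in expected.items()}
    findings = []
    for ip, mac, _ in entries:
        if ip in expected and mac != expected[ip]:
            findings.append((ip, expected[ip], mac, owner_by_mac.get(mac)))
    return findings


def report(text, expected):
    """Human-readable summary; returns the lines so callers can log them."""
    entries = parse_arp_table(text)
    lines = []
    for mac, ips in find_shared_macs(entries).items():
        lines.append("MAC %s answers for %d IPs: %s" % (mac, len(ips), ", ".join(ips)))
    for ip, want, seen, owner in check_against_inventory(entries, expected):
        who = ("belongs to %s" % owner) if owner else "is not in inventory"
        lines.append("%s expected %s but learned %s (%s): proxy ARP or spoofing"
                     % (ip, want, seen, who))
    return lines or ["ARP cache consistent with inventory"]


if __name__ == "__main__":
    # Replace SAMPLE_ARP_A with the output of `arp -a` on the affected host.
    for line in report(SAMPLE_ARP_A, EXPECTED_MACS):
        print(line)
```

Run it with the real `arp -a` output piped into `SAMPLE_ARP_A` after the ASA interface comes back up; a finding that names the firewall's own IP as the owner of the impostor MAC is the static-NAT proxy-ARP case from this thread, while an owner of `None` is worth treating as a spoofing incident.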
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:20 ARST