ARP inspection on the ASA !!

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Mon, 24 May 2010 22:10:32 +0100

Help!

I must be missing something fundamental here since it did not work even the
first time I attempted this. Here we are:

ARP inspection on the L2 firewall; subnet 162.1.38.0/24 (ASA ip=.13)

R3 (mac=6851, ip=.3) ------------- ASA1 ------------------- SW2 (mac=53c1, ip=.8).

ASA1(config)# May 24 2010 21:41:03: %ASA-5-111008: User 'enable_15' executed
the 'logging cons deb' command.
May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]

ASA1(config)# May 24 2010 21:41:09: %ASA-4-106023: Deny protocol 88 src
Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:10: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to
224.0.0.9/520 on interface Inside
May 24 2010 21:41:13: %ASA-7-609001: Built local-host Outside:162.1.38.3
May 24 2010 21:41:13: %ASA-7-609001: Built local-host Inside:162.1.38.8
May 24 2010 21:41:13: %ASA-6-302020: Built inbound ICMP connection for faddr
162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp
request received from host 001d.a257.53c1 on interface Inside. This host is
advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:13: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp
request received from host 001d.a257.53c1 on interface Inside. This host is
advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:18: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:19: %ASA-3-322002: ARP inspection check failed for arp
request received from host 001d.a257.53c1 on interface Inside. This host is
advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:23: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:23: %ASA-6-302021: Teardown ICMP connection for faddr
162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Outside:162.1.38.3
duration 0:00:10
May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Inside:162.1.38.8
duration 0:00:10
May 24 2010 21:41:27: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:32: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]

ASA1(config)#
ASA1(config)# May 24 2010 21:41:37: %ASA-4-106023: Deny protocol 88 src
Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]

ASA1(config)#
ASA1(config)#
ASA1(config)# sh arp
        Outside 162.1.38.3 001b.d447.6851 alias -
        Inside 162.1.38.8 001d.a257.53c1 alias -
ASA1(config)# May 24 2010 21:41:38: %ASA-7-111009: User 'enable_15' executed
cmd: show arp
May 24 2010 21:41:38: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to
224.0.0.9/520 on interface Inside
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)# sh run arp
arp Inside 162.1.38.8 001d.a257.53c1 alias
arp Outside 162.1.38.3 001b.d447.6851 alias
ASA1(config)#
ASA1(config)# sh run | i arp
arp Inside 162.1.38.8 001d.a257.53c1 alias
arp Outside 162.1.38.3 001b.d447.6851 alias
arp timeout 14400
arp-inspection Outside enable no-flood
arp-inspection Inside enable no-flood
ASA1(config)# sh run | i mac
mac-address-table static Outside 001b.d447.6851
mac-address-table static Inside 001d.a257.53c1
mac-learn Outside disable
mac-learn Inside disable
ASA1(config)# sh mac-add
ASA1(config)# sh mac-address-table
interface mac address type Age(min)
------------------------------------------------------------------
Outside 001b.d447.6851 static
Inside 001d.a257.53c1 static

Blogs and organic groups at http://www.ccie.net
Received on Mon May 24 2010 - 22:10:32 ART
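The repeated %ASA-3-322002 messages in the post are easier to triage once each console-wrapped line is reassembled and the advertised MAC is compared with the bound MAC the ASA reports. The Python below is an added example, not code from the post or from Cisco: it strips the prompt, re-joins wrapped lines, parses the 322002 fields and flags only the events where the two MACs actually differ; the second sample record is constructed, and accepting "statically" as well as "dynamically" in the binding field is an assumption about the message format.

```python
import re

# ASA console output wraps long messages; a continuation line lacks the
# "Mon DD YYYY HH:MM:SS:" timestamp that starts every new message.
TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}: ")
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")
# Field layout of %ASA-3-322002 as printed in the post; the binding word is
# "dynamically" there, \w+ also accepts "statically" (assumption).
ARP_FAIL_RE = re.compile(
    r"%ASA-3-322002: ARP inspection check failed for arp (?P<op>\w+) received "
    r"from host (?P<src_mac>[0-9a-f.]+) on interface (?P<ifname>\S+)\. This host "
    r"is advertising MAC Address (?P<adv_mac>[0-9a-f.]+) for IP Address "
    r"(?P<ip>[0-9.]+), which is (?P<binding>\w+) bound to MAC Address "
    r"(?P<bound_mac>[0-9a-f.]+)"
)

def unwrap(text):
    """Join console-wrapped lines back into one record per syslog message."""
    records = []
    for line in text.splitlines():
        line = PROMPT_RE.sub("", line).strip()  # drop a leading "ASA1(config)# "
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_arp_failures(text):
    """One dict per 322002 message; 'mismatch' is True only when the
    advertised MAC differs from the MAC the ASA has bound to that IP."""
    out = []
    for rec in unwrap(text):
        m = ARP_FAIL_RE.search(rec)
        if m:
            d = m.groupdict()
            d["mismatch"] = d["adv_mac"].lower() != d["bound_mac"].lower()
            out.append(d)
    return out

# Constructed sample: first record copied from the post (same MAC on both
# sides), second record fabricated to show a genuine advertised/bound mismatch.
SAMPLE = """\
ASA1(config)# May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp
request received from host 001d.a257.53c1 on interface Inside. This host is
advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:20: %ASA-3-322002: ARP inspection check failed for arp
response received from host 0000.0000.beef on interface Inside. This host is
advertising MAC Address 0000.0000.beef for IP Address 162.1.38.8, which is
dynamically bound to MAC Address 001d.a257.53c1
"""
```

Run against the post's full console capture, an event with `mismatch` False (as every 322002 line there is) means the check failed even though the advertised MAC equals the bound one, which separates a binding or configuration problem from a host actually claiming someone else's IP.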

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART