Re: ARP inspection on the ASA !!

From: Adrian Brayton <abrayton_at_gmail.com>
Date: Mon, 24 May 2010 17:19:29 -0400

I am not an ASA guy but you should check your "access-group "OUT-IN"...

On May 24, 2010, at 5:10 PM, Sadiq Yakasai wrote:

> Help!
>
> I must be missing something fundamental here since it did not work even the
> first time I attempted this. Here we are:
>
> ARP inspection on the L2 firewall; subnet 162.1.38.0/24 (ASA ip=.13)
>
> R3 (mac=6851, ip=.3) ------------- ASA1-------------------SW2 (mac=53c1,
> ip=.8).
>
> ASA1(config)# May 24 2010 21:41:03: %ASA-5-111008: User 'enable_15' executed
> the 'logging cons deb' command.
> May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>
> ASA1(config)# May 24 2010 21:41:09: %ASA-4-106023: Deny protocol 88 src
> Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> May 24 2010 21:41:10: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to
> 224.0.0.9/520 on interface Inside
> May 24 2010 21:41:13: %ASA-7-609001: Built local-host Outside:162.1.38.3
> May 24 2010 21:41:13: %ASA-7-609001: Built local-host Inside:162.1.38.8
> May 24 2010 21:41:13: %ASA-6-302020: Built inbound ICMP connection for faddr
> 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
> May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp
> request received from host 001d.a257.53c1 on interface Inside. This host is
> advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
> dynamically bound to MAC Address 001d.a257.53c1
> May 24 2010 21:41:13: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp
> request received from host 001d.a257.53c1 on interface Inside. This host is
> advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
> dynamically bound to MAC Address 001d.a257.53c1
> May 24 2010 21:41:18: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> May 24 2010 21:41:19: %ASA-3-322002: ARP inspection check failed for arp
> request received from host 001d.a257.53c1 on interface Inside. This host is
> advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is
> dynamically bound to MAC Address 001d.a257.53c1
> May 24 2010 21:41:23: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> May 24 2010 21:41:23: %ASA-6-302021: Teardown ICMP connection for faddr
> 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
> May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Outside:162.1.38.3
> duration 0:00:10
> May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Inside:162.1.38.8
> duration 0:00:10
> May 24 2010 21:41:27: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> May 24 2010 21:41:32: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3
> dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>
> ASA1(config)#
> ASA1(config)# May 24 2010 21:41:37: %ASA-4-106023: Deny protocol 88 src
> Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>
> ASA1(config)#
> ASA1(config)#
> ASA1(config)# sh arp
> Outside 162.1.38.3 001b.d447.6851 alias -
> Inside 162.1.38.8 001d.a257.53c1 alias -
> ASA1(config)# May 24 2010 21:41:38: %ASA-7-111009: User 'enable_15' executed
> cmd: show arp
> May 24 2010 21:41:38: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to
> 224.0.0.9/520 on interface Inside
> ASA1(config)#
> ASA1(config)#
> ASA1(config)#
> ASA1(config)# sh run arp
> arp Inside 162.1.38.8 001d.a257.53c1 alias
> arp Outside 162.1.38.3 001b.d447.6851 alias
> ASA1(config)#
> ASA1(config)# sh run | i arp
> arp Inside 162.1.38.8 001d.a257.53c1 alias
> arp Outside 162.1.38.3 001b.d447.6851 alias
> arp timeout 14400
> arp-inspection Outside enable no-flood
> arp-inspection Inside enable no-flood
> ASA1(config)# sh run | i mac
> mac-address-table static Outside 001b.d447.6851
> mac-address-table static Inside 001d.a257.53c1
> mac-learn Outside disable
> mac-learn Inside disable
> ASA1(config)# sh mac-add
> ASA1(config)# sh mac-address-table
> interface mac address type Age(min)
> ------------------------------------------------------------------
> Outside 001b.d447.6851 static
> Inside 001d.a257.53c1 static
>
>
> Blogs and organic groups at http://www.ccie.net
>

Received on Mon May 24 2010 - 17:19:29 ART

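Added example, not part of the thread: a small Python triage script that parses the two ASA message types quoted above (%ASA-3-322002 ARP inspection failures and %ASA-4-106023 access-group denies) and separates a genuine advertised-vs-bound MAC mismatch from the case seen here, where the advertised MAC equals the MAC the ASA already has bound. The sample lines are constructed from the thread's messages (unwrapped, as syslog emits them); the fourth line, with a real mismatch, is invented for contrast.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the messages in the thread. The last
# line is an invented mismatch case so both verdicts are exercised.
SAMPLE_LOG = """\
May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:30: %ASA-3-322002: ARP inspection check failed for arp reply received from host 0000.0c9f.f001 on interface Outside. This host is advertising MAC Address 0000.0c9f.f001 for IP Address 162.1.38.3, which is statically bound to MAC Address 001b.d447.6851
"""

ARP_RE = re.compile(
    r"%ASA-3-322002: ARP inspection check failed for arp (?P<op>request|reply) "
    r"received from host (?P<src_mac>[0-9a-f.]+) on interface (?P<ifname>[^.\s]+)\. "
    r"This host is advertising MAC Address (?P<adv_mac>[0-9a-f.]+) for IP Address "
    r"(?P<ip>[0-9.]+), which is (?P<bind>dynamically|statically) bound to "
    r"MAC Address (?P<bound_mac>[0-9a-f.]+)")
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny protocol (?P<proto>\d+) src (?P<src_if>\w+):(?P<src>[0-9.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[0-9.]+) by access-group \"(?P<acl>[^\"]+)\"")

# IP protocol numbers that show up in this kind of lab: 88 is EIGRP, 89 is OSPF.
PROTO_NAMES = {88: "EIGRP", 89: "OSPF"}

def proto_name(number):
    return PROTO_NAMES.get(number, f"proto-{number}")

def classify_arp_event(ev):
    """A differing advertised/bound MAC is the condition ARP inspection exists
    to catch; an identical pair (the thread's case) points at the binding or
    configuration on the ASA rather than at the sending host."""
    return "mac_mismatch" if ev["adv_mac"] != ev["bound_mac"] else "mac_matches_binding"

def triage(log_text):
    """Parse the log and return ARP events, ACL denies and a verdict summary."""
    arp, denies = [], []
    for line in log_text.splitlines():
        m = ARP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["verdict"] = classify_arp_event(ev)
            arp.append(ev)
            continue
        m = DENY_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["proto"] = int(ev["proto"])
            ev["proto_name"] = proto_name(ev["proto"])
            denies.append(ev)
    return {"arp": arp, "deny": denies, "summary": Counter(e["verdict"] for e in arp)}
```

Running `triage(SAMPLE_LOG)` on the thread's own lines yields only `mac_matches_binding` verdicts, which is the hint that the failure is about how 162.1.38.8 is bound on the ASA, while the single deny is EIGRP (protocol 88) to 224.0.0.10 blocked by the "OUT-IN" access-group that the reply points at.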