Thanks Adrian, but OUT-IN ACL is an L3 ACL and only matching on IP traffic #88 (EIGRP).
If you look one more time, you will find out that it's my ARP traffic that the ASA is bitching on about :-)
Nice try though ;-)
Sadiq
On Mon, May 24, 2010 at 10:19 PM, Adrian Brayton <abrayton_at_gmail.com> wrote:
> I am not an ASA guy but you should check your "access-group "OUT-IN"...
>
>
> On May 24, 2010, at 5:10 PM, Sadiq Yakasai wrote:
>
> > Help!
> >
> > I must be missing something fundamental here since it did not work even
> the
> > first time I attempted this. Here we are:
> >
> > ARP inspection on the L2 firewall; subnet 162.1.38.0/24 (ASA ip=.13)
> >
> > R3 (mac=6851, ip=.3) ------------- ASA1-------------------SW2 (mac=53c1,
> > ip=.8).
> >
> > ASA1(config)# May 24 2010 21:41:03: %ASA-5-111008: User 'enable_15' executed the 'logging cons deb' command.
> > May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> >
> > ASA1(config)# May 24 2010 21:41:09: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> > May 24 2010 21:41:10: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to 224.0.0.9/520 on interface Inside
> > May 24 2010 21:41:13: %ASA-7-609001: Built local-host Outside:162.1.38.3
> > May 24 2010 21:41:13: %ASA-7-609001: Built local-host Inside:162.1.38.8
> > May 24 2010 21:41:13: %ASA-6-302020: Built inbound ICMP connection for faddr 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
> > May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
> > May 24 2010 21:41:13: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> > May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
> > May 24 2010 21:41:18: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> > May 24 2010 21:41:19: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
> > May 24 2010 21:41:23: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> > May 24 2010 21:41:23: %ASA-6-302021: Teardown ICMP connection for faddr 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
> > May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Outside:162.1.38.3 duration 0:00:10
> > May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Inside:162.1.38.8 duration 0:00:10
> > May 24 2010 21:41:27: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> > May 24 2010 21:41:32: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> >
> > ASA1(config)#
> > ASA1(config)# May 24 2010 21:41:37: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
> >
> > ASA1(config)#
> > ASA1(config)#
> > ASA1(config)# sh arp
> > Outside 162.1.38.3 001b.d447.6851 alias -
> > Inside 162.1.38.8 001d.a257.53c1 alias -
> > ASA1(config)# May 24 2010 21:41:38: %ASA-7-111009: User 'enable_15' executed cmd: show arp
> > May 24 2010 21:41:38: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to 224.0.0.9/520 on interface Inside
> > ASA1(config)#
> > ASA1(config)#
> > ASA1(config)#
> > ASA1(config)# sh run arp
> > arp Inside 162.1.38.8 001d.a257.53c1 alias
> > arp Outside 162.1.38.3 001b.d447.6851 alias
> > ASA1(config)#
> > ASA1(config)# sh run | i arp
> > arp Inside 162.1.38.8 001d.a257.53c1 alias
> > arp Outside 162.1.38.3 001b.d447.6851 alias
> > arp timeout 14400
> > arp-inspection Outside enable no-flood
> > arp-inspection Inside enable no-flood
> > ASA1(config)# sh run | i mac
> > mac-address-table static Outside 001b.d447.6851
> > mac-address-table static Inside 001d.a257.53c1
> > mac-learn Outside disable
> > mac-learn Inside disable
> > ASA1(config)# sh mac-add
> > ASA1(config)# sh mac-address-table
> > interface mac address type Age(min)
> > ------------------------------------------------------------------
> > Outside 001b.d447.6851 static
> > Inside 001d.a257.53c1 static
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963

Received on Mon May 24 2010 - 22:27:35 ART
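As an added triage example (not part of the thread), the following Python separates the %ASA-3-322002 ARP inspection failures from the %ASA-4-106023 L3 ACL denies in the console output above and checks each ARP failure against the static `arp ... alias` entries from `sh run arp`. The sample lines are copied from the thread; the function names and the fields of the findings are the example's own.

```python
import re

# Constructed sample: three console lines copied from the thread (a 106023 ACL
# deny, a 106006 deny, a 322002 ARP inspection failure) plus the "sh run arp"
# output. Function names and the findings fields are this example's own.
SAMPLE_LOG = """\
May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
May 24 2010 21:41:10: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to 224.0.0.9/520 on interface Inside
May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
"""
STATIC_ARP = "arp Inside 162.1.38.8 001d.a257.53c1 alias\narp Outside 162.1.38.3 001b.d447.6851 alias\n"

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)")
ARP_RE = re.compile(
    r"received from host (?P<src>\S+) on interface (?P<ifc>\S+)\. This host is "
    r"advertising MAC Address (?P<adv>\S+) for IP Address (?P<ip>[\d.]+), which is "
    r"(?P<how>\w+) bound to MAC Address (?P<bound>\S+)")
ACL_RE = re.compile(r'Deny protocol (?P<proto>\d+) src (?P<sifc>\w+):(?P<sip>[\d.]+) '
                    r'dst (?P<difc>\w+):(?P<dip>[\d.]+) by access-group "(?P<acl>[^"]+)"')

def parse_static_arp(cfg):
    """Map (interface, ip) -> mac from 'arp <ifc> <ip> <mac> alias' lines."""
    table = {}
    for parts in (line.split() for line in cfg.splitlines()):
        if len(parts) >= 4 and parts[0] == "arp":
            table[(parts[1], parts[2])] = parts[3]
    return table

def triage(log, cfg):
    """Classify each ASA syslog line as an ARP-inspection or L3-ACL event."""
    static = parse_static_arp(cfg)
    findings = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m.group("id"), m.group("body")
        if msg_id == "322002" and (a := ARP_RE.search(body)):
            # A spoof shows advertised != bound; equal MACs plus a failure point at the
            # binding itself (the thread's log says "dynamically" for a static alias entry).
            findings.append({"kind": "arp-inspection", "interface": a["ifc"],
                             "ip": a["ip"], "advertised": a["adv"], "bound": a["bound"],
                             "configured": static.get((a["ifc"], a["ip"])),
                             "binding": a["how"], "spoof": a["adv"] != a["bound"]})
        elif msg_id == "106023" and (d := ACL_RE.search(body)):
            # IP protocol 88 is EIGRP: an L3 ACL verdict, unrelated to ARP inspection.
            findings.append({"kind": "l3-acl", "acl": d["acl"], "proto": int(d["proto"]),
                             "eigrp": d["proto"] == "88", "src": d["sip"], "dst": d["dip"]})
    return findings
```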