Re: ARP inspection on the ASA !!

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Mon, 24 May 2010 22:40:55 +0100

False negative!

Not sure what I was thinking - did not actually put in the static ARP entry
on the other side of the connection.

Thanks for seeing my email anyway :-)

Later

On Mon, May 24, 2010 at 10:27 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:

> Thanks Adrian, but OUT-IN ACL is a L3 ACL and only matching on IP traffic
> #88 (EIGRP).
>
> If you look one more time, you will find out that it's my ARP traffic that
> the ASA is bitching on about :-)
>
> Nice try though ;-)
>
> Sadiq
>
>
> On Mon, May 24, 2010 at 10:19 PM, Adrian Brayton <abrayton_at_gmail.com> wrote:
>
>> I am not an ASA guy but you should check your "access-group "OUT-IN"...
>>
>>
>> On May 24, 2010, at 5:10 PM, Sadiq Yakasai wrote:
>>
>> > Help!
>> >
>> > I must be missing something fundamental here since it did not work even the first time I attempted this. Here we are:
>> >
>> > ARP inspection on the L2 firewall; subnet 162.1.38.0/24 (ASA ip=.13)
>> >
>> > R3 (mac=6851, ip=.3) ------------- ASA1 ------------------- SW2 (mac=53c1, ip=.8).
>> >
>> > ASA1(config)# May 24 2010 21:41:03: %ASA-5-111008: User 'enable_15' executed the 'logging cons deb' command.
>> > May 24 2010 21:41:04: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> >
>> > ASA1(config)# May 24 2010 21:41:09: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> > May 24 2010 21:41:10: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to 224.0.0.9/520 on interface Inside
>> > May 24 2010 21:41:13: %ASA-7-609001: Built local-host Outside:162.1.38.3
>> > May 24 2010 21:41:13: %ASA-7-609001: Built local-host Inside:162.1.38.8
>> > May 24 2010 21:41:13: %ASA-6-302020: Built inbound ICMP connection for faddr 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
>> > May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
>> > May 24 2010 21:41:13: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> > May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
>> > May 24 2010 21:41:18: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> > May 24 2010 21:41:19: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
>> > May 24 2010 21:41:23: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> > May 24 2010 21:41:23: %ASA-6-302021: Teardown ICMP connection for faddr 162.1.38.3/4 gaddr 162.1.38.8/0 laddr 162.1.38.8/0
>> > May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Outside:162.1.38.3 duration 0:00:10
>> > May 24 2010 21:41:23: %ASA-7-609002: Teardown local-host Inside:162.1.38.8 duration 0:00:10
>> > May 24 2010 21:41:27: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> > May 24 2010 21:41:32: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> >
>> > ASA1(config)#
>> > ASA1(config)# May 24 2010 21:41:37: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
>> >
>> > ASA1(config)#
>> > ASA1(config)#
>> > ASA1(config)# sh arp
>> > Outside 162.1.38.3 001b.d447.6851 alias -
>> > Inside 162.1.38.8 001d.a257.53c1 alias -
>> > ASA1(config)# May 24 2010 21:41:38: %ASA-7-111009: User 'enable_15' executed cmd: show arp
>> > May 24 2010 21:41:38: %ASA-2-106006: Deny inbound UDP from 162.1.38.8/520 to 224.0.0.9/520 on interface Inside
>> > ASA1(config)#
>> > ASA1(config)#
>> > ASA1(config)#
>> > ASA1(config)# sh run arp
>> > arp Inside 162.1.38.8 001d.a257.53c1 alias
>> > arp Outside 162.1.38.3 001b.d447.6851 alias
>> > ASA1(config)#
>> > ASA1(config)# sh run | i arp
>> > arp Inside 162.1.38.8 001d.a257.53c1 alias
>> > arp Outside 162.1.38.3 001b.d447.6851 alias
>> > arp timeout 14400
>> > arp-inspection Outside enable no-flood
>> > arp-inspection Inside enable no-flood
>> > ASA1(config)# sh run | i mac
>> > mac-address-table static Outside 001b.d447.6851
>> > mac-address-table static Inside 001d.a257.53c1
>> > mac-learn Outside disable
>> > mac-learn Inside disable
>> > ASA1(config)# sh mac-add
>> > ASA1(config)# sh mac-address-table
>> > interface mac address type Age(min)
>> > ------------------------------------------------------------------
>> > Outside 001b.d447.6851 static
>> > Inside 001d.a257.53c1 static
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>
>
> --
> CCIE #19963
>

-- 
CCIE #19963
Received on Mon May 24 2010 - 22:40:55 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART
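The %ASA-3-322002 messages in the thread carry everything needed to tell a real ARP spoofing attempt apart from a configuration gap like the one Sadiq found (no static entry on the other side). The following parser is an added example, not code from the thread or from Cisco: it extracts the fields from each 322002 line, and reports whether the advertised MAC differs from the MAC the ASA has bound (possible spoofing or a stale binding) or merely failed because the binding the ASA compared against was not a static one (the pattern visible in the quoted logs). The sample log lines are constructed for the example; the second line is invented to show the mismatch case. The verdict names are this example's own labels, not ASA terminology.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the first line mirrors the 322002 messages quoted in the
# thread, the second is invented to show an advertised MAC that differs from the
# bound MAC, the third is an unrelated ACL deny that the parser must ignore.
SAMPLE_LOG = """\
May 24 2010 21:41:13: %ASA-3-322002: ARP inspection check failed for arp request received from host 001d.a257.53c1 on interface Inside. This host is advertising MAC Address 001d.a257.53c1 for IP Address 162.1.38.8, which is dynamically bound to MAC Address 001d.a257.53c1
May 24 2010 21:41:17: %ASA-3-322002: ARP inspection check failed for arp response received from host 0000.1111.2222 on interface Outside. This host is advertising MAC Address 0000.1111.2222 for IP Address 162.1.38.3, which is statically bound to MAC Address 001b.d447.6851
May 24 2010 21:41:18: %ASA-4-106023: Deny protocol 88 src Outside:162.1.38.3 dst Inside:224.0.0.10 by access-group "OUT-IN" [0x0, 0x0]
"""

# Field layout of the 322002 message as it appears in the quoted logs.
ARP_322002 = re.compile(
    r"(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-3-322002: "
    r"ARP inspection check failed for arp (?P<kind>request|response) received from host "
    r"(?P<src_mac>[0-9a-f.]+) on interface (?P<iface>\S+)\. This host is advertising "
    r"MAC Address (?P<adv_mac>[0-9a-f.]+) for IP Address (?P<ip>[\d.]+), which is "
    r"(?P<binding>dynamically|statically) bound to MAC Address (?P<bound_mac>[0-9a-f.]+)"
)


@dataclass
class ArpInspectionEvent:
    ts: str
    kind: str        # "request" or "response"
    src_mac: str     # Ethernet source of the ARP frame
    iface: str       # ASA interface that received it
    adv_mac: str     # MAC the ARP payload claims for the IP
    ip: str
    binding: str     # "dynamically" or "statically"
    bound_mac: str   # MAC the ASA currently associates with the IP

    def verdict(self) -> str:
        """Classify the failure (labels are this example's own, not ASA terms)."""
        if self.adv_mac != self.bound_mac:
            # Someone is claiming an IP with a different MAC than the ASA has bound:
            # the case ARP inspection exists to catch.
            return "mac-mismatch"
        if self.binding != "statically":
            # Advertised MAC agrees with what the ASA knows, but the ASA only had a
            # dynamic binding to compare against: a missing static ARP entry, as in
            # the thread, rather than a spoof.
            return "no-static-binding"
        return "matches-static"


def parse_events(log: str) -> List[ArpInspectionEvent]:
    """Return one event per 322002 line; other syslog IDs are skipped."""
    events = []
    for line in log.splitlines():
        m = ARP_322002.search(line)
        if m:
            events.append(ArpInspectionEvent(**m.groupdict()))
    return events


def summarize(log: str) -> Dict[Tuple[str, str, str], int]:
    """Count failures per (interface, IP, verdict) so repeat offenders stand out."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for ev in parse_events(log):
        key = (ev.iface, ev.ip, ev.verdict())
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (iface, ip, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{iface:8} {ip:15} {verdict:18} x{n}")
```

Run over the quoted logs, every 322002 line lands in the "no-static-binding" bucket with identical advertised and bound MACs, which is the signature of the configuration gap rather than of a host lying about an IP.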