Troubleshooting ARP Poisoning or ARP spoofing on Cisco ASA 9.x

1. Objective

This tutorial explains how to fix the problem where the MAC address of one Cisco ASA interface is mapped to many IP addresses in the ARP table of the upstream device.

2. Problem Description

A Cisco ASA firewall running ASA software version 9.x is connected to the Internet. The outside interface of the ASA sits in the public subnet 117.100.100.0/29 assigned by the ISP.

In the ISP router's ARP table, the MAC address of the ASA's outside interface shows up against every public address in the /29, not only the one the ASA is assigned. With proxy ARP enabled, the ASA answers ARP requests for the addresses it translates to (the mapped addresses of its NAT rules), so the ISP router learns the ASA's MAC for each of them, delivers frames for those addresses to the ASA, and connectivity between the ASA and the ISP router is lost. From the ISP's point of view this looks exactly like ARP poisoning or ARP spoofing, although here the cause is the ASA's own proxy ARP behaviour rather than an attacker.

The ARP table on the ISP router (show ip arp on IOS; the column header is the one IOS prints):

Protocol  Address            Age (min)  Hardware Addr   Type   Interface
Internet  117.100.100.1            82   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.2            32   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.3             4   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.4             3   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.5             3   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.6            73   00f6.6397.50c5  ARPA   TenGigabitEthernet1/1/0.525
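
To spot this condition from the upstream side without reading the table by eye, the following Python script (an added example, not part of the original tutorial) parses Cisco IOS show ip arp output and reports every MAC address that answers for more than one IP on the segment. The table embedded in it is a constructed copy of the output above, and the parse_arp, shared_macs and report names are this example's own.

```python
"""Flag a MAC address that answers for many IP addresses in Cisco IOS 'show ip arp' output."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in 'show ip arp' format, copied from the table in the tutorial above
# (not captured from a live router). The first line is the column header IOS prints.
SAMPLE_ARP = """\
Protocol  Address            Age (min)  Hardware Addr   Type   Interface
Internet  117.100.100.1            82   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.2            32   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.3             4   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.4             3   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.5             3   00f6.6397.50c3  ARPA   TenGigabitEthernet1/1/0.525
Internet  117.100.100.6            73   00f6.6397.50c5  ARPA   TenGigabitEthernet1/1/0.525
"""

# One resolved IOS ARP row. Age is a minute count, or '-' for the router's own addresses.
# Unresolved rows print 'Incomplete' instead of a MAC and deliberately do not match.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return a list of (ip, mac, interface) tuples for every resolved row in the table."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            rows.append((m["ip"], m["mac"].lower(), m["iface"]))
    return rows


def shared_macs(rows, min_ips=2):
    """Map each MAC that owns at least min_ips addresses to its sorted list of IPs.

    A host normally owns one address per segment. A MAC tied to many addresses is
    either a device doing proxy ARP for them (as the ASA does for NAT mapped addresses
    by default) or an attacker poisoning the table; either way it needs a look.
    """
    ips_by_mac = defaultdict(set)
    for ip, mac, _iface in rows:
        ips_by_mac[mac].add(ip)
    return {
        mac: sorted(ips, key=ipaddress.IPv4Address)
        for mac, ips in ips_by_mac.items()
        if len(ips) >= min_ips
    }


def report(text, allowlist=frozenset()):
    """Return one warning line per suspicious MAC, skipping MACs known to own many IPs."""
    return [
        f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}"
        for mac, ips in shared_macs(parse_arp(text)).items()
        if mac not in allowlist
    ]


if __name__ == "__main__":
    for warning in report(SAMPLE_ARP):
        print(warning)
```

Feed it the real output of show ip arp and review every hit. A firewall proxy-ARPing for a NAT pool, a load balancer holding several VIPs and an attacker poisoning the segment all look the same at this layer, so keep an allowlist of MACs that legitimately own many addresses and treat everything else as something to investigate.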

3. Problem Resolution

To fix this problem, disable proxy ARP on the outside interface of the Cisco ASA. Proxy ARP is enabled by default on the ASA, so it has to be turned off explicitly; from global configuration mode:

# sysopt noproxyarp outside

To stop the same thing from happening on the inside LAN, disable proxy ARP on the inside interface as well, then verify that both settings are in the running configuration:

# sysopt noproxyarp inside
# show running-config sysopt
sysopt noproxyarp outside
sysopt noproxyarp inside

Two caveats before applying this. First, proxy ARP is what lets the ASA answer ARP requests for the mapped addresses of its NAT rules. With sysopt noproxyarp outside the ASA only answers for the interface's own address, so NAT to any other address in the /29 keeps working only if the ISP router has a route for that address pointing at the ASA's outside interface address. If only some NAT rules should stop proxy ARPing, the per-rule no-proxy-arp keyword of the nat command (ASA 8.3 and later) is the more precise tool. Second, the ISP router keeps the stale entries until they age out or its ARP cache is cleared (clear arp-cache on IOS), so after the change ask the ISP to clear them, or wait for the entries to expire, and then confirm that each public address maps to exactly one MAC.
