Information about arp inspection, Licensing requirements for arp inspection, Default settings – Cisco ASA 5505 User Manual
Page 182: Guidelines and limitations
4-10
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 4 Configuring the Transparent or Routed Firewall
Configuring ARP Inspection for the Transparent Firewall
Information About ARP Inspection
By default, all ARP packets are allowed through the ASA. You can control the flow of ARP packets by
enabling ARP inspection.
When you enable ARP inspection, the ASA compares the MAC address, IP address, and source interface
in all ARP packets to static entries in the ARP table, and takes the following actions:
•
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.
•
If there is a mismatch between the MAC address, the IP address, or the interface, then the ASA drops
the packet.
•
If the ARP packet does not match any entries in the static ARP table, then you can set the ASA to
either forward the packet out all interfaces (flood), or to drop the packet.
Note
The dedicated management interface, if present, never floods packets even if this parameter
is set to flood.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The attacker, however, sends another ARP response to the host with the attacker MAC address instead
of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to
the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address,
so long as the correct MAC address and the associated IP address are in the static ARP table.
Licensing Requirements for ARP Inspection
The following table shows the licensing requirements for this feature.
Default Settings
By default, all ARP packets are allowed through the ASA.
If you enable ARP inspection, the default setting is to flood non-matching packets.
Guidelines and Limitations
Context Mode Guidelines
•
Supported in single and multiple context mode.
•
In multiple context mode, configure ARP inspection within each context.
Model
License Requirement
All models
Base License.