EasyManuals Logo
Home>Cisco>Firewall>5510 - ASA SSL / IPsec VPN Edition

Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

Cisco 5510 - ASA SSL / IPsec VPN Edition
1822 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #154 background imageLoading...
Page #154 background image
5-8
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 5 Configuring the Transparent or Routed Firewall
Configuring ARP Inspection for the Transparent Firewall
Configuring ARP Inspection for the Transparent Firewall
This section describes ARP inspection and how to enable it and includes the following topics:
Information About ARP Inspection, page 5-8
Licensing Requirements for ARP Inspection, page 5-8
Default Settings, page 5-9
Guidelines and Limitations, page 5-9
Configuring ARP Inspection, page 5-9
Feature History for ARP Inspection, page 5-11
Information About ARP Inspection
By default, all ARP packets are allowed through the adaptive security appliance. You can control the
flow of ARP packets by enabling ARP inspection.
When you enable ARP inspection, the adaptive security appliance compares the MAC address, IP
address, and source interface in all ARP packets to static entries in the ARP table, and takes the
following actions:
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.
If there is a mismatch between the MAC address, the IP address, or the interface, then the adaptive
security appliance drops the packet.
If the ARP packet does not match any entries in the static ARP table, then you can set the adaptive
security appliance to either forward the packet out all interfaces (flood), or to drop the packet.
Note The dedicated management interface, if present, never floods packets even if this parameter
is set to flood.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The attacker, however, sends another ARP response to the host with the attacker MAC address instead
of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to
the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address,
so long as the correct MAC address and the associated IP address are in the static ARP table.
Licensing Requirements for ARP Inspection
The following table shows the licensing requirements for this feature.
Model License Requirement
All models Base License.

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Preview: Cli Configuration Guide
Cli Configuration Guide2164 pages
Preview: Hardware Installation Guide
Hardware Installation Guide82 pages
Preview: Getting Started Guide
Getting Started Guide208 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals