# Cisco ASA mac address on Servers and Switches!!!



## murewa (Oct 18, 2011)

Hi 

I am having some challenges on my DMZ network. My servers and Cisco switches in the DMZ are picking up the MAC address of the firewall (Cisco ASA).

I have put some static ARP entries on the firewall and switches, but the servers and users on the DMZ are still receiving the MAC address of the firewall.

How can I stop the firewall from changing the MAC addresses of the devices on the network?

My ASA is a 5520 and I have 2960 switches.


----------



## Wand3r3r (Sep 17, 2010)

Not possible, so you have to be misinterpreting the info.
You could easily confirm this by going to the server or workstation and doing an ipconfig /all, then note the physical address.

If you are viewing this info in a switch and that switch is trunked with the devices on the other end of the trunk, you will only get the trunk MAC associated with those devices. You have to go to the switch they are connected to to get the correct MAC address info.


----------



## murewa (Oct 18, 2011)

It's happening. We have been entering static ARP entries daily. First we notice that our server will be failing to ping a local device on the same subnet. After checking the ARP entries on the server, that's when we will notice the MAC address of the firewall mapped against the server IP.


----------



## Wand3r3r (Sep 17, 2010)

"We have been entering static arp entries daily"

You should not be doing that. Between that and your DNS server configuration, I suspect you are poisoning ARP.

"How can i stop the Firewall from changing the mac addresses of the devices on the network."

You do understand MAC addresses are burned into the hardware? They are not dynamic.

Let's see an arp -a from the server and a workstation for review.


----------



## Signify (Jan 6, 2012)

A faulty config in the ASA combined with proxy ARP could generate this behaviour. If the ASA "thinks" it needs to do local proxy ARP on the DMZ interface, you will get the ASA's interface MAC as the reply to an ARP request.

Normally the ASA does proxy ARP by design for NATed addresses.
Example: a server on the inside, 192.168.1.10, is NATed to 10.10.10.10 on the outside. If a device on the outside interface ARP requests the MAC for 10.10.10.10, the ASA sends its own outside MAC address as a reply.

Check your ASA config.


----------
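A quick way to collect the evidence Wand3r3r asks for and to spot the symptom Signify describes, as an added example that is not from any poster in this thread: it parses Windows `arp -a` output from a DMZ host and lists every neighbour whose ARP entry carries the gateway's (the ASA DMZ interface's) MAC. The sample output, IP addresses and MACs below are constructed, and the function and variable names are mine.

```python
import re

# Constructed sample of Windows "arp -a" output from a DMZ server (not from the thread).
# 10.10.10.1 is the ASA's DMZ interface; 10.10.10.20 is a neighbouring server whose
# entry has been overwritten with the firewall's MAC, the symptom the thread describes.
SAMPLE_ARP = """\
Interface: 10.10.10.5 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-1a-2b-3c-4d-5e     dynamic
  10.10.10.20           00-1a-2b-3c-4d-5e     dynamic
  10.10.10.21           00-50-56-aa-bb-cc     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One "arp -a" row: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return {ip: mac} for the unicast entries of Windows 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header, "Interface:" line or blank line
        ip, mac = m.group(1), m.group(2).lower()
        # Skip broadcast (ff-ff-...) and multicast (01-00-5e-...) rows:
        # the group bit is the low bit of the first octet.
        if int(mac.split("-")[0], 16) & 1:
            continue
        table[ip] = mac
    return table


def ips_answered_by(table, gateway_ip):
    """IPs other than the gateway whose ARP entry carries the gateway's MAC.

    Any hit means ARP requests for that host are being answered with the
    firewall's interface MAC (proxy ARP / NAT overlap), which is what the
    original poster is seeing.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)
```

Run it against the real `arp -a` output of the affected server with the ASA's DMZ interface address as `gateway_ip`; a non-empty result is the list of hosts to check against the ASA's NAT and proxy-ARP configuration.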

