2.2 Ensure 'noproxyarp' is enabled for untrusted interfaces

Information

Disables the Proxy-ARP function on untrusted interfaces

Rationale:

The ASA replies to ARP requests for IP addresses belonging to its interfaces' subnets and, in some NAT configurations, for global IP addresses as well. Where the appliance is not required to proxy ARP requests, the Proxy-ARP function should be disabled, especially on untrusted interfaces, because an attacker can impersonate a legitimate device by spoofing its IP address and issuing ARP requests, thereby receiving packets intended for that device.

Solution

Step 1: Acquire the name of the untrusted interface <untrusted_interface_name>

Step 2: Run the following command to disable the Proxy-ARP on the untrusted interface.

hostname(config)# sysopt noproxyarp <untrusted_interface_name>
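The two steps above can be checked offline against a saved `show running-config` before and after remediation. The following Python script is an added example (not part of the CIS benchmark or the Tenable audit plugin): it parses interface blocks to map each `nameif` to its `security-level`, collects the `sysopt noproxyarp` lines already present, reports which of the named untrusted interfaces still lack the setting, and prints the exact remediation commands. The sample configuration is constructed, and the `candidate_untrusted` helper's rule that a security-level at or below 50 marks an interface as untrusted is an assumption of this example, not a rule stated by the benchmark; the benchmark leaves that choice to the operator (Step 1).

```python
import re
from typing import Dict, List, Set

# Constructed sample of ASA running-config output (not captured from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
sysopt noproxyarp outside
"""

SYSOPT_RE = re.compile(r"^sysopt noproxyarp (\S+)\s*$", re.MULTILINE)


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking 'interface ... !' blocks."""
    interfaces: Dict[str, int] = {}
    name, level = None, None
    for line in config.splitlines():
        if line.startswith("interface ") or line.strip() == "!":
            # A new block header or block terminator closes the previous block.
            if name is not None:
                interfaces[name] = level
            name, level = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
    if name is not None:  # config without a trailing '!'
        interfaces[name] = level
    return interfaces


def noproxyarp_interfaces(config: str) -> Set[str]:
    """Interfaces on which Proxy-ARP is already disabled via 'sysopt noproxyarp'."""
    return {m.group(1) for m in SYSOPT_RE.finditer(config)}


def candidate_untrusted(config: str, max_level: int = 50) -> List[str]:
    """Assumption of this example: security-level <= max_level means untrusted."""
    return [n for n, lvl in parse_interfaces(config).items() if lvl is not None and lvl <= max_level]


def audit_noproxyarp(config: str, untrusted: List[str]) -> Dict[str, bool]:
    """Return {interface: compliant} for each named untrusted interface (Step 1 input)."""
    known = parse_interfaces(config)
    disabled = noproxyarp_interfaces(config)
    result: Dict[str, bool] = {}
    for iface in untrusted:
        if iface not in known:
            raise ValueError(f"unknown nameif in config: {iface}")
        result[iface] = iface in disabled
    return result


def remediation_commands(config: str, untrusted: List[str]) -> List[str]:
    """The Step 2 commands still needed for non-compliant untrusted interfaces."""
    return [f"sysopt noproxyarp {iface}"
            for iface, ok in audit_noproxyarp(config, untrusted).items() if not ok]


if __name__ == "__main__":
    untrusted = candidate_untrusted(SAMPLE_CONFIG)
    for iface, ok in audit_noproxyarp(SAMPLE_CONFIG, untrusted).items():
        print(f"{iface}: {'PASS' if ok else 'FAIL'}")
    for cmd in remediation_commands(SAMPLE_CONFIG, untrusted):
        print(f"hostname(config)# {cmd}")
```

Run it against a real saved configuration by replacing `SAMPLE_CONFIG` with the file contents; in the constructed sample, `outside` passes because the `sysopt noproxyarp outside` line is present, while `dmz` fails and the script emits the single remediation command for it.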

Default Value:

Proxy-ARP is enabled by default

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-2(1), 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, CSCv7|11.1

Plugin: Cisco

Control ID: 1c12735824fc1679c2b864dfadac5a0cfc531381d457c93ce9fec1f21fa9f486