2.2 Ensure 'noproxyarp' is enabled for untrusted interfaces

Information

Disables the Proxy-ARP function on untrusted interfaces

Rationale:

The ASA replies to ARP requests performed to IP addresses belonging to its interfaces' subnets and also to global IP addresses in some NAT configurations. Where the appliance is not asked to be a proxy for ARP requests, the Proxy-ARP function should be disabled especially on untrusted interfaces since attackers can act as legitimate devices by spoofing their IP addresses, perform ARP requests thus receiving packets intended to them.

Solution

* Step 1: Acquire the name of the untrusted interface <untrusted_interface_name>
* Step 2: Run the following command to disable the Proxy-ARP on the untrusted interface.

HOSTNAME(CONFIG)# SYSOPT NOPROXYARP _<untrusted_interface_name> _

See Also

https://workbench.cisecurity.org/files/1903

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6

Plugin: Cisco

Control ID: 457127c98adf688f6b2ce98e26125b6499382f10730c954d367707887b08ab10