10-11
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 10 Configuring the Transparent or Routed Firewall
Configuring ARP Inspection for the Transparent Firewall
Firewall Mode Guidelines
Supported only in transparent firewall mode. Routed mode is not supported.
Configuring ARP Inspection
This section describes how to configure ARP inspection and includes the following topics:
Task Flow for Configuring ARP Inspection, page 10-11
Adding a Static ARP Entry, page 10-11
Enabling ARP Inspection, page 10-12

Task Flow for Configuring ARP Inspection

To configure ARP Inspection, perform the following steps:
Step 1 Add static ARP entries according to the “Adding a Static ARP Entry” section on page 10-11. ARP
inspection compares ARP packets with static ARP entries in the ARP table, so static ARP entries are
required for this feature.
Step 2 Enable ARP inspection according to the “Enabling ARP Inspection” section on page 10-12.

Adding a Static ARP Entry

ARP inspection compares ARP packets with static ARP entries in the ARP table. Although hosts identify
a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet
MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends
an ARP request asking for the MAC address associated with the IP address, and then delivers the packet
to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not
have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated
whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times
out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry
must time out before it can be updated.
Note: The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the ASA,
such as management traffic.
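
The comparison that ARP inspection performs, sketched as an added Python example (not Cisco code and not part of the original guide): it parses an Ethernet/IPv4 ARP payload and checks the advertised sender IP/MAC pair against a static table. The table contents, sample packets, function names and verdict labels are constructed for illustration, and the receiving interface is not modelled.

```python
import struct

# Constructed static ARP table (IP -> MAC), standing in for the ASA's static entries.
STATIC_ARP = {"10.1.1.1": "0009.7cbe.2100", "10.1.1.20": "0050.56aa.0001"}

def norm_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff or dotted aabb.ccdd.eeff notation to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (oper 1 = request, 2 = reply)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(norm_mac(sender_mac)), ip(sender_ip),
                       bytes.fromhex(norm_mac(target_mac)), ip(target_ip))

def parse_arp(payload):
    """Extract the sender IP/MAC binding that an ARP packet advertises."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ".".join(str(b) for b in spa), sha.hex()

def inspect(payload, static_table=STATIC_ARP):
    """Classify a packet as 'match', 'mismatch', 'no-entry' or 'malformed'."""
    try:
        ip, mac = parse_arp(payload)
    except ValueError:
        return "malformed"
    table = {k: norm_mac(v) for k, v in static_table.items()}
    if table.get(ip) == mac:
        return "match"
    # Assumption: an IP or MAC that is listed but paired differently is a mismatch.
    if ip in table or mac in table.values():
        return "mismatch"
    return "no-entry"

if __name__ == "__main__":
    samples = [  # constructed ARP replies
        build_arp(2, "00:09:7c:be:21:00", "10.1.1.1", "00:50:56:aa:00:01", "10.1.1.20"),
        build_arp(2, "00:11:22:33:44:55", "10.1.1.1", "00:50:56:aa:00:01", "10.1.1.20"),
        build_arp(2, "00:11:22:33:44:55", "10.1.1.99", "00:50:56:aa:00:01", "10.1.1.20"),
    ]
    for p in samples:
        print(parse_arp(p), inspect(p))
```
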
Detailed Steps
Step 1 Choose the Configuration > Device Management > Advanced > ARP > ARP Static Table pane.
Step 2 (Optional) To set the ARP timeout for dynamic ARP entries, enter a value in the ARP Timeout field.
This field sets the amount of time before the ASA rebuilds the ARP table, between 60 and 4294967
seconds. The default is 14400 seconds. Rebuilding the ARP table automatically updates new host
information and removes old host information. You might want to reduce the timeout if the host
information changes frequently.
Step 3 Click Add.