
Hello, Habr! In the previous part of this article we examined how ARP behaves on Cisco routers in connection with NAT rules and the Proxy ARP feature. In this post I will try to explain how ARP differs between Cisco routers and Cisco ASA firewalls. At the end of the article I will share several interesting cases from practice related to ARP.
NAT and Proxy ARP on Cisco ASA firewalls
The behaviour of Cisco ASA firewalls with respect to ARP for NAT rules and Proxy ARP differs from that of Cisco routers. By default, when NAT rules are configured on a Cisco ASA, the device answers ARP requests that match the inside global address of a NAT rule. This behaviour does not depend on whether the inside global IP address belongs to the IP subnet of an ASA interface. The behaviour is governed by the sysopt noproxyarp <interface name> option.
Consider an example based on the following simple topology.

Cisco ASA interface settings:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.18.0.1 255.255.255.0
NAT rule and access list settings for the outside interface:
object network TEST-PC-tcp3389
 host 192.168.20.5
 nat (inside,outside) static 198.18.99.2 service tcp 3389 3389
access-list acl-outside-in extended permit tcp any object TEST-PC-tcp3389 eq 3389
access-group acl-outside-in in interface outside
As these settings show, we publish TCP port 3389 (RDP) under the address 198.18.99.2, which does not belong to the IP subnet of a Cisco ASA interface.
Check the sysopt noproxyarp option:
asa# sh run all sysopt
. . .
no sysopt noproxyarp inside
no sysopt noproxyarp outside
The option is not set (noproxyarp is not enabled). Let's try to open TCP port 3389 on the address 198.18.99.2 while watching a sniffer at the same time.

Success: the Cisco ASA answers the ARP request and the port opens.
Now let's set the sysopt noproxyarp outside option, clear the ARP cache on the computer connected to the outside interface, and try to open the port again.


The ASA no longer answers ARP requests for the target IP address. It makes no difference whether the target IP address is in the IP subnet of the ASA interface. With the sysopt noproxyarp option set, the ASA answers only ARP requests addressed to the IP address of its own interface.
Do not equate the ip proxy-arp interface setting on routers with the sysopt noproxyarp option on the Cisco ASA. The Cisco ASA option is not about proxying ARP requests through the firewall. It only governs ARP replies for the inside global IP addresses of NAT rules and for static entries in the ASA ARP table configured with the alias keyword.
Secondary IP address on the ASA
In some cases the ARP reply function has to be disabled for specific NAT rules. The no-proxy-arp keyword in the NAT settings does this. The most common example is configuring a NAT exemption when using VPN on a Cisco ASA. Suppose the local network behind the Cisco ASA is 192.168.20.0/24 and the local network on the remote side of the site-to-site VPN is 192.168.30.0/24. The NAT exemption for this VPN can be configured as follows:
object network local-LAN
 subnet 192.168.20.0 255.255.255.0
object network remote-LAN
 subnet 192.168.30.0 255.255.255.0
nat (any,any) source static local-LAN local-LAN destination static remote-LAN remote-LAN
This configuration tells the Cisco ASA that the local-LAN IP subnet 192.168.20.0/24 is published in its entirety, on every Cisco ASA interface (any,any in the NAT rule), under inside global addresses from the same local-LAN IP subnet. With this configuration the Cisco ASA therefore answers any ARP request for a target IP address in the 192.168.20.0/24 subnet, received on any interface, including the inside interface.
Imagine that the host 192.168.20.5 contacts the host 192.168.20.6 in the same IP subnet. An ARP request is generated for the target address 192.168.20.6. The ARP request is broadcast and reaches both the target host and the inside interface of the Cisco ASA. Because of the configured NAT rule, the Cisco ASA answers the ARP request with its own MAC address. If the ARP reply from the Cisco ASA arrives before the reply from the target host, all traffic destined for the target host is sent to the Cisco ASA, where it is dropped.
In this example the Cisco ASA acts as a "black hole" for the local IP subnet and "sucks in" all of its traffic. The policy NAT elements (the NAT settings after the destination static keywords) do not save the situation. Compared with a router, this Cisco ASA configuration is effectively similar to configuring ip proxy-arp together with ip local-proxy-arp on a router interface. To avoid this effect, add the no-proxy-arp keyword to the NAT rule on the Cisco ASA:
nat (any,any) source static local-LAN local-LAN destination static remote-LAN remote-LAN no-proxy-arp
Note: the effect described can also be avoided by specifying exact interfaces in the NAT rule instead of the any keyword. For example, nat (inside,outside) ...
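An added example, not part of the original article: a small Python audit that scans ASA configuration text for identity (exemption) twice-NAT rules that still answer ARP for the whole local subnet. The sample configuration is constructed from the rules above, and flagging every such rule that uses an any interface without no-proxy-arp is an assumption derived from the two remedies the article names.

```python
import ipaddress
import re

# Constructed sample: the NAT exemption from the article, the corrected rule,
# and an interface-specific variant (the last rule is an assumed illustration).
SAMPLE_CONFIG = """\
object network local-LAN
 subnet 192.168.20.0 255.255.255.0
object network remote-LAN
 subnet 192.168.30.0 255.255.255.0
nat (any,any) source static local-LAN local-LAN destination static remote-LAN remote-LAN
nat (any,any) source static local-LAN local-LAN destination static remote-LAN remote-LAN no-proxy-arp
nat (inside,outside) source static local-LAN local-LAN destination static remote-LAN remote-LAN
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$")

def parse_objects(config):
    """Map each 'object network' name to the subnet defined under it."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.strip().startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif not line.startswith(" "):
            current = None  # left the object's sub-command block
    return objects

def risky_identity_nat(config):
    """Return (rule, subnet) for identity NAT rules that keep ARP replies on
    and name 'any' as an interface, so the ASA answers ARP for the subnet."""
    objects = parse_objects(config)
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m or m["real"] != m["mapped"]:
            continue  # not a twice-NAT identity (exemption) rule
        uses_any = "any" in (m["real_if"], m["mapped_if"])
        if uses_any and "no-proxy-arp" not in m["rest"].split():
            findings.append((line, objects.get(m["real"])))
    return findings

if __name__ == "__main__":
    for rule, subnet in risky_identity_nat(SAMPLE_CONFIG):
        print(f"ARP replies enabled for {subnet}: {rule}")
```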
Summary
Before moving on to the cases from practice, let me highlight the main points of the second part of the article.
- By default the Cisco ASA answers ARP requests for the inside global IP addresses of NAT rules, regardless of whether they belong to the IP subnet of an interface. This behaviour is controlled by the sysopt noproxyarp <interface name> option.
- On the Cisco ASA, ARP replies can be disabled for a specific NAT rule with the no-proxy-arp keyword. For NAT exemption rules in particular, ARP replies need to be disabled to avoid communication problems on the local network.
- Proxy ARP functionality is not configured explicitly on the Cisco ASA, but the required effect can be achieved with NAT rules.
So, the cases from practice. I should say right away that all of the problems described arose when my colleagues or I connected new Cisco network equipment to Internet providers. In our experience this is the scenario that most often comes with ARP problems.
Case 1. Secondary IP address at the provider
We connected a Cisco ASA firewall to a provider. The connection succeeded and all services worked normally. After some time, however, connectivity was lost. A closer analysis showed that when we initiate outgoing connections, everything works stably (traffic flows in both directions). The problem occurs only with incoming connections from the Internet (for example, a remote connection to the router). There is a direct dependency of incoming connections on outgoing ones: when there are outgoing connections, incoming connections start to work correctly. After a while, though, it is again impossible to connect remotely or to ping the device from the Internet.
The physical and data link layers were most likely fine, so we started checking how ARP was working. We started debug arp on the ASA and tried clearing the ARP cache. The debug messages showed that the ASA sends its ARP request correctly and receives an ARP reply from the provider without any problem. In this example the ASA's IP address is 80.XX4 and its MAC address is a0ec.****.****; the provider gateway's IP address is 80.XX1 and its MAC address is aa43.****.****:
arp-send: arp request built from 80.XX4 a0ec.****.**** for 80.XX1 at 978772020
arp-refresh: Trying to refresh ARP for outside 80.XX1
arp-in: response at outside from 80.XX1 aa43.****.**** for 80.XX4 a0ec.****.**** having smac aa43.****.**** dmac a0ec.****.****
arp-set: added arp outside 80.XX1 aa43.****.**** and updating NPs at 978772020
arp-in: resp from 80.XX1 for 80.XX4 on outside at 978772020
After a while, however, the following messages appeared in debug arp on the ASA:
arp-in: request at outside from 195.YY1 aa43.****.**** for 80.XX4 0000.0000.0000 having smac aa43.****.**** dmac ffff.ffff.ffff
arp-in: Arp packet received from 195.YY1 which is in different subnet than the connected interface 80.XX4/255.255.255.0
Judging by this message, the ASA receives an ARP request with a valid sender MAC address, aa43.****.****, but an invalid sender IP address, 195.YY1. The ASA discards this invalid ARP request and sends no ARP reply.
So when there is outgoing traffic, the ASA sends an ARP request to the provider (as needed, when the corresponding entry in the ASA ARP table has to be refreshed) and receives an ARP reply. Thanks to the ARP request from the ASA, the provider's equipment also gets an entry for the ASA in its ARP table. But when there is no outgoing traffic from the ASA for a long time and the ASA sends no ARP requests, the entry for the ASA expires in the ARP table of the provider's equipment. The provider's equipment tries to refresh the entry by sending an ARP request but receives no reply. This is where the intermittent connectivity problems come from.
It remained to understand why the provider's equipment sends ARP requests with the wrong sender IP address. Later the provider checked the situation on its side and showed a dump of ARP traffic that confirmed the ASA debug messages:
324: 22:03:41.056546 802.1Q vlan#2 P0 arp who-has 80.XX4 tell 195.YY1
325: 22:03:41.937329 802.1Q vlan#2 P0 arp who-has 80.XX4 tell 195.YY1
326: 22:03:42.822909 802.1Q vlan#2 P0 arp who-has 80.XX4 tell 195.YY1
It turned out that on the provider's interface the address 195.YY1 was configured as primary and the IP address 80.XX4 (the default gateway) was configured as secondary. This configuration fully explained the situation. In this case the problem was solved by adding a static ARP entry on the provider's equipment.
Exactly the same situation occurred at another site when we connected to a provider with a Cisco router. On the provider's equipment the gateway was likewise configured as a secondary IP address. In that case, to speed up the resolution, we added a secondary IP address on the router from the same subnet as the primary IP address of the provider's interface. After that the router began answering the provider's ARP requests normally, because the interface now had an IP address from the same subnet as the address in the ARP request.
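An added example, not part of the original article: a Python check that reads capture lines in the format of the dump in Case 1 and counts ARP requests for our own address whose sender IP lies outside the connected subnet, which is the condition under which the ASA dropped the requests. The capture is constructed, and because the article masks its addresses, documentation ranges (203.0.113.0/24 and 198.51.100.0/24) stand in for them.

```python
import ipaddress
import re

# Constructed capture lines; the addresses are placeholders, not the article's.
SAMPLE_CAPTURE = """\
324: 22:03:41.056546 802.1Q vlan#2 P0 arp who-has 203.0.113.4 tell 198.51.100.1
325: 22:03:41.937329 802.1Q vlan#2 P0 arp who-has 203.0.113.4 tell 198.51.100.1
326: 22:03:42.822909 802.1Q vlan#2 P0 arp who-has 203.0.113.4 tell 203.0.113.1
327: 22:03:43.100000 802.1Q vlan#2 P0 arp who-has 203.0.113.9 tell 198.51.100.1
"""

WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")

def off_subnet_requests(capture, interface):
    """Count, per sender IP, the ARP requests for our interface address that
    come from a sender outside the connected subnet (dropped in Case 1)."""
    iface = ipaddress.ip_interface(interface)
    senders = {}
    for line in capture.splitlines():
        m = WHO_HAS.search(line)
        if not m:
            continue  # not an ARP request line
        target, sender = (ipaddress.ip_address(a) for a in m.groups())
        # Only requests for our own address matter; an in-subnet sender is fine.
        if target == iface.ip and sender not in iface.network:
            senders[str(sender)] = senders.get(str(sender), 0) + 1
    return senders

if __name__ == "__main__":
    # Interface address and mask of the outside interface (placeholder values).
    for sender, count in off_subnet_requests(SAMPLE_CAPTURE, "203.0.113.4/24").items():
        print(f"{count} ARP request(s) from off-subnet sender {sender}")
```

A non-empty result points to a peer whose primary address is in a different subnet from the one it routes for you.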
Case 2. ARP incompatibility
At one of our offices we were replacing a Cisco ISR with a Cisco ASA firewall. The ASA firewall was preconfigured and shipped to the installation site. After it was connected to the provider, it turned out that the Cisco ASA could not be reached for remote connections. At first glance everything on the device worked correctly. The ASA firewall correctly determined the MAC address of the provider's router using the standard ARP request / ARP reply procedure. Packets left the device's outside interface towards the Internet. Yet nothing came back to the ASA in the opposite direction. This was recorded with the built-in packet capture tool.
After we contacted the provider, it turned out that packets from the ASA were reaching the provider's equipment successfully, and the provider also saw the reply packets from its upstream equipment. Once the router was reconnected, traffic again flowed correctly in both directions. This meant the problem was somewhere at the junction between the provider and the ASA firewall. After we contacted the provider again with a detailed description of the problem, it was determined that the provider's equipment did not see the MAC address of the ASA firewall. A lab test bench we assembled confirmed that the ASA was working correctly (a Cisco router played the role of the provider). For some reason the provider's device did not record the ASA in its ARP table after receiving an ARP reply from the ASA. Most interestingly, ARP requests from the Cisco ASA were not discarded. The provider's equipment answered ARP requests from the ASA correctly but still did not add an entry for the ASA to its ARP table.
In the end the provider was asked to create a static binding in its ARP table. This case showed an ARP incompatibility between the provider's equipment and the Cisco ASA firewall. Unfortunately, the provider did not disclose the manufacturer of its equipment.
Case 3. Gratuitous ARP
Once again we are connecting a Cisco ASA to a provider, this time in place of an MS TMG server. What is particular about this case is that the MS TMG was connected to the provider's device through an L2 switch. The ASA was also to be connected through the L2 switch.

So we disconnect the MS TMG and connect the Cisco ASA in its place, to the same port of the L2 switch. We see the familiar picture: traffic leaves the outside port of the Cisco ASA, but there are no reply packets. After we contacted the provider, it turned out that the provider's equipment still saw the MAC address of the MS TMG server behind the IP address that had been handed over to the Cisco ASA.
Further investigation showed that the Cisco ASA firewall does not send a Gratuitous ARP message when an interface goes from the DOWN state to the UP state. And because the provider's equipment is connected through an L2 switch, the link to the provider does not go down when the device is swapped on our side, so the interface of the provider's router stays up the whole time. The only way to tell the provider promptly that the device and its MAC address have changed is Gratuitous ARP. Otherwise you have to wait for the ARP entry on the provider's side to time out, which is usually 4 hours.
In this case, after we ran the commands no ip address and ip address xxxx yyyy on the Cisco ASA interface, the ASA did send a Gratuitous ARP and everything started working.
Conclusion
In this two-part article I tried to examine the subtleties of ARP on Cisco equipment when network address translation (NAT) and the Proxy ARP feature are in use. We looked at how ARP differs between Cisco routers and Cisco ASA firewalls. At the end of the article we examined problems caused by ARP behaviour that arose when connecting to Internet providers.
The cases described show how important it is to remember to check ARP when troubleshooting and resolving network problems. I hope this article helps you understand ARP more deeply.
I look forward to your comments. Perhaps someone can share their own interesting cases related to ARP.