ISA 2006 & routers - how to add a static ARP entry

Posted on 2012-09-10
Last Modified: 2012-10-15
Hi, I've been reading about ISA 2006 and securing the deployment:

Note: the comments below are what I found in the above 'URL' and I would appreciate some advice!!

"To help protect from man-in-the-middle attacks on the Address Resolution Protocol (ARP) cache, we recommend that you place a router before the ISA Server computer. This is because ARP packets cannot be routed through a router. When ISA Server shares a physical network with an untrusted network, we recommend that you configure ISA Server to perform static ARP. For optimal security, we recommend that you add a static ARP entry for the default gateway and on other hosts on the same physical network."

Note: my internal network, separated via ISA 2006/internal (member server), is using a 'class A' address, i.e. 10.0.0.x/23.

Note: I currently have no 'site-to-site VPNs'/branch offices or anything like that, as I just use ISA as the firewall to protect internal domain users, although I may add a remote VPN for those users wishing to work from home, but at the moment it is not added yet.

Qns1. My network is in a 'domain' (not a 'workgroup'), so I'm not sure if adding a router behind the ISA 2006 server is relevant, as suggested below, until I read the above URL, but I would like to know the answer?


Regarding the comments below, I already have a single Cisco switch for my internal LAN and at the moment I have not added the following, but I am not sure if this relates to (qns2) below?

"Protect against layer 2 attacks by deploying security solutions such as layer 2 ISA and static MAC or port associations on switches."

int fa0/1
switchport mode access - added
spanning-tree portfast - added
switchport port-security - not added yet
switchport port-security maximum 1 - not added yet
switchport port-security mac-address xxxx.xxxx.xxxx - not added yet, as what MAC?
no shut

Note: the above will obviously relate to the specific PC or server plugged in, for example.


The paragraph below instructs that instead of an internal network directly connected to the ISA/internal NIC, I should put a (router) before the ISA/internal NIC, and as a result, for optimal security, I should add 'a static ARP entry for the default gateway and on other hosts'. If so, is the below correct?

Step 1

arp -s nnn.nnn.nnn.nnn ee-ee-ee-ee-ee-ee
(where the n's are the IP address and the e's are the Ethernet MAC address)

e.g. in a console prompt on the ISA Server, enter the following:

arp -s a3-00-92-b3-c3-33 - should this be the router interface???


Step 2.

Also, if you set up static ARP entries, they do not persist across reboots, so you need to put the arp commands into a batch file and run them as part of the machine's startup script?

Note: if I add a router this would mean I would then have not 2 but 3 separate subnets, i.e. 1 connecting the internal network to 'int fa0/0' for example, 'fa0/1' connecting to the ISA/internal NIC, and 1 allocated via my 'ISP' as the ISA/external public IP address!
Question by:mikey250
    LVL 35

    Assisted Solution

    "When ISA Server shares a physical network with an untrusted network"
    The definition of untrusted network is the external network. I.e. you have 8 external IP addresses; they are external and share their network with all other external addresses.
    They are talking about additional servers, which are in this 8 IP address range, not about internal addresses.

    You can use arp -a to see the actual ARP table on your ISA.
    You may recognize that the default gateway is dynamic.
    The article stated to make it static.
    You can do this by
    arp -s externalGatewayIP externalMAC
    arp -s 00-12-34-AB-12-34

    In a router scenario it looks like
    external - router - ISA - internal network

    In this situation, an external attacker cannot compromise ARP records... (as not routable)

    In a direct Internet connection
    external - ISA - internal network
    In this situation, an attacker could compromise the dynamic ARP record, i.e. to redirect traffic.
    In this situation, making it static can make sense.

    Nevertheless, in most cases you have a router to the outside world; at least you need an endpoint device between your external interface and the ISP.
    And this is usually a router.

    As I stated, the ISA default gateway points to an external address...
    Do not care at all what is used inside.
    (As long as you do not assume an inside hacker)

    This is not quite true, at least not in this passage.
    ...instructs that instead of an internal network directly connected to the ISA/internal NIC...
    They are talking about the "untrusted network". I cannot find any part in the article where such an instruction is given.
    For arp syntax, see the above...

    Yes, a batch file can help to reset it.
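
    Added example (not from the poster or the expert above): the asker's step 1/step 2 and the answer's "use arp -a ... the default gateway is dynamic" both come down to one check, so this Python script parses Windows-style arp -a output, reports whether the external gateway's entry is still dynamic or resolves to an unexpected MAC, and produces the arp -s line a startup batch file would run. The gateway address 192.0.2.1 and the MAC addresses are constructed placeholders, not the asker's real values.

```python
import re

# Constructed sample of Windows "arp -a" output (not captured from a real ISA Server).
# 192.0.2.1 plays the external default gateway and is still a dynamic entry here;
# 192.0.2.20 has already been pinned with "arp -s".
SAMPLE_ARP_A = """\
Interface: 192.0.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.0.2.20            00-aa-bb-cc-dd-20     static
  192.0.2.1             00-12-34-ab-12-34     dynamic
"""

# One ARP table row: dotted IPv4, dash-separated MAC, and the Windows Type column.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(static|dynamic)\s*$"
)


def parse_arp_table(text):
    """Return {ip: (mac, type)} parsed from the text of 'arp -a' (Windows format)."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def check_gateway(table, gateway_ip, expected_mac):
    """Classify the gateway's ARP entry against the MAC you know the router has."""
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing"          # nothing cached yet; pin it before traffic flows
    mac, kind = entry
    if mac != expected_mac.lower():
        return "mac-mismatch"     # gateway resolves to a MAC you did not expect
    if kind != "static":
        return "dynamic"          # still replaceable by a spoofed ARP reply
    return "ok"


def arp_s_command(gateway_ip, expected_mac):
    """The 'arp -s' line a startup batch file would run to pin the entry."""
    return "arp -s %s %s" % (gateway_ip, expected_mac.lower())


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    status = check_gateway(table, "192.0.2.1", "00-12-34-AB-12-34")
    print("gateway entry:", status)
    if status != "ok":
        print("run at startup:", arp_s_command("192.0.2.1", "00-12-34-AB-12-34"))
```

    On the server itself the sample text would be replaced by the output of arp -a, and the arp -s line belongs in the startup batch file the asker mentions, since static entries do not survive a reboot.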

    Author Comment

    Hi bembi, thanks for that advice!!!

    Q1 - you state '8 external IP addresses'; from where?
    LVL 35

    Accepted Solution

    Q1: This is just an example of what is meant by "untrusted network".
    If you have more than one IP address, you can add servers to these IP addresses, which are then directly accessible over the Internet.
    If you have only one IP address from your provider, only this IP (and the Internet itself, of course) is the "untrusted network".

    So your internal network (behind ISA) is trusted (as it is your own) and there is usually no reason to lock it down.

    The only question left is whether there is a need to lock the external interface.
    If you have an endpoint device (router) from your provider, there is usually no need.

    Author Comment

    Hi bembi, ok thanks for that!!!! :)

    Author Closing Comment

    Sound advice!!!! Appreciated.
