https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096029#M133202 <P>Hi Dustin,</P> <P></P> <P>Any reason to turn off this feature.</P> <P></P> <P><SPAN>Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The adaptive security appliance uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the adaptive security appliance interface. <STRONG>The only way traffic can reach the hosts is if the adaptive security appliance uses proxy ARP to claim that the adaptive security appliance MAC address is assigned to destination mapped addresses.</STRONG></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/route_overview.html#wp1106863</SPAN></P> <P><SPAN></SPAN></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 17 Aug 2017 11:18:55 GMT Aditya Ganjoo 2017-08-17T11:18:55Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096028#M133200 <P>I have an ASA interface in which Proxy Arp is still enabled for some reason. If I turn this off for this interface, will there be any type of down time for resources or blips when this is done?</P> Tue, 12 Mar 2019 09:50:18 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096028#M133200 Dustin Flint 2019-03-12T09:50:18Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096029#M133202 <P>Hi Dustin,</P> <P></P> <P>Any reason to turn off this feature.</P> <P></P> <P><SPAN>Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The adaptive security appliance uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the adaptive security appliance interface. <STRONG>The only way traffic can reach the hosts is if the adaptive security appliance uses proxy ARP to claim that the adaptive security appliance MAC address is assigned to destination mapped addresses.</STRONG></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/route_overview.html#wp1106863</SPAN></P> <P><SPAN></SPAN></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 17 Aug 2017 11:18:55 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096029#M133202 Aditya Ganjoo 2017-08-17T11:18:55Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096030#M133203 <P>Yes, proxy arp has caused problems for us in the past. It mainly causes problems when trying to reach devices.</P> <P>For example, I have an ME3800 switch I cant reach via ssh. I could 2 weeks go, up until I put another switch in, then I could no longer reach the 3800. They have different ip addresses, but when you do an arp lookup, they both show as having the same arp address. This has caused us huge problems in the past, especially in our virtual environment.</P> <P></P> <P>Also, most engineers I have talked to said if proxy arp is on by default when ever they are deploying new equipmnet, the first thing they do is turn it off.</P> Thu, 17 Aug 2017 11:43:23 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096030#M133203 Dustin Flint 2017-08-17T11:43:23Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096031#M133204 <P>Hi,</P> <P></P> <P>If that's the issue you can turn off the proxy-arp on that interface.</P> <P></P> <P>Also, the switch you were not able to reach through SSH, does it have any NAT on the ASA?</P> <P></P> <P>If yes, you can disable proxy-arp on the particular NAT statement.</P> <P></P> <P></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 17 Aug 2017 14:01:40 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096031#M133204 Aditya Ganjoo 2017-08-17T14:01:40Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096032#M133205 <P>I dont need NAT on the interface for switch I am going too. I am trying to reach via the local subnet, so the traffic shouldnt pass through firewall. Thats where the problem of the firewall interface showing as the arp address for that device comes into play.</P> Thu, 17 Aug 2017 14:04:44 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096032#M133205 Dustin Flint 2017-08-17T14:04:44Z https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096033#M133206 <P>Hi,</P> <P></P> <P>In that case, you can turn off this feature.</P> <P></P> <P>Just to emphasize the role of Proxy-ARP on ASA:</P> <P></P> <P>When you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface i.e. static (<G class="gr_ gr_408 gr-alert gr_gramm gr_inline_cards gr_run_anim Style replaceWithoutSep" id="408" data-gr-id="408">DMZ,inside</G>) for example. The moment you disable proxy arp, the firewall will stop proxy-<G class="gr_ gr_285 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" id="285" data-gr-id="285">arping</G> for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATTED IP of the DMZ server.</P> <P></P> <P>Reference:</P> <P>https://supportforums.cisco.com/discussion/10942001/cisco-asa-arp-poison</P> <P></P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 17 Aug 2017 14:38:15 GMT https://community.cisco.com/t5/network-security/disbling-proxy-arp/m-p/3096033#M133206 Aditya Ganjoo 2017-08-17T14:38:15Z