https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793667#M160006 <P>You configure NAT so that&nbsp;<SPAN>200.1.1.4 &amp; 200.1.1.5 are translated to the inside IP addresses of your server.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>When the router wants to forward a packet to&nbsp;<SPAN>200.1.1.4 or 200.1.1.5 it will send an ARP query and your firewall will respond, since it has a matching NAT entry configured.</SPAN></SPAN></P> Fri, 05 Feb 2016 08:04:00 GMT Philip D'Ath 2016-02-05T08:04:00Z https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793666#M160005 <P>Hi All</P> <P>I'm using a Cisco ASA 5550 firewall.</P> <P>I have an external subnet on the internet eg 200.1.1.0/24 and have that subnet routed into our network. Please see the attached diagram.</P> <P>200.1.1.2 is only used as the external facing management address of firewall A (that is all the subnet is currently used for)&nbsp;and I want to use the rest of the external subnet to access servers that sit behind Firewall B.</P> <P>The external subnet eg is on Vlan 2 and firewall B has an outside interface address of 200.1.1.3.</P> <P>I want to be able to route traffic with a destination address of 200.1.1.4 &amp; 200.1.1.5 to my internal servers.</P> <P>I will have NAT in place to translate the external addresses to the internal addresses of the servers.</P> <P>My query is mainly around how will the traffic know to go to my firewall ?</P> <P>So will traffic destined for 200.1.1.4 &amp; 200.1.1.5 be directed to the external interface on my firewall by default - will ARP just do the work or will I have to add a specific route to the router - ie saying to get to 200.1.1.4 and 200.1.1.5 go via the external interface on my firewall ?</P> <P>thanks</P> <P></P> Tue, 12 Mar 2019 07:14:34 GMT https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793666#M160005 Jim Kerr 2019-03-12T07:14:34Z https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793667#M160006 <P>You configure NAT so that&nbsp;<SPAN>200.1.1.4 &amp; 200.1.1.5 are translated to the inside IP addresses of your server.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>When the router wants to forward a packet to&nbsp;<SPAN>200.1.1.4 or 200.1.1.5 it will send an ARP query and your firewall will respond, since it has a matching NAT entry configured.</SPAN></SPAN></P> Fri, 05 Feb 2016 08:04:00 GMT https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793667#M160006 Philip D'Ath 2016-02-05T08:04:00Z https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793668#M160007 <P>Hi Jim,</P> <P>If the NAT IP and the interface IP are in the same subnet then the firewall will do the proxy arp.</P> <P>You can verify whether the interface allows the proxy arp or not by running "show run all sysopt".</P> <P>You must have the command "no sysopt noproxyarp &lt;interface name&gt;" then the interface will send the proxy arp.&nbsp;</P> <P>If the NAT IP and the interface IP are in&nbsp;different subnet then you can configure the command &nbsp;"arp permit-nonconnected"</P> <P></P> <P>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</P> Fri, 05 Feb 2016 08:09:59 GMT https://community.cisco.com/t5/network-security/firewall-routing/m-p/2793668#M160007 Shivapramod M 2016-02-05T08:09:59Z