https://community.cisco.com/t5/network-security/proxyarp/m-p/2834909#M174486 <P>Hi.</P> <P>Proxy ARP is enabled for your nat statements.</P> <P>please add "no-proxy-arp route-lookup" keywords at the end of these statements.</P> <P>Regards,</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> <P></P> <P></P> Sat, 28 Nov 2015 15:41:18 GMT Akshay Rastogi 2015-11-28T15:41:18Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834908#M174485 <P>Hi,</P> <P></P> <P>As in&nbsp; the picture &nbsp;attached &nbsp;ASA dmz&nbsp; also replying&nbsp; the ARP request. And the host 1 update arp cache with the&nbsp; ASA interface mac address .</P> <P>This stops the communication between HOST 1 and&nbsp; HOST 2 .</P> <P>How can i solve this issue ?</P> <P>&nbsp;</P> <P><SPAN>other related configuration for the proxyarp</SPAN></P> <P>&nbsp;</P> <P>no sysopt noproxyarp Outside</P> <P>no sysopt noproxyarp DMZ</P> <P>no sysopt noproxyarp Inside</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>object network DMZ-Network</P> <P>subnet 172.16.20.0 255.255.255.0</P> <P>&nbsp;</P> <P><SPAN>no proxyarp configured in the below statement</SPAN></P> <P>&nbsp;</P> <P>nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES&nbsp;&nbsp; VPN-POOLSALES</P> <P>nat (DMZ,any) source static DMZ-Network DMZ-Network destination static&nbsp; VPN-POOLEMP VPN-POOLEMP</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 12 Mar 2019 06:57:35 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834908#M174485 bluesea2010 2019-03-12T06:57:35Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834909#M174486 <P>Hi.</P> <P>Proxy ARP is enabled for your nat statements.</P> <P>please add "no-proxy-arp route-lookup" keywords at the end of these statements.</P> <P>Regards,</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> <P></P> <P></P> Sat, 28 Nov 2015 15:41:18 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834909#M174486 Akshay Rastogi 2015-11-28T15:41:18Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834910#M174487 <P>Hi,</P> <P>How does the &nbsp;below &nbsp;statement&nbsp;casue a problem&nbsp;</P> <P><BR />nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES<BR />nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP</P> <P></P> <P><SPAN>VPN-POOLSALES</SPAN></P> <P><SPAN>172.16.128.65-172.16.128.78 mask 255.255.255.240</SPAN></P> <P><SPAN> VPN-POOLEMP</SPAN></P> <P><SPAN>172.16.128.33-172.16.128.46 mask 255.255.255.240</SPAN></P> <P><SPAN>so how does it affect&nbsp;</SPAN></P> <P><SPAN>Thank you&nbsp;</SPAN></P> <P></P> <P></P> Sun, 29 Nov 2015 03:08:41 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834910#M174487 bluesea2010 2015-11-29T03:08:41Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834911#M174488 <P>Hi,</P> <P>As you have 'source static DMZ-Network DMZ-Network' on your nat statment, so ASA is supposed to respond to ARP request coming on it. Therefore it affects your traffic. Also proxy arp is enabled by default 'no sysopt noproxyarp DMZ'.&nbsp; this says 'no' to 'noproxyarp' which means enable proxy arp.</P> <P></P> <P>Hope it answers your queries.</P> <P>Regards,</P> <P>Akshay Rastogi</P> Sun, 29 Nov 2015 03:39:47 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834911#M174488 Akshay Rastogi 2015-11-29T03:39:47Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834912#M174489 <P>Hi Akshay&nbsp;</P> <P>Thank you for your answer.&nbsp;</P> <P>I have one more &nbsp;PAT statement like below&nbsp;</P> <P>nat (DMZ,Outside) after-auto source dynamic DMZ-Network interface .</P> <P>Does it statement also impact the traffic ? .&nbsp;</P> <P></P> <P>What if i disable proxyarp in&nbsp;the &nbsp;DMZ interface , does it solve the problem instead of adding &nbsp;<SPAN>no-proxy-arp route-lookup" &nbsp;each and every nat statement .</SPAN></P> <P><SPAN>Disabling proxy arp cause another issue ?&nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Thank you&nbsp;</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> <P><SPAN></SPAN></P> Sun, 29 Nov 2015 03:52:13 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834912#M174489 bluesea2010 2015-11-29T03:52:13Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834913#M174490 <P>Hi,</P> <P>ASA does not perform proxy arp for dynamic statement. It should not cause any issue.</P> <P>Regards,</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> <P></P> Sun, 29 Nov 2015 04:42:18 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834913#M174490 Akshay Rastogi 2015-11-29T04:42:18Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834914#M174491 <P>Hi</P> <P>Thank you .&nbsp;</P> <P>Just to conclude ,&nbsp;what about the below&nbsp;command causes the asa respond to arp request?</P> <P>object network webserver<BR /> host 172.16.20.50<BR />object network webserver<BR /> nat (DMZ,Outside) static 2.2.2.2</P> <P>Thank &nbsp;you</P> Sun, 29 Nov 2015 06:04:28 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834914#M174491 bluesea2010 2015-11-29T06:04:28Z https://community.cisco.com/t5/network-security/proxyarp/m-p/2834915#M174492 <P>Hi,</P> <P>This statement is for traffic going to leaving Outside interface or traffic coming from Outside hosts to IP 2.2.2.2</P> <P>ASA would respond to ARP request for destination IP 2.2.2.2 coming on its Outside Interface.</P> <P>Regards,</P> <P>Akshay Rastogi</P> <P>Remember to rate helpful posts.</P> <P></P> Sun, 29 Nov 2015 06:26:35 GMT https://community.cisco.com/t5/network-security/proxyarp/m-p/2834915#M174492 Akshay Rastogi 2015-11-29T06:26:35Z