topic Re: ASA Mac address problem in Network Security

ASA Mac address problem

harinirina — Mon, 11 Mar 2019 19:42:53 GMT

Hi,

We have ASA setup between the core switch and the border internet router.

When we do "show arp" aon the core, there are many IP address (some used, some don't exist) corresponding to the MAC address of the ASA inside interface.

how could we do to identify the source of the problem and how can we fix it ?

Re: ASA Mac address problem

Jennifer Halim — Tue, 01 Feb 2011 17:31:10 GMT

If you are seeing MAC Address of the ASA inside interface for multiple addresses, that means that the ASA is performing proxy arp on the inside interface.

Normally proxy arp is enabled on the outside interface because you might be NATing private server address to different public ip addresses which is virtual on the ASA, therefore, proxy arp needs to be enabled on the outside interface.

However, are you NATing anything to the inside subnet, if you are not NATing anything to the inside subnet, you can disable proxy arp on the ASA inside interface so the ASA is not ARPing on behalf of host itself.

To check if ASA is ARPing for the inside interface:

show run all | inc sysopt

If you are seeing "no sysopt noproxyarp inside", that means proxy arp is enabled on the inside interface. To disable it: "sysopt noproxyarp inside". Then perform "clear arp" on the ASA.

Hope that answers your question.

Re: ASA Mac address problem

harinirina — Wed, 02 Feb 2011 07:08:11 GMT

Hello,

We have private IP address on the inside which are accessed by public IP address from the outside. So, in this case, do we need proxy arp on the inside interface or not?

we checked with "show run all | inc sysopt", here is the output

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz

We disabled proxy arp on inside interface with "sysopt noproxyarp inside" and did clear both on the asa and the switch. We have MAC address of the ASA inside interface for multiple IP addresses.

The ASA runs IOS ver 8.3, it's the first time we use this version.

Could you give more advice?

Re: ASA Mac address problem

harinirina — Wed, 02 Feb 2011 08:48:16 GMT

Sorry for my last post.

There was a mistake.

it's working fine after desabling proxy arp on interface inside with "sysopt noproxyarp inside".

Thanks Jennifer, your answer is always extremely helpful.

Thanks a lot.

Re: ASA Mac address problem

Jennifer Halim — Wed, 02 Feb 2011 10:58:06 GMT

Great to hear, and thanks for the rating.

Re: ASA Mac address problem

chill — Wed, 27 Apr 2011 00:21:05 GMT

I don't understand your statement: "... if you are not NATing anything to the inside subnet, you can disable proxy arp on the ASA inside interface so the ASA is not ARPing on behalf of host itself."

What do you mean "so that the ASA is not ARPing for the host itself"? What host are you referring to? The ASA itself? f there are no static NATs defined on the inside interface, then the ASA will not perform proxy ARP from the inside interface to the inside network, unless there is a explicitly defined static ARP entry in the configuation file.

I'm still trying to understand why someone would want to disable proxy ARP on an interface. My understanding is that the ASA will only perform a proxy ARP on an interface under 2 conditions: (1) There is a static NAT assigned on that interface and it will proxy ARP on behald of the static NAT global address, or (2) There is a static ARP entry for an address on the interface. The only reason I could see for disabling proxy ARP would be to hide a static NAT such that only adjacent routers with an explicit static route would know to direct packets destined for xxx.yyy.zzz.214 (static NAT Addr) to xxx.yyy.zzz.217 (ASA interface address hosting the static NAT). I must be overlooking something.