topic Re: ASA not proxy ARPing remote IP address in Network Security

ASA not proxy ARPing remote IP address

oldcreek12 — Mon, 11 Mar 2019 18:12:50 GMT

Hi, I am setting up a simple site2site VPN between ASA5520 at HQ and ASA5505 in remote office, HQ uses 10.0.0.0/8 network while remote office use 172.30.16.0/20 network, ASA5505's inside IP is 172.30.16.0.254/24, there is a C3560 connect to ASA's inside interface with IP 172.30.16.252/24. IPsec tunnel is fine, however when I ping from 10.1.1.108 from HQ, echo request is sent to C3560 by ASA 5505, but I can not get echo reply back from remote C3560 switch, debug on ASA5505 shows that when C3560 tries to ARP for 10.1.1.108, ASA5505 does not proxy-ARP it. I have default proxy-arp turned on. I can set C3560's default gateway to ASA5505's inside IP address to avoide proxy-arp, but I don't have network connection to C3560, classical chicken-egg problem.

debug arp enabled at level 1
asa5505# arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301045040

arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301048040
b arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000

Re: ASA not proxy ARPing remote IP address

Nagaraja Thanthry — Sat, 17 Jul 2010 18:57:18 GMT

Hello,

What is the default gateway on the 3560? Can you ensure that the 3560 has

the default gateway set to the inside of 5505. Also, if you have turned on

routing on 3560, then you should use "ip route 0.0.0.0 0.0.0.0 " form to set the default gateway.

Hope this helps.

Regards,

Re: ASA not proxy ARPing remote IP address

oldcreek12 — Sat, 17 Jul 2010 19:20:50 GMT

Thanks, but that is not the point, I don't have to set C3560's default-gateway, ASA5505 is supposed to proxy-arp any ARP requestion coming from C3560. (Beside, as I mentioned, I don't have network connectivity to C3560)

Re: ASA not proxy ARPing remote IP address

Nagaraja Thanthry — Sat, 17 Jul 2010 19:30:17 GMT

Hello,

ASA will not Proxy-ARP for every destination unless you have configured NAT

on that interface. If you have configured something like "static

(outside,inside) 10.0.0.0 10.0.0.0 255.0.0.0", then ASA will ARP for it. It

will not Proxy-arp in general as it could lead to catastrophic network

issues.

Hope this helps.

Regards,

Re: ASA not proxy ARPing remote IP address

oldcreek12 — Sat, 17 Jul 2010 20:55:46 GMT

Thanks a lot, static NAT allows me to gain remote access to the swit

ch and I am able to configure default route on the switch.