https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3738759#M9125 <P>Hi David,</P> <P>ASA uses proxy arp to respond to host that uses static nat on the same network or an arp request form IPs it is using for NAT but that are not assigned to any interface.</P> <P>&nbsp;</P> <P>For example, your are connected to ISP with /28 or /27 subnet, from this pool two ip's will be used one for ASA outside interface&nbsp; and the other for CPE. In this case remaining free IP's may be used for static nat to publish your services. When traffic arrives from internet to CPE to one of those free IP's, CPE will send an arp request to ASA because it is connected with the IP from same range. ASA will respond with proxy-arp and send the outside interface mac address, so CPE will forward the traffic to it&nbsp;</P> <P>&nbsp;</P> <P>In your case for remote access vpn proxy-arp is not necessary for the communication, traffic will check route-lookup to reach destination.</P> <P>&nbsp;</P> <P>HTH</P> <P>-Abheesh</P> Sun, 04 Nov 2018 21:45:37 GMT Abheesh Kumar 2018-11-04T21:45:37Z https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3737965#M9121 <P>We have an ASA 5500 which has proxy Arp on by default. I need to remove this from the inside and DMZ interfaces but I'm concerned about the effect this will have on the remote access VPN users as there are a number of static NAT rules set up which allows access&nbsp;to and from&nbsp;the remote VPN connections and&nbsp;the inside networks. They use original source and destination addresses. My understanding is we would loose all of these rules if we disable proxy ARP. I'm a novice where the&nbsp;&nbsp;ASA is concerned so I could do with some help.</P> <P>&nbsp;</P> <P>Example:</P> <P>nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.254.0-mask24 obj-10.200.254.0-mask24<BR />nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.253.0-mask24 obj-10.200.253.0-mask24</P> Fri, 21 Feb 2020 16:25:54 GMT https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3737965#M9121 david.wallace111 2020-02-21T16:25:54Z https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3738046#M9124 Nope. With current config connectivity won't be broken. Nonat will still<BR />take place and it will use route lookup instead of arp.<BR /> Fri, 02 Nov 2018 15:36:37 GMT https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3738046#M9124 Mohammed al Baqari 2018-11-02T15:36:37Z https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3738759#M9125 <P>Hi David,</P> <P>ASA uses proxy arp to respond to host that uses static nat on the same network or an arp request form IPs it is using for NAT but that are not assigned to any interface.</P> <P>&nbsp;</P> <P>For example, your are connected to ISP with /28 or /27 subnet, from this pool two ip's will be used one for ASA outside interface&nbsp; and the other for CPE. In this case remaining free IP's may be used for static nat to publish your services. When traffic arrives from internet to CPE to one of those free IP's, CPE will send an arp request to ASA because it is connected with the IP from same range. ASA will respond with proxy-arp and send the outside interface mac address, so CPE will forward the traffic to it&nbsp;</P> <P>&nbsp;</P> <P>In your case for remote access vpn proxy-arp is not necessary for the communication, traffic will check route-lookup to reach destination.</P> <P>&nbsp;</P> <P>HTH</P> <P>-Abheesh</P> Sun, 04 Nov 2018 21:45:37 GMT https://community.cisco.com/t5/network-security/proxyarp-and-remote-access-vpn/m-p/3738759#M9125 Abheesh Kumar 2018-11-04T21:45:37Z