topic Re: ASA ISP Arp problem in Network Security

ASA ISP Arp problem

jheckart — Mon, 11 Mar 2019 12:32:00 GMT

Hi,

I just replaced a PIX 515 with an ASA 5510 failover.

The PIX had about 10 static nat translations, and pat on the interface as follows:

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) x.x.x.x 192.168.100.3 netmask 255.255.255.255

static (inside,outside) x.x.x.x 172.16.128.28 netmask 255.255.255.255

static (inside,outside) x.x.x.x 172.16.128.25 netmask 255.255.255.255

static (inside,outside) x.x.x.x 192.168.95.4 netmask 255.255.255.255

static (inside,outside) x.x.x.x 192.168.50.242 netmask 255.255.255.255

When the pix was replaced with the ASA, the pat off of the interface worked great. I then went to test other sytems, and found that nat was not working.

Upon further review, the traffic wasn't even making it to the ASA for translation. As it turns out, the ISP said that the managed router had incomplete arp entries for all public addresses but our ASA outside interface.

As a temporary solution, I would enter change the IP address on the interface to each of the nat'd addresses, and then back to what it should be. This routine fixed the problem, but then the ISP cleared the ARP table on the router and the problem is back.

What could possibly be going on here?

Thanks,

Jeff

Re: ASA ISP Arp problem

jheckart — Wed, 16 Apr 2008 12:48:25 GMT

So,

Turns out that proxy-arp was disabled. (sysopt noproxyarp outside)

I enabled proxyarp, and the asa responded to arp for the static addresses.

I searched netpro and google for this, and can't believe that I couldn't find it. I guess it makes sense based on how the asa would have to respond for anything it was asked of. Has anyone run into this before?

Re: ASA ISP Arp problem

sundar.palaniappan — Wed, 16 Apr 2008 14:33:32 GMT

Jeff,

Proxyarp is enabled by default on the outside in 7.x code. Look at the capture below where only when I configure noproxyarp it shows up in the configuration and that would mean it's a user configured value. In your case it looks like someone may have disabled the proxyarp on the outside.

I don't see how the PIX/ASA would respond, without proxyarp enabled, on behalf of host that's configured for static translation if the global address happens to be on the same subnet as the outside of the firewall.

pixfirewall# show run sysopt (factory setting)

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

pixfirewall# config t

pixfirewall(config)# no sysopt noproxyarp outside

pixfirewall(config)# show run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

pixfirewall(config)# sysopt noproxyarp outside

pixfirewall(config)# show run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt noproxyarp outside

sysopt connection permit-vpn

HTH

Sundar

Re: ASA ISP Arp problem

jheckart — Wed, 16 Apr 2008 16:51:22 GMT

Sundar,

Yes, thanks. That's the conclusion that I came to as well.

Re: ASA ISP Arp problem

JOSH GANT — Tue, 17 Jun 2008 12:43:52 GMT

Proxy-arp is normally for arp response on behalf of another device that is on a different segment. For static NATs in the ASA I would think it would reply to these ARPs because they are on the same external subnet and the static NATs are present. Proxy-arp is normally for cross segment arp proxying and I want that disabled. ???