ASA 8.4(2)8 doing Proxy ARP for hosts on Inside Segment.

RAMEEZ RAHIM
Level 1

I see a problem on the inside segment of my firewall, where the primary firewall is doing Proxy ARP for all directly connected hosts on the inside segment.

This even causes connectivity issues to the secondary firewall IP from the inside segment.

!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.26.29.139 255.255.255.248 standby 172.26.29.140
!

Proxy ARP is not yet disabled for Inside Interface.

I have an Identity NAT statement for my inside segment, but no Proxy ARP is set.

!
object network obj-172.26.29.136
 subnet 172.26.29.136 255.255.255.248
!
nat (inside,any) source static obj-172.26.29.136 obj-172.26.29.136 no-proxy-arp
!

Is this a known bug with the 8.4.2 ASA code?

5 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding there have been problems with Proxy ARP, mostly related to NAT configurations. But I can't shake the feeling that sometimes simply having this Proxy ARP feature enabled on the Cisco firewall has caused the firewall to answer ARP requests even though it had no NAT configuration for which to answer them. I can't be 100% sure, as I have not had many of those situations and have not had the chance to debug them when they have presented themselves.

Do you have any need to have Proxy ARP enabled on the interface? Most of the time I disable it on the LAN/DMZ interfaces of the ASA right from the start, as there is usually no NAT done to the IP addresses of any of the ASA's connected networks. In other cases local routing should handle the forwarding of traffic to the ASA, and no ARP should be needed for possible NAT IP addresses.

Do you perhaps have some wide Dynamic PAT rule in place, as you have configured this Static Identity NAT? I am just asking because, if you had specified the sources of your dynamic translations specifically, you would have no need for ANY Identity NAT configurations on the ASA. I was glad to get rid of this compared to the older software versions.

I am for example just creating a migration configuration for one of our customers. In total I will be removing around 850 Static Identity NAT configurations from their firewall upon the migration.

- Jouni

Yes, I have a PAT for source any. But this shouldn't do any proxying, right?

object network obj_any
 nat (inside,outside) dynamic interface

Hi,

No, it shouldn't.

The only ARP-related operation of that NAT configuration is that the ASA will answer any ARP request for the IP address configured on the interface. And there is nothing really out of the ordinary in that, as the device naturally answers ARP requests for its interface IP addresses with their MAC address.

I was just thinking that, since clearly the small subnet with the Static Identity NAT configuration is not supposed to be translated at all, if you had a Dynamic PAT configuration that specified the required source network then the Static Identity NAT would not be needed at all (if there is a doubt that it might be causing this).

I personally configure Dynamic PAT in this way for LAN/DMZ networks:

object-group network PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

I can't really say if you are running into some bug. Even though I have been using the same software (not the same interim release though) on multiple platforms, I have not used Identity NAT configurations since the 8.2 software.

It's my understanding that the ASA should only use Proxy ARP if you have configured NAT that uses one of your ASA's connected networks' IP address(es) as the mapped address.

Now that I look at it, it seems that I might have slightly misunderstood the issue. I thought this was a problem with hosts, but you talk about the Failover pair (and since the network is only a /29 there is not much possibility of a host network). We do have Failover pairs running 8.4(2) and we have not run into any such problems.

Both ASAs should answer ARP requests normally, as they have the IP address configured on their interfaces (depending which device is active).

Are you saying that the connected router can see the Active ASA answering Proxy ARP requests for the Standby unit's IP address?

- Jouni

Hi,

For your question:

Are you saying that the connected router can see the Active ASA answering Proxy ARP requests for the Standby unit's IP address?

Yes.

Hi,

I would have to guess that this is related to some NAT configuration. Perhaps the one you have mentioned, unless you have some other configuration that might cause this. I can't really say.

One question would be: what is the purpose of doing this Static Identity NAT for your firewall's link network in the first place? And why is it specified with destination interface "any"? A possibly safer solution would be to have the interface specified, and if you need to apply it to multiple interfaces then simply make separate configurations for those.

But the first thing to determine would be if you even need this.

And as I said before, if you had a specific Dynamic PAT configuration you would not need this Static Identity NAT configuration at all.

I guess the next step would be to go through the NAT configuration and determine if you need the Proxy ARP enabled globally on the interface at all.

- Jouni
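As an added example (not configuration from the thread's participants), the inside segment from the original post with the recommendations above applied: global Proxy ARP off on the inside interface, an explicit-source Dynamic PAT so the Identity NAT is no longer needed, and, if the Identity NAT is kept anyway, a specific egress interface instead of "any". The object-group name PAT-SOURCE and the PAT source prefixes are assumed; the capture name ARPCAP is an arbitrary label.

```text
! 1. Turn off global Proxy ARP on the inside interface; nothing is
!    NATted onto the 172.26.29.136/29 link network, so the ASA has no
!    legitimate reason to answer ARP for anything but its own .139/.140.
sysopt noproxyarp inside
!
! 2. Replace the catch-all object NAT with a Dynamic PAT that names its
!    sources explicitly (assumed prefixes), then the link network is
!    never a PAT candidate and the Identity NAT exemption is unnecessary.
object network obj_any
 no nat (inside,outside) dynamic interface
!
object-group network PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
nat (any,outside) after-auto source dynamic PAT-SOURCE interface
!
! 3. If the Identity NAT must stay, remove the (inside,any) form and
!    re-add it per egress interface, keeping no-proxy-arp.
no nat (inside,any) source static obj-172.26.29.136 obj-172.26.29.136 no-proxy-arp
nat (inside,outside) source static obj-172.26.29.136 obj-172.26.29.136 no-proxy-arp
!
! Verification on the active unit: confirm the sysopt took effect and
! that no NAT rule still lists a 172.26.29.136/29 address as mapped.
show running-config sysopt
show nat detail
!
! Then capture only ARP on the inside interface; after the change, the
! active unit's MAC should appear as the sender only in replies for
! 172.26.29.139, never for 172.26.29.140 or other hosts on the /29.
capture ARPCAP interface inside ethernet-type arp
show capture ARPCAP
no capture ARPCAP
```

Run the same capture before the change to record the current behaviour, so the two outputs can be compared host by host.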
