Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21909
Views
20
Helpful
5
Replies

Disbling Proxy Arp

Go to solution
Dustin Flint
Level 1
Level 1

‎08-17-2017 04:11 AM - edited ‎03-12-2019 02:50 AM

I have an ASA interface in which Proxy Arp is still enabled for some reason. If I turn this off for this interface, will there be any type of down time for resources or blips when this is done?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Dustin Flint

‎08-17-2017 07:38 AM

Hi,

In that case, you can turn off this feature.

Just to emphasize the role of Proxy-ARP on ASA:

When you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface i.e. static (DMZ,inside) for example. The moment you disable proxy arp, the firewall will stop proxy-arping for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATTED IP of the DMZ server.

Reference:

https://supportforums.cisco.com/discussion/10942001/cisco-asa-arp-poison

Regards,

Aditya

Please rate helpful and mark correct answers

View solution in original post

5 Replies 5

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎08-17-2017 04:18 AM

Hi Dustin,

Any reason to turn off this feature.

Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The adaptive security appliance uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the adaptive security appliance interface. The only way traffic can reach the hosts is if the adaptive security appliance uses proxy ARP to claim that the adaptive security appliance MAC address is assigned to destination mapped addresses.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/route_overview.html#wp1106863

Regards,

Aditya

Please rate helpful and mark correct answers

Go to solution
Dustin Flint
Level 1
Level 1
In response to Aditya Ganjoo

‎08-17-2017 04:43 AM

Yes, proxy arp has caused problems for us in the past. It mainly causes problems when trying to reach devices.

For example, I have an ME3800 switch I cant reach via ssh. I could 2 weeks go, up until I put another switch in, then I could no longer reach the 3800. They have different ip addresses, but when you do an arp lookup, they both show as having the same arp address. This has caused us huge problems in the past, especially in our virtual environment.

Also, most engineers I have talked to said if proxy arp is on by default when ever they are deploying new equipmnet, the first thing they do is turn it off.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Dustin Flint

‎08-17-2017 07:01 AM

Hi,

If that's the issue you can turn off the proxy-arp on that interface.

Also, the switch you were not able to reach through SSH, does it have any NAT on the ASA?

If yes, you can disable proxy-arp on the particular NAT statement.

Regards,

Aditya

Please rate helpful and mark correct answers

Go to solution
Dustin Flint
Level 1
Level 1
In response to Aditya Ganjoo

‎08-17-2017 07:04 AM

I dont need NAT on the interface for switch I am going too. I am trying to reach via the local subnet, so the traffic shouldnt pass through firewall. Thats where the problem of the firewall interface showing as the arp address for that device comes into play.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Dustin Flint

‎08-17-2017 07:38 AM

Hi,

In that case, you can turn off this feature.

Just to emphasize the role of Proxy-ARP on ASA:

When you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface i.e. static (DMZ,inside) for example. The moment you disable proxy arp, the firewall will stop proxy-arping for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATTED IP of the DMZ server.

Reference:

https://supportforums.cisco.com/discussion/10942001/cisco-asa-arp-poison

Regards,

Aditya

Please rate helpful and mark correct answers

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card