Proxy arp in ASA/Firepower appliances

alessandro.s (Level 1)

Hi community,

I have read many documents and posts about the proxy ARP feature, but it is still not totally clear to me, especially regarding ASA and Firepower devices (assuming the behaviour is the same for both), so I have some questions:

1. I understood that with proxy ARP enabled on an interface, the ASA will respond, on that interface, to ARP requests directed to addresses it knows, using its own MAC address. Does this mean that the ASA responds even to ARP requests directed to a subnet it knows via a route?

2. Proxy ARP on ASA interfaces is enabled by default, but it seems it is not really "active" unless a NAT rule is configured. Is this true?

3. I saw that proxy ARP can be specifically disabled in NAT rules, but I don't understand what exactly this means: does it disable proxy ARP just for the traffic specified in this NAT rule? So, let's say I'm configuring identity NAT to NOT translate the source address A flowing from inside to all addresses in the DMZ; what's the difference between having proxy ARP enabled or disabled?

4. When I configure identity NAT rules, the ASA displays the warning below:

(screenshot: Proxy arp warning.jpg)

I really don't understand why proxy ARP enabled in identity NAT rules can cause problems... can someone explain it to me?

5. I understood that proxy ARP is useful in static DMZ/inside-to-outside mappings when the mapped address is within the pool assigned to the outside interface and the ISP is arping to the ASA. So, assuming that there are no similar NAT rules (mapping real addresses from the source to addresses included in subnets directly connected to the ASA) for the inside and/or DMZ interfaces, is it good practice to disable proxy ARP on all interfaces but outside?

Thank you in advance,
Alessandro


Bogdan Nita (VIP Alumni)

1. Proxy ARP allows the ASA to respond to ARP requests for addresses other than the ones configured on the interface. Unlike a router, the proxy ARP function is not based on the routing table but on the NAT config.
2. Yes, it is enabled by default; the config can be seen using sh run all sysopt | i proxy
3. The ASA will not respond to ARPs from the IPs configured in the NAT statement; without the no-proxy-arp, the ASA will respond to ARP requests.
4. The ASA will start responding to ARPs it should not, and it can cause connectivity issues.
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html
5. If the NATs you have configured do not require proxy ARP and they are configured accordingly with no-proxy-arp, the ASA will effectively not do proxy ARP.

Hi Bogdan,

thanks for your reply, so correct me if I'm wrong:

1. If I configure a static NAT rule for addresses NOT part of the ASA's interface IP addresses, the firewall will respond to ARP requests for those addresses too;

2. It will not proxy-ARP if there are no NAT rules configured;

3. If proxy ARP is disabled in a NAT rule, the ASA will not respond to ARP requests that have as source address those included in the configured NAT rule, regardless of NAT type;

4. & 5. Assuming that what I wrote above is correct, these are now clear.

Hi alessandro,

1. I think you are mostly correct on this one; here is how Cisco explains it:
"If you use addresses on the same network as the destination (mapped) interface, the ASA uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address."
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/nat-reference.html

2. Correct.
3. If all your NAT rules have no-proxy-arp, the ASA will not do proxy ARP.

Also, another detail that could come in handy:
Starting with ASA version 8.4(3), the ASA will not respond to ARP requests received on an interface for IP addresses that are not a part of that interface's IP subnet.
https://supportforums.cisco.com/t5/security-documents/asa-8-4-3-arp-response-behavior-change/ta-p/3118644
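
To make the rules from Bogdan's two replies concrete (proxy ARP is driven by the NAT mapped addresses rather than the routing table, a rule's no-proxy-arp keyword switches it off, and since 8.4(3) the ASA ignores ARP requests for addresses outside the receiving interface's subnet), here is an added Python model of that decision, including the identity NAT case behind the warning in question 4, where an identity rule whose range covers the DMZ subnet makes the ASA answer ARP for real DMZ hosts. This is not code from the thread or from Cisco: the interfaces, addresses and NAT rules are constructed, and the per-interface proxy_arp flag is an assumed stand-in for the sysopt setting.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address as A, IPv4Network as N

@dataclass
class Interface:
    name: str
    ip: A                   # the interface's own address
    net: N                  # the interface subnet
    proxy_arp: bool = True  # assumed stand-in for the sysopt proxy-ARP state (on by default)

@dataclass
class NatRule:
    real: N                     # real (pre-translation) addresses
    mapped: N                   # mapped addresses; equal to `real` for identity NAT
    mapped_if: str              # destination (mapped) interface of the rule
    no_proxy_arp: bool = False  # the rule's "no-proxy-arp" keyword

def asa_arp_reply(iface: Interface, target: A, rules: list) -> str:
    """Model which ARP requests the ASA answers on `iface` for `target`:
    "own" (its own address), "proxy" (on behalf of a NAT mapped address) or "silent"."""
    if target == iface.ip:
        return "own"
    # 8.4(3)+ behaviour: never answer for an address outside the receiving interface's subnet
    if target not in iface.net or not iface.proxy_arp:
        return "silent"
    # proxy ARP is driven by the NAT config (mapped addresses), not by the routing table
    for r in rules:
        if r.mapped_if == iface.name and target in r.mapped and not r.no_proxy_arp:
            return "proxy"
    return "silent"

# Constructed topology (documentation ranges, not a real deployment)
INSIDE = Interface("inside", A("10.1.1.1"), N("10.1.1.0/24"))
DMZ = Interface("dmz", A("10.20.0.1"), N("10.20.0.0/24"))
OUTSIDE = Interface("outside", A("203.0.113.1"), N("203.0.113.0/24"))
# static NAT: inside host 10.1.1.10 published as 203.0.113.10 on outside
STATIC = NatRule(N("10.1.1.10/32"), N("203.0.113.10/32"), "outside")
# identity NAT of 10.0.0.0/8 toward dmz, a range that also contains the dmz subnet itself
IDENTITY = NatRule(N("10.0.0.0/8"), N("10.0.0.0/8"), "dmz")
IDENTITY_NPA = NatRule(N("10.0.0.0/8"), N("10.0.0.0/8"), "dmz", no_proxy_arp=True)

def demo() -> dict:
    return {
        "static_on_outside": asa_arp_reply(OUTSIDE, A("203.0.113.10"), [STATIC]),  # proxy
        "static_on_inside": asa_arp_reply(INSIDE, A("203.0.113.10"), [STATIC]),    # silent (8.4(3)+)
        "identity_hits_dmz_host": asa_arp_reply(DMZ, A("10.20.0.50"), [IDENTITY]),  # proxy: intercepts a real host
        "identity_no_proxy_arp": asa_arp_reply(DMZ, A("10.20.0.50"), [IDENTITY_NPA]),  # silent
    }
```

The third case is the connectivity problem the identity NAT warning refers to: the ASA answers on the DMZ for an address that belongs to a live DMZ host, so traffic for that host is pulled to the firewall instead.
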

Hi Bogdan, thank you so much, now it sounds very clear!