Will proxy arp cause temp new asa to break network?

iglablues
Level 1

Hi. I am in the process of swapping out an ASA 5505 for an ASA 5545-X. I have a few questions (sort of general in nature) about the best way to test and deploy.

The current ASA sits off of an HP ProCurve 5406 which connects to our ISP's uplink. All traffic goes through the ProCurve first, is forwarded on to the ASA via Layer 2 forwarding with VLANs, NAT'd and processed against firewall rules, and then sent back to the ProCurve to reach its final destination, whether it be internal or external.

My intention was to connect the new ASA to the HP as well, using different IPs for the outside and inside interfaces obviously, but within the same network subnet. I actually reused the IPs of the old standby ASA, which is no longer connected to the network in any way. So, whereas the config for my current ASA is:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.2 255.255.0.0 standby 10.1.10.3 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.0.0 standby 1.1.1.2

The config for my new ASA is:

!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.2.2 255.255.0.0 
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.0.0
!
interface Redundant2
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.1.10.3 255.255.0.0

On to my question...

If I attach this new ASA to the HP, will I run into issues with traffic being sent to the new ASA (and subsequently dropped) because of proxy ARP? My understanding is that the default behavior of the ASA is to send proxy ARP across all interfaces. Therefore, if the HP forwards an ARP request out all interfaces on VLAN 1, and the new ASA has an interface with an IP in that subnet attached to an HP interface that is assigned to VLAN 1, will the new ASA potentially respond to that ARP request with its own MAC, thereby causing traffic disruption? Something like this:

Additional question: the 5545s don't need VLANs the way the 5505 did. Do I need to configure them anyway if I'm connecting them to a switch that uses VLANs, even if they're untagged? If HP port A24 is untagged for VLAN 20 and attached to E0/1 on the 5545, will the frame pass through? Will the 5545's routing table (which will be static routes) allow it to send the frame back out the appropriate interface?

Thanks in advance, and sorry for the long post.

Accepted Solution
Hi iglablues,

The ASA proxy ARP will only take place if NAT rules are configured. It will proxy for rules that don't have the "no-proxy-arp" keyword. In this case, if the 5545 is added with an empty config, it won't affect anything at all.

If your ASA 5505 config has translations that the other ASA uses and the 5545 has the same config (i.e. a static rule for 1.1.1.15 used for a web server) without the no-proxy-arp keyword, then those ASAs will be fighting for those rules. So in short, the proxy ARP will take place only depending on the rules in your config. In any case, proxy ARP can be disabled to avoid any problem while you have both of them there, with the following commands:

sysopt noproxyarp outside
sysopt noproxyarp inside

Referring to your questions about the VLAN use, the 5545 won't need VLAN configuration if the switch is sending untagged frames. The only important thing to ensure is that the switch has the necessary VLAN applied to the interface connected to the ASA. The ASA will take those frames without any problem, just as if it were an end host.

Only if you are using the same cable and you want to trunk the VLANs from the switch to ASA subinterfaces, then you would need to refer the VLAN used to each interface. However, this is not your case.

Hope I have answered your queries!

- Cesar
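As an added illustration of the rule Cesar describes (this is not from the thread or from Cisco), a small Python pre-cutover check: it reads static object-NAT rules out of two constructed ASA configs and reports which mapped addresses both boxes would answer ARP for on the same interface, honoring the no-proxy-arp keyword and sysopt noproxyarp. The 1.1.1.15 web-server mapping is the example from the answer; the object names, host addresses and 1.1.1.25 are constructed.

```python
import re

# Object-NAT static rule, e.g. " nat (inside,outside) static 1.1.1.15 [no-proxy-arp]"
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+static\s+"
    r"(?P<mapped_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$"
)
# Per-interface kill switch recommended in the answer above
NOPROXY_RE = re.compile(r"^\s*sysopt\s+noproxyarp\s+(?P<ifc>[\w-]+)\s*$")


def proxy_arp_targets(config: str) -> set[tuple[str, str]]:
    """Return {(mapped_interface, mapped_ip)} this config would answer ARP for.

    Simplified model of the rule stated in the thread: only static object-NAT
    rules without 'no-proxy-arp' count, and 'sysopt noproxyarp <ifc>' silences
    an interface entirely. Twice-NAT ('nat ... source static') is ignored.
    """
    disabled: set[str] = set()
    candidates: list[tuple[str, str]] = []
    for line in config.splitlines():
        if m := NOPROXY_RE.match(line):
            disabled.add(m["ifc"])
        elif (m := NAT_RE.match(line)) and "no-proxy-arp" not in m["rest"]:
            candidates.append((m["mapped"], m["mapped_ip"]))
    return {(ifc, ip) for ifc, ip in candidates if ifc not in disabled}


def arp_conflicts(old_cfg: str, new_cfg: str) -> set[tuple[str, str]]:
    """Addresses both ASAs would claim on the same interface/VLAN."""
    return proxy_arp_targets(old_cfg) & proxy_arp_targets(new_cfg)


# Constructed sample configs: 1.1.1.15 is the web-server example from the
# answer; the mail-server object and 1.1.1.25 are invented for contrast.
OLD_5505 = """\
object network web-server
 host 10.1.10.15
 nat (inside,outside) static 1.1.1.15
object network mail-server
 host 10.1.10.25
 nat (inside,outside) static 1.1.1.25 no-proxy-arp
"""
NEW_5545 = OLD_5505  # translations copied over unchanged
NEW_5545_SAFE = OLD_5505 + "sysopt noproxyarp outside\nsysopt noproxyarp inside\n"

if __name__ == "__main__":
    print("conflicts as copied:", arp_conflicts(OLD_5505, NEW_5545))
    print("conflicts with noproxyarp:", arp_conflicts(OLD_5505, NEW_5545_SAFE))
```

A non-empty result means the two firewalls would answer ARP for the same address while sharing a VLAN; an empty result after adding the sysopt lines confirms the mitigation Cesar suggests.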


3 Replies


iglablues
Level 1

Thank you! You very much did! What you said jibes with what I was reading here: http://www.packetu.com/2011/11/07/the-asas-arp-behavior/. In a nutshell, even if you have proxy ARP enabled, if you don't have a NAT statement of some kind corresponding to the address range on the interfaces in question, the ASA won't ARP for it. In my case it's just safest to disable proxy ARP until I actually swap out.

Thanks again.

Always glad to help!
