arp permit-nonconnected Not Working

paperangel220
Level 1

I have a ASA 5506-X version 9.8(2). The ASA has two interfaces: g1/1 (outside, ip: 209.165.0.2/30), and g1/3 (inside, ip: 209.165.0.5/30).

g1/1 is connected to a 881-W router (Router-A), whose ip is 209.165.0.1/30. Router-A's internal interface is 192.168.0.1/24.

g1/3 is connected to a 2821 router (Router-B), whose ip is 209.165.0.6/30. Router-B's internal interface is 10.0.0.1/24.

This is what the topology looks like: (Note that I have an actual physical lab, I just diagrammed it in Packet Tracer so that it's easier to visualize. Also the model numbers on the Packet Tracer diagram do not correspond with the actual physical models)

[topology diagram image]

Below are my additional configurations:

881-W's routes:

ip route 209.165.0.4 255.255.255.252 vlan 2     <------------ (I would like to test if a directly connected route can result in a successful ping. If I change this to a next hop route (ip route 209.165.0.4 255.255.255.252 209.165.0.2), ping is successful. But as of now, ping is unsuccessful if I use the directly connected route.)

ip route 10.0.0.0 255.255.255.0 209.165.0.2


2821's routes:

ip route 192.168.0.0 255.255.255.0 209.165.0.5

ip route 209.165.0.0 255.255.255.252 209.165.0.5


ASA's routes and ACL:

route outside 192.168.0.0 255.255.255.0 209.165.0.1

route inside 10.0.0.0 255.255.255.0 209.165.0.6

access-list PERMIT extended permit ip any any

access-group PERMIT in interface outside

access-group PERMIT in interface inside

access-group PERMIT out interface outside

access-group PERMIT out interface inside


I added arp permit-nonconnected on the ASA, but pinging from 192.168.0.1 to 10.0.0.1 does not work. Why?

debug arp on ASA outputs:

arp-in: request at outside from 209.165.0.1 588d.09a4.f3cc for 10.0.0.1 0000.0000.0000 having smac 588d.09a4.f3cc dmac ffff.ffff.ffff
arp-set: added arp outside 209.165.0.1 588d.09a4.f3cc and updating NPs at 19:52:01.599


Shouldn't it work even if the source (209.165.0.1) and destination address (10.0.0.1) of the ARP packet are in different subnets, since I configured arp permit-nonconnected?


Thanks for the help!
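An added helper, not from this thread or from Cisco, that parses the `debug arp` lines quoted above against the ASA's two interface addresses and flags ARP requests whose target is not on the receiving interface's connected subnet (the case asked about here: a neighbour ARPing on the /30 link for a host the ASA does not own there). The interface table and the log text are constructed from the figures in the post.

```python
import ipaddress
import re

# Constructed from the post: ASA interface addressing and the two
# "debug arp" lines the asker quoted.
ASA_INTERFACES = {
    "outside": ipaddress.ip_interface("209.165.0.2/30"),
    "inside": ipaddress.ip_interface("209.165.0.5/30"),
}

DEBUG_ARP_LOG = """\
arp-in: request at outside from 209.165.0.1 588d.09a4.f3cc for 10.0.0.1 0000.0000.0000 having smac 588d.09a4.f3cc dmac ffff.ffff.ffff
arp-set: added arp outside 209.165.0.1 588d.09a4.f3cc and updating NPs at 19:52:01.599
"""

# Matches the "arp-in:" line layout shown in the post; other debug lines
# (arp-set, arp-req, ...) are skipped.
ARP_IN_RE = re.compile(
    r"arp-in: (?P<op>request|response) at (?P<ifname>\S+) "
    r"from (?P<sender_ip>\S+) (?P<sender_mac>\S+) "
    r"for (?P<target_ip>\S+) (?P<target_mac>\S+)"
)


def parse_arp_in(line):
    """Return the fields of an 'arp-in' debug line, or None for other lines."""
    m = ARP_IN_RE.match(line.strip())
    return m.groupdict() if m else None


def on_link(rec, interfaces):
    """(sender_on_subnet, target_on_subnet) relative to the ingress interface."""
    net = interfaces[rec["ifname"]].network
    sender = ipaddress.ip_address(rec["sender_ip"])
    target = ipaddress.ip_address(rec["target_ip"])
    return sender in net, target in net


def off_subnet_arp_requests(log_text, interfaces):
    """List ARP requests whose target lies outside the ingress interface's
    connected subnet: (interface, sender, target, sender_on_subnet)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_arp_in(line)
        if rec is None or rec["op"] != "request":
            continue
        sender_ok, target_ok = on_link(rec, interfaces)
        if not target_ok:
            hits.append((rec["ifname"], rec["sender_ip"], rec["target_ip"], sender_ok))
    return hits
```

Running it over the quoted debug output reports one request on outside from 209.165.0.1 (on-subnet sender) for 10.0.0.1 (off-subnet target), which is exactly what the directly connected route on the 881-W causes it to send.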


To ping:

1- You need two static routes in the ASA.

2- You need one static route in each router.

MHM


I already had these routes configured:

881-W's routes:

ip route 209.165.0.4 255.255.255.252 vlan 2     

ip route 10.0.0.0 255.255.255.0 209.165.0.2


2821's routes:

ip route 192.168.0.0 255.255.255.0 209.165.0.5

ip route 209.165.0.0 255.255.255.252 209.165.0.5


ASA's routes and ACL:

route outside 192.168.0.0 255.255.255.0 209.165.0.1

route inside 10.0.0.0 255.255.255.0 209.165.0.6


But pinging doesn't work. Are these the necessary routes or am I mistaken? Thanks!

From any PC, traceroute to the other one.

Share the result here.

MHM

[traceroute result image]
The traffic stops in the router.

Use a static route in both routers, but use the egress interface, not the next hop.

MHM

I changed the routes to use egress interface. Ping is still unsuccessful:

881-W router:
ip route 10.0.0.0 255.255.255.0 Vlan2
ip route 209.165.0.4 255.255.255.252 Vlan2

2821 router:
ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/0
ip route 209.165.0.0 255.255.255.252 GigabitEthernet0/0
