cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1591
Views
0
Helpful
5
Replies

ASA 5505 no proxyarp + ssl vpn

BARRY GROSS
Level 1
Level 1

I have an ASA 5505 (running 8.0.4 code) that has to have proxyarp turned off on the inside interface due to the issue described in MS KB 888816.

I am able to establish my vpn connection but I cant talk to any of my servers. When i turn proxyarp back on I can communicate just fine, but as soon as i no proxyarp inside, once the arp times out I am again not able to communicate through the vpn. The vpn clients and the hosts on the inside that I am trying to talk to are all on the same subnet with no NAT between them.

I have also tried doing static arp entries on the 5505, to no avail. Anyone have a workaround to this?

Thanks

Barry

5 Replies 5

guibarati
Level 4
Level 4

The problem is that they are in the same subnet, the internal and VPN hosts, so, the only way the packets will arrive the ASA to be forwarded to the VPN client is with proxy arp.

If you want to disable that you need to have another subnet for VPN clients. So you need the default gateway of your network, to point ASA for the new subnet.

I don't know if its an option to create a third interface on a 5505

You don't need a new interface, you need only the VPN IP Pool to be in a different sobnet, that is not the same as your internal network or any other network that is already in use.

The ASA will be in charge to route that to the VPN users as long as the packet arrive to it.

Yes..your right. I got it. I did your suggestions, but forgot to modify the spilt tunnel/NAT config. Once I did that it is working.

Thanks Much

Rate pls.

Review Cisco Networking for a $25 gift card