ASA 8.4(2) nat static and arp

Martin Kyrc
Level 3

Hello,

Can anybody explain this issue to me?

I have an ASA firewall, an ACE 4710 load balancer and some real servers connected to the same VLAN (dmz). Sometimes the ACE loses connectivity to a real server. The reason is a wrong ARP record on the ACE: when the ACE broadcasts an ARP request (for the rserver), the ASA responds with its own MAC (why???). The reason of this is that the ACE can't contact the server.

log from ACE:

Sep 14 2011 14:21:42 WWW: %ACE-4-405001: Received ARP REQUEST collision from x.1.0.117 00.02.55.4f.c7.5d on interface vlanDMZ

Sep 14 2011 14:24:34 WWW: %ACE-4-405001: Received ARP RESPONSE collision from x.1.0.117 30.e4.db.19.57.f1 on interface vlanDMZ

00.02.55.4f.c7.5d is the real MAC of x.1.0.117

30.e4.db.19.57.f1 is the MAC of the ASA (x.1.0.65)

In the 'debug arp' output I can see that the ASA responds to the ARP request from the ACE for the IP address of the real server (it's not correct). Therefore the ACE learns the wrong MAC for the IP address of the real server.

I have configured static NAT for this vlan:

object network obj-DMZ
 nat (dmz,any) static obj-DMZ

Can anybody explain this issue to me?

--

martin

1 Reply

pablo.nxh
Level 3

Hi Martin,

Sounds like your issue has to do with the proxy arp feature that is enabled once you put NAT in place.

Try adding this command:

FW(config)#  sysopt noproxyarp dmz

HTH


Pablo
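
A way to confirm the condition discussed in this thread from the ACE logs, as an added example that is not part of either post: it parses the %ACE-4-405001 collision messages quoted in the question and reports any MAC that claimed a server IP it does not own. The `KNOWN_MACS` inventory and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The two ACE syslog lines quoted in the question, plus one constructed
# non-matching line to show that other messages are ignored.
SAMPLE_LOG = """\
Sep 14 2011 14:21:42 WWW: %ACE-4-405001: Received ARP REQUEST collision from x.1.0.117 00.02.55.4f.c7.5d on interface vlanDMZ
Sep 14 2011 14:24:34 WWW: %ACE-4-405001: Received ARP RESPONSE collision from x.1.0.117 30.e4.db.19.57.f1 on interface vlanDMZ
Sep 14 2011 14:25:01 WWW: (constructed line that is not an ARP collision)
"""

# Assumption: an operator-maintained inventory of real server MACs.
# The single entry is the MAC the question gives as the real one.
KNOWN_MACS = {"x.1.0.117": "00.02.55.4f.c7.5d"}

COLLISION = re.compile(
    r"%ACE-4-405001: Received ARP (?P<kind>REQUEST|RESPONSE) collision from "
    r"(?P<ip>\S+) (?P<mac>[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{2}){5}) "
    r"on interface (?P<ifname>\S+)"
)

def parse_collisions(log_text):
    """Yield (interface, ip, mac, kind) for each ARP collision message."""
    for line in log_text.splitlines():
        m = COLLISION.search(line)
        if m:
            yield m["ifname"], m["ip"], m["mac"].lower(), m["kind"]

def foreign_responders(log_text, known_macs):
    """Map each MAC that claimed an inventoried IP it does not own to those IPs.

    A device doing proxy ARP for a NAT range shows up here as one MAC
    claiming one or more server addresses.
    """
    suspects = defaultdict(set)
    for _ifname, ip, mac, _kind in parse_collisions(log_text):
        expected = known_macs.get(ip)
        if expected and mac != expected.lower():
            suspects[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in suspects.items()}

if __name__ == "__main__":
    for mac, ips in foreign_responders(SAMPLE_LOG, KNOWN_MACS).items():
        print(f"{mac} claimed {', '.join(ips)} but is not the inventoried owner")
```

On the sample lines this reports 30.e4.db.19.57.f1, which the question identifies as the ASA's MAC.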
