ASA 9.12 dynamic PAT (hide) and arp issues

seahorse
Level 1

Why might the Cisco ASA respond to ARP requests for other IP addresses on the network?

We sometimes see that a VM server shows the ASA MAC in its ARP table, although the ARP table on the ASA shows the correct MAC of the VM.

"no proxy arp" could be used to stop the ASA from replying to ARP for any IP addresses other than its own.

But for dynamic PAT (hide) I have not found that this is an option.

Any hints on how to solve this issue?

Thanks for your ideas.

4 Replies

I think you need the command below:

no arp permit-nonconnected

MHM

seahorse
Level 1

Thank you for your answer.
In the CLI command reference it is written: "we do not recommend enabling this feature unless you know the security risks. This feature could facilitate denial of service (DoS) attacks against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries." So by enabling it the ARP issue on the VM could be solved, but with an increased security risk??

@seahorse, the "arp permit-nonconnected" command is of course irrelevant to the issue you described, so I'm not sure why it was recommended.

PAT doesn't have an option to prevent the ASA from sending ARP replies. You can use the "show nat proxy-arp" command, "debug arp", or a "capture" for ARP to troubleshoot this issue.
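As an added example (not from this thread and not Cisco's own tooling), a small Python script that parses ARP replies out of a tcpdump-style capture taken on the VM host and flags the symptom described above: replies in which the ASA's MAC answers for an IP the ASA does not own, and IPs that more than one MAC claims. The capture lines, MAC addresses and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn -e` format; all MACs and IPs are invented.
# 00:11:22:aa:bb:01 plays the ASA (owning 10.1.1.1), 00:50:56:01:02:03 plays the VM at 10.1.1.50.
SAMPLE_CAPTURE = """\
12:00:00.000001 00:50:56:04:05:06 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.1.50 tell 10.1.1.60, length 28
12:00:00.000102 00:50:56:01:02:03 > 00:50:56:04:05:06, ethertype ARP (0x0806), length 42: Reply 10.1.1.50 is-at 00:50:56:01:02:03, length 28
12:00:00.000150 00:11:22:aa:bb:01 > 00:50:56:04:05:06, ethertype ARP (0x0806), length 42: Reply 10.1.1.50 is-at 00:11:22:aa:bb:01, length 28
12:00:01.000001 00:11:22:aa:bb:01 > 00:50:56:04:05:06, ethertype ARP (0x0806), length 42: Reply 10.1.1.1 is-at 00:11:22:aa:bb:01, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def parse_replies(capture_text):
    """Return (ip, mac) pairs, in capture order, for every ARP reply line."""
    replies = []
    for line in capture_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def find_proxy_replies(capture_text, asa_macs, asa_ips):
    """ARP replies where an ASA MAC answers for an IP the ASA does not own, i.e. proxy ARP."""
    asa_macs = {m.lower() for m in asa_macs}
    return [(ip, mac) for ip, mac in parse_replies(capture_text)
            if mac in asa_macs and ip not in set(asa_ips)]


def find_contested_ips(capture_text):
    """IPs claimed by more than one MAC: the reason the VM's ARP table can flip to the ASA MAC."""
    claims = defaultdict(set)
    for ip, mac in parse_replies(capture_text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    # Feed the ASA's own MAC(s) and interface IP(s) for the segment being checked.
    print("proxy replies:", find_proxy_replies(SAMPLE_CAPTURE, {"00:11:22:aa:bb:01"}, {"10.1.1.1"}))
    print("contested IPs:", find_contested_ips(SAMPLE_CAPTURE))
```

Run it against the output of `tcpdump -nn -e arp` on the VM host (or an ASA ARP capture exported in the same format) in place of SAMPLE_CAPTURE.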


Hi friend,

Sorry for the fast reply.

You see the ASA MAC in your VM.

That can be:

1- normal if the ASA is the GW for the VM

2- not normal if the ASA is not the GW for the VM and the VM is configured without any GW.

This makes the VM send proxy ARP; the proxy ARP reply comes from the ASA if you run

arp permit-nonconnected, so disabling this feature with "no" can solve this issue.

Thanks

MHM
