05-06-2013 03:29 PM - edited 03-11-2019 06:39 PM
I'm firewalling several DMZ-like networks on a PIX running 8.0 and I've just tried to move to an ASA 5510 running 8.2. The config moved over verbatim, but after bringing up the network on the ASA I started to see odd DHCP issues on one of the DMZ networks for my test machine, with it continually declining and requesting a new IP and the MS DHCP indicating the client reported it as a BAD_ADDRESS. I found that even statically configured IPs on the same net were reporting a duplicate IP. Looking at a Wireshark capture I can see the ASA was replying with its own address on ARP requests for the test host and this was causing the problem.
Is this a result of leaving proxy ARP enabled for the DMZ interface on the ASA or could my config be at fault? I'm trying to NAT exempt traffic between the inside nets and the DMZ nets using static statements and there is overlap since they all use 10 net. Here's the relevant config:
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.50 255.255.255.128
!
interface Ethernet2
nameif dmz
security-level 50
no ip address
!
interface Ethernet2.805
vlan 805
nameif dmz805
security-level 50
ip address 10.8.5.2 255.255.255.0
!
interface Ethernet2.806
vlan 806
nameif dmz806
security-level 50
ip address 10.8.6.3 255.255.255.0
!
.
.
global (outside) 1 173.11.xx.yy
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz805) 1 10.8.5.0 255.255.255.0
nat (dmz806) 2 10.8.6.0 255.255.255.0
static (inside,dmz806) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz805) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
05-06-2013 03:36 PM
Hi,
You could always try disabling the proxy ARP.
And if you don't need NAT between local interfaces then you could try a NAT0 configuration.
How many 10-networks are in use? Are there several more interfaces on the ASA?
I generally always disable Proxy ARP on interfaces that are directly connected to the local LAN/DMZ network and its hosts.
- Jouni
05-06-2013 03:52 PM
Yes, I use nat 0 on my other ASA with a nonat access list, but not here. Does that cause the ASA to turn off proxy ARP without having to resort to sysopt disable?
There are quite a few 10/24 nets behind the inside interface and each of the DMZs is also a 10/24 net. There are other DMZ interfaces of the same type and similar net address not shown in my excerpt.
Maybe you're right in that I don't really need the proxy ARP for these DMZ nets, but if I turn it off, will that affect the ASA doing PAT for the DMZ hosts out to the internet?
05-06-2013 03:58 PM
Hi,
Disabling the proxy ARP on a local interface (LAN/DMZ etc.) doesn't have any effect on the WAN interface of the ASA.
The only situation where disabling proxy ARP might have an effect on the device operation is if you are doing NAT between interfaces and the actual NAT IP address is part of some directly connected ASA interface network.
Here is the link to the Command Reference for 8.2 and "sysopt noproxyarp":
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
- Jouni
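The condition Jouni describes (a NAT address that lies inside a directly connected interface network) is exactly what the static lines in the first post produce: each "static (inside,dmzNNN) 10.0.0.0 10.0.0.0 netmask 255.0.0.0" makes the ASA answer ARP on the DMZ interface for all of 10.0.0.0/8, which includes the DMZ's own /24. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses only the 8.2-style "static (real,mapped) mapped real netmask mask" lines and "sysopt noproxyarp" lines (assumption: no other NAT forms are present), flags any static whose mapped range overlaps the mapped interface's own subnet, and goes quiet once that interface appears in a "sysopt noproxyarp" line. The config excerpt and the "fixed" variant with the two sysopt lines are constructed from the thread.

```python
import ipaddress
import re

# Constructed excerpt modelled on the interface and static lines posted in the
# thread (nat/global lines omitted: they do not affect the proxy-ARP check).
ASA_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.50 255.255.255.128
!
interface Ethernet2.805
 vlan 805
 nameif dmz805
 security-level 50
 ip address 10.8.5.2 255.255.255.0
!
interface Ethernet2.806
 vlan 806
 nameif dmz806
 security-level 50
 ip address 10.8.6.3 255.255.255.0
!
static (inside,dmz806) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz805) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
"""

# Same config with proxy ARP switched off on both DMZ sub-interfaces
# (constructed remediation, using the 8.2 "sysopt noproxyarp <nameif>" form).
ASA_CONFIG_FIXED = ASA_CONFIG + "sysopt noproxyarp dmz805\nsysopt noproxyarp dmz806\n"

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)$")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)$")
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)$")


def parse_interfaces(config):
    """Return {nameif: IPv4Network} for every interface that has an IP address."""
    nets, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and current:
            # strict=False so a host address like 10.1.1.50/25 becomes 10.1.1.0/25
            nets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def parse_statics(config):
    """Return (real_ifc, mapped_ifc, mapped_network) for each static NAT line."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            real_ifc, mapped_ifc, mapped_ip, _real_ip, mask = m.groups()
            out.append((real_ifc, mapped_ifc,
                        ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)))
    return out


def parse_noproxyarp(config):
    """Return the set of nameifs on which proxy ARP has been disabled."""
    return {m.group(1) for m in map(NOPROXY_RE.match, config.splitlines()) if m}


def find_proxy_arp_overlaps(config):
    """Statics whose mapped range overlaps the mapped interface's own subnet.

    The ASA answers ARP on the mapped interface for the mapped addresses of a
    static; if that range contains the interface's directly connected subnet
    and proxy ARP is still enabled there, the ASA answers for real hosts on
    that subnet. Returns a list of (mapped_ifc, mapped_net, local_net) strings.
    """
    nets = parse_interfaces(config)
    quiet = parse_noproxyarp(config)
    findings = []
    for _real_ifc, mapped_ifc, mapped_net in parse_statics(config):
        local = nets.get(mapped_ifc)
        if local is None or mapped_ifc in quiet:
            continue
        if mapped_net.overlaps(local):
            findings.append((mapped_ifc, str(mapped_net), str(local)))
    return findings


if __name__ == "__main__":
    for ifc, mapped, local in find_proxy_arp_overlaps(ASA_CONFIG):
        print(f"{ifc}: static mapped range {mapped} covers local subnet {local}; "
              f"consider 'sysopt noproxyarp {ifc}'")
    print("after fix:", find_proxy_arp_overlaps(ASA_CONFIG_FIXED))
```

Run as-is it reports both DMZ sub-interfaces, which matches the symptom in the first post (the ASA answering ARP for a DMZ host with its own MAC), and reports nothing for the variant with proxy ARP disabled on those interfaces. The check only looks at the mapped side of each static, because that is the side on which the ASA proxy-ARPs; the inside interface's 10.1.1.0/25 is never the mapped side here and so is not flagged.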
05-06-2013 04:00 PM
Hi,
I am not sure why the PIX and ASA are acting differently with the same configurations.
- Jouni
05-06-2013 03:57 PM
Oh, and another question would be, why doesn't this occur on the PIX using the same config? I checked sysopt there and did not find noproxyarp set.