ASA and proxy arp

Bruce Reed
Level 1

I'm firewalling several DMZ-like networks on a PIX running 8.0 and I've just tried to move to an ASA 5510 running 8.2. The config moved over verbatim, but after bringing up the network on the ASA I started to see odd DHCP issues on one of the DMZ networks for my test machine, with it continually declining and requesting a new IP and the MS DHCP indicating the client reported it as a BAD_ADDRESS. I found that even statically configured IPs on the same net were reporting a duplicate IP. Looking at a Wireshark capture I can see the ASA was replying with its own address on ARP requests for the test host, and this was causing the problem.

Is this a result of leaving proxy ARP enabled for the DMZ interface on the ASA, or could my config be at fault? I'm trying to NAT-exempt traffic between the inside nets and the DMZ nets using static statements, and there is overlap since they all use 10 net. Here's the relevant config:

interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.50 255.255.255.128
!
interface Ethernet2
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet2.805
 vlan 805
 nameif dmz805
 security-level 50
 ip address 10.8.5.2 255.255.255.0
!
interface Ethernet2.806
 vlan 806
 nameif dmz806
 security-level 50
 ip address 10.8.6.3 255.255.255.0
!
.
.
global (outside) 1 173.11.xx.yy
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz805) 1 10.8.5.0 255.255.255.0
nat (dmz806) 2 10.8.6.0 255.255.255.0
static (inside,dmz806) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz805) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

5 Replies

Jouni Forss
VIP Alumni

Hi,

You could always try disabling the Proxy ARP.

And if you don't need NAT between local interfaces, then you could try a NAT0 configuration.

How many 10-networks are in use? Are there several more interfaces on the ASA?

I generally always disable Proxy ARP on interfaces that are directly connected to the local LAN/DMZ network and its hosts.

- Jouni

Yes, I use nat 0 on my other ASA with a nonat access list, but not here. Does that cause the ASA to turn off proxy ARP without having to resort to sysopt disable?

There are quite a few 10/24 nets behind the inside interface, and each of the DMZs is also a 10/24 net. There are other DMZ interfaces of the same type and similar net address not shown in my excerpt.

Maybe you're right in that I don't really need the proxy ARP for these DMZ nets, but if I turn it off, will that affect the ASA doing PAT for the DMZ hosts out to the internet?

Hi,

Disabling the Proxy ARP on a local interface (LAN/DMZ, etc.) doesn't have any effect on the WAN interface of the ASA.

The only situation where disabling Proxy ARP might have effect on the device operation is if you are doing NAT between interfaces and the actual NAT IP address is part of some directly connected ASA interface network.

Here is the link to the Command Reference for 8.2 and the "sysopt noproxyarp" command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975

- Jouni
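As an added illustration of the two suggestions above (this is not configuration from the original post or from Cisco documentation), the following ASA 8.2 fragment shows the poster's overlapping identity statics next to a corrected form. The identity static maps all of 10.0.0.0/8 onto each DMZ interface, and that mapped range contains the DMZ subnets themselves, which is exactly the case described above where the NAT address is part of a directly connected interface network. The corrected form disables proxy ARP on the two DMZ subinterfaces and replaces the statics with NAT exemption. The access-list name NONAT_INSIDE is an assumed name chosen for this example; the global/nat statements for PAT to the outside interface are left exactly as they are in the post and are not repeated here.

```text
! --- Problem form (as posted): identity static for the whole 10/8 on each DMZ.
! The mapped range 10.0.0.0/8 includes 10.8.5.0/24 and 10.8.6.0/24, the subnets
! of dmz805 and dmz806 themselves, so the ASA answers ARP for DMZ hosts
! on their own segment.
!   static (inside,dmz805) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
!   static (inside,dmz806) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

! --- Corrected form (added example; NONAT_INSIDE is an assumed ACL name).

! 1. Stop the ASA from answering ARP on behalf of anything on the DMZ segments.
!    This is per-interface and does not touch the outside interface.
sysopt noproxyarp dmz805
sysopt noproxyarp dmz806

! 2. Remove the overlapping identity statics.
no static (inside,dmz805) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
no static (inside,dmz806) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

! 3. NAT-exempt inside <-> DMZ traffic instead. NAT exemption is bidirectional,
!    so DMZ hosts can still initiate connections to inside hosts (subject to
!    the interface access lists).
access-list NONAT_INSIDE extended permit ip 10.0.0.0 255.0.0.0 10.8.5.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 10.0.0.0 255.0.0.0 10.8.6.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE

! The existing "global (outside) 1 ..." and "nat (dmz805) 1 ..." / "nat (dmz806) ..."
! statements for internet PAT stay as they are.
```

To confirm the change took effect, check `show running-config sysopt` for the two noproxyarp lines and repeat the Wireshark capture on the DMZ VLAN: an ARP request for a DMZ host's address should now be answered only by that host's own MAC, not by the ASA's dmz805/dmz806 MAC. If the DMZ hosts lose internet access afterwards, look at the `nat (dmzNNN)` and matching `global (outside)` IDs rather than at proxy ARP, since the per-interface proxy ARP setting does not affect PAT on the outside interface.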

Hi,

I am not sure why the PIX and ASA are acting differently with the same configurations.

- Jouni

Oh, and another question would be, why doesn't this occur on the PIX using the same config? I checked sysopt there and did not find noproxyarp set.
