02-01-2011 08:04 AM - edited 03-11-2019 12:42 PM
Hi,
We have ASA setup between the core switch and the border internet router.
When we do "show arp" on the core, there are many IP addresses (some in use, some that don't exist) corresponding to the MAC address of the ASA inside interface.
How can we identify the source of the problem, and how can we fix it?
02-01-2011 09:31 AM
If you are seeing the MAC address of the ASA inside interface for multiple addresses, that means that the ASA is performing proxy ARP on the inside interface.
Normally proxy ARP is enabled on the outside interface because you might be NATing a private server address to a different public IP address which is virtual on the ASA; therefore, proxy ARP needs to be enabled on the outside interface.
However, are you NATing anything to the inside subnet? If you are not NATing anything to the inside subnet, you can disable proxy ARP on the ASA inside interface so the ASA is not ARPing on behalf of the host itself.
To check if ASA is ARPing for the inside interface:
show run all | inc sysopt
If you are seeing "no sysopt noproxyarp inside", that means proxy ARP is enabled on the inside interface. To disable it: "sysopt noproxyarp inside". Then perform "clear arp" on the ASA.
Hope that answers your question.
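As an added illustration of the check described in this answer (not code from the thread or from Cisco), the script below parses a constructed "show arp" capture from the core switch to find hardware addresses that answer for many IPs, and parses "show run all | inc sysopt" output to report which ASA interfaces still have proxy ARP enabled. The MAC addresses and IPs in the samples are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "show arp" on an IOS core switch; 0011.2233.4455 plays the ASA inside MAC.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                0   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.20               3   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.77               1   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.50               2   aabb.cc00.0101  ARPA   Vlan10
Internet  10.1.1.51               9   aabb.cc00.0102  ARPA   Vlan10
"""

# Constructed sample of "show run all | inc sysopt" on the ASA (same shape as the thread's output).
SHOW_SYSOPT = """\
sysopt connection tcpmss 1380
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
"""

ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)", re.I
)
SYSOPT_RE = re.compile(r"^(no )?sysopt noproxyarp (\S+)$")

def ips_per_mac(show_arp: str) -> dict:
    """Group every ARP-table IP under its hardware address (MAC lower-cased)."""
    table = defaultdict(list)
    for line in show_arp.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, _iface = m.groups()
            table[mac.lower()].append(ip)
    return dict(table)

def suspicious_macs(show_arp: str, threshold: int = 2) -> dict:
    """MACs answering for more than `threshold` IPs: proxy ARP (or another ARP anomaly) candidates."""
    return {mac: ips for mac, ips in ips_per_mac(show_arp).items() if len(ips) > threshold}

def proxy_arp_state(show_sysopt: str) -> dict:
    """Interface name -> True when proxy ARP is enabled ("no sysopt noproxyarp <if>" means enabled)."""
    state = {}
    for line in show_sysopt.splitlines():
        m = SYSOPT_RE.match(line.strip())
        if m:
            state[m.group(2)] = m.group(1) is not None
    return state
```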
02-01-2011 11:08 PM
Hello,
We have private IP addresses on the inside which are accessed by public IP addresses from the outside. So, in this case, do we need proxy ARP on the inside interface or not?
We checked with "show run all | inc sysopt"; here is the output:
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
We disabled proxy ARP on the inside interface with "sysopt noproxyarp inside" and did a clear on both the ASA and the switch. We have the MAC address of the ASA inside interface for multiple IP addresses.
The ASA runs IOS ver 8.3; it's the first time we have used this version.
Could you give more advice?
02-02-2011 12:48 AM
Sorry for my last post.
There was a mistake.
It's working fine after disabling proxy ARP on interface inside with "sysopt noproxyarp inside".
Thanks Jennifer, your answer is always extremely helpful.
Thanks a lot.
02-02-2011 02:58 AM
Great to hear, and thanks for the rating.
04-26-2011 05:21 PM
I don't understand your statement: "... if you are not NATing anything to the inside subnet, you can disable proxy arp on the ASA inside interface so the ASA is not ARPing on behalf of host itself."
What do you mean "so that the ASA is not ARPing for the host itself"? What host are you referring to? The ASA itself? If there are no static NATs defined on the inside interface, then the ASA will not perform proxy ARP from the inside interface to the inside network, unless there is an explicitly defined static ARP entry in the configuration file.
I'm still trying to understand why someone would want to disable proxy ARP on an interface. My understanding is that the ASA will only perform a proxy ARP on an interface under 2 conditions: (1) There is a static NAT assigned on that interface and it will proxy ARP on behalf of the static NAT global address, or (2) There is a static ARP entry for an address on the interface. The only reason I could see for disabling proxy ARP would be to hide a static NAT such that only adjacent routers with an explicit static route would know to direct packets destined for xxx.yyy.zzz.214 (static NAT addr) to xxx.yyy.zzz.217 (ASA interface address hosting the static NAT). I must be overlooking something.