ASA NAT, proxy ARP, and Identity NAT (ASA 9.8)

jer0nim0x
Level 1

Hey,

I don't get the following:

nat (outside,dmz) source static any any destination static 1.1.1.2 2.2.2.1 unidirectional no-proxy-arp

1) Why does the ASA respond using proxy ARP for the global address? (The ASA's own interface is 1.1.1.1/24.)
2) ASDM warns about enabling proxy ARP with this "Identity NAT"... Why is this considered an Identity NAT even though it translates the destination address?


There is no other rule of type "nat (outside, ...)" referencing 1.1.1.2 or "any" as its destination.

There also is no rule of type "nat (..., outside)" referencing 1.1.1.2 or "any" as its source, except for an actual identity NAT which is configured with no-proxy-arp also.

Oh... and... what does the following from the Configuration Guide mean: "the proxy ARP decision is made only on the 'source' address"? For an incoming connection from the Internet, what is the importance of the "source" address?

2 Replies

Sheraz.Salim
VIP Alumni

Within 8.4(2) and 8.6(1) the following NAT changes were introduced. This basically states that proxy ARP is enabled by default on both static and identity-based NAT statements.

Reference : http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/intro_intro.html

This rule is actually an Identity NAT/Twice NAT, and you can also call this a policy NAT.

nat (outside,dmz) source static any any destination static 1.1.1.2 2.2.2.1 unidirectional no-proxy-arp

If the flow is from inside to outside, this is known as SOURCE IP TRANSLATION.
If the flow is from outside to inside, this is known as DESTINATION IP TRANSLATION.

Just to give you an example, the NAT order is based on real and mapped, etc.: nat (inside,outside) source static real mapped destination mapped real

nat (outside,dmz) source static any any destination static 1.1.1.2 2.2.2.1 unidirectional no-proxy-arp
                                 real mapped                     mapped real

This rule could be used as nat (outside,dmz) source dynamic any any....

Remember that static NAT is bidirectional by default, whereas dynamic NAT is unidirectional. In your above rule it is a static NAT, but it is being forced to act as unidirectional by putting in this command. What your NAT rule is saying: any public IP address coming from the outside interface keeps its real IP as it is, and, on the condition that it is going to the DMZ, uses 1.1.1.2 (as you mentioned, this is the ASA outside interface address) if the destination address is 2.2.2.1 (this IP address is the DMZ server's network card).

please do not forget to rate.
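The real/mapped ordering described in the reply above, as an added example that is not part of the original thread or of any Cisco code: a small Python model of one twice NAT rule that shows why the `source static any any` clause is an identity translation, what `unidirectional` removes, and how the quoted "decision is made only on the source address" sentence reads when applied to this rule. The rule, interface names and the outside host address 203.0.113.5 are constructed inputs; the model supports only "any" or single-host objects and is a reading of the thread, not the ASA's actual matching algorithm.

```python
"""Simplified model of ASA twice NAT rule evaluation (constructed example, not ASA code).

Applies the ordering quoted in the reply, i.e.
    nat (real_if,mapped_if) source static <real> <mapped> destination static <mapped> <real>
to a single rule. Objects are either "any" or one host address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TwiceNatRule:
    real_if: str           # first interface in "nat (real_if,mapped_if)"
    mapped_if: str
    src_real: str          # "source static <real> <mapped>"
    src_mapped: str
    dst_mapped: str        # "destination static <mapped> <real>"
    dst_real: str
    unidirectional: bool = False
    no_proxy_arp: bool = False


def _matches(obj: str, addr: str) -> bool:
    return obj == "any" or obj == addr


def _xlate(from_obj: str, to_obj: str, addr: str) -> str:
    # Identical objects ("any any" or host X host X) pass the address through unchanged.
    return addr if (from_obj == to_obj or to_obj == "any") else to_obj


def is_identity_source(rule: TwiceNatRule) -> bool:
    """True when the source clause translates nothing, which is what ASDM calls identity."""
    return rule.src_real == rule.src_mapped


def translate(rule: TwiceNatRule, ingress_if: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return (translated_src, translated_dst) for a new connection, or None if the rule does not apply."""
    if ingress_if == rule.real_if:
        # Forward direction: source real -> mapped, destination mapped -> real.
        if _matches(rule.src_real, src) and _matches(rule.dst_mapped, dst):
            return (_xlate(rule.src_real, rule.src_mapped, src),
                    _xlate(rule.dst_mapped, rule.dst_real, dst))
        return None
    if ingress_if == rule.mapped_if and not rule.unidirectional:
        # Reverse direction exists only for bidirectional static rules: the host
        # behind dst_real initiates and is seen on the real side as dst_mapped.
        if _matches(rule.dst_real, src) and _matches(rule.src_mapped, dst):
            return (_xlate(rule.dst_real, rule.dst_mapped, src),
                    _xlate(rule.src_mapped, rule.src_real, dst))
    return None


def proxy_arp_addresses(rule: TwiceNatRule) -> List[str]:
    """Mapped source addresses this model would answer ARP for, reading the quoted
    guide sentence literally: nothing with no-proxy-arp, and nothing for "any"
    because there is no specific address to answer for."""
    if rule.no_proxy_arp or rule.src_mapped == "any":
        return []
    return [rule.src_mapped]


# The rule from the thread:
#   nat (outside,dmz) source static any any destination static 1.1.1.2 2.2.2.1 unidirectional no-proxy-arp
THREAD_RULE = TwiceNatRule("outside", "dmz", "any", "any", "1.1.1.2", "2.2.2.1",
                           unidirectional=True, no_proxy_arp=True)

if __name__ == "__main__":
    # Constructed outside host 203.0.113.5 connecting to the mapped address 1.1.1.2.
    print(is_identity_source(THREAD_RULE))
    print(translate(THREAD_RULE, "outside", "203.0.113.5", "1.1.1.2"))
    # DMZ host initiating outbound: no match, because the rule is unidirectional.
    print(translate(THREAD_RULE, "dmz", "2.2.2.1", "203.0.113.5"))
    # Same rule without 'unidirectional': the reverse direction now translates.
    bidir = TwiceNatRule("outside", "dmz", "any", "any", "1.1.1.2", "2.2.2.1")
    print(translate(bidir, "dmz", "2.2.2.1", "203.0.113.5"))
```

Running it shows the source clause as identity, the outside-to-DMZ connection with only its destination rewritten to 2.2.2.1, no match for a DMZ-initiated connection under `unidirectional`, and the reverse translation (2.2.2.1 appearing as 1.1.1.2) once that keyword is dropped.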

Hmm, so the definition of "identity NAT" is any NAT where one of the addresses (source and/or destination) is not translated?

But why do you call my example a "twice NAT"? Only either source or destination is translated (depending on which direction you are looking at), not both.

And why does it do proxy ARP if I explicitly configure no-proxy-arp? The docs state that by default it's enabled unless I disable it, which seems to be the case here.

Thanks.