ASA NAT Proxy ARP (Cable ISP)

m.hoeschen
Level 1

Hello,

I have the following problem:

Our new provider (cable) has got a MAC address filter on its devices.

Furthermore: Every single official IP needs a different MAC to bypass this filter.

In my case:

I've got the official IPs (e.g.)

A = 109.2.1.3 / MAC 00d0.efef.1234 / Subnetmask 255.255.255.0

B = 109.2.1.4 / MAC aaaa.efef.1234 / Subnetmask 255.255.255.0

So both IPs are in the same subnet.

A is bound to my outside ASA interface.

B should be used as NAT IP for my mailserver which is located in my dmz.

Problem:

Every time I access IP B the ARP reply is sent from MAC A (normal ASA proxy ARP behavior) and therefore all packets have the source MAC A.

But in my case the cable provider drops these packets since they are sourced with the wrong MAC (remember: MAC A, not MAC B).

So I need a way to reply to ARP requests with MAC B if there are packets for IP B. Is there a way to configure this on an ASA?

I'm running the latest 4.2 release.

Thank you very much for your help.

Markus

5 Replies

varrao
Level 10

Hi Markus,

Proxy-arp is a default behavior of the firewall and in your case it might be an issue, so you need to disable proxy-arp on the outside interface of the ASA. You can do this by:

sysopt noproxyarp outside

and this should resolve your issue.

Moreover, you can also disable the proxy arp for a particular regular static NAT statement in Version 8.4.2; this feature was added only in this version. Have a look at this:

http://www.cisco.com/en/US/customer/docs/security/asa/asa84/release/notes/asarn84.html#wp535067

I'll follow up with more info.

Thanks,

Varun

Do rate helpful posts.

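Both forms of the suggestion above, written out as an added configuration example (not from the original post). It assumes ASA 8.4(2) or later, interface names "outside" and "dmz", and a hypothetical mail server at 192.168.10.25; the public IP 109.2.1.4 is the "B" address from the question. Note the caveat raised later in the thread: with proxy ARP off, nothing on the ASA answers ARP for B at all, so the upstream device then needs its own way (a static ARP entry or a route) to reach that address.

```cisco
! Added example, not from the original post.
! Assumes ASA 8.4(2)+, interfaces "outside"/"dmz", hypothetical server 192.168.10.25.

! Option 1: disable proxy ARP for the whole outside interface
! (works on older releases too). Affects every NAT rule on that interface.
sysopt noproxyarp outside

! Option 2 (8.4(2)+): disable proxy ARP only on the mail server's static rule,
! so other translations on the outside interface keep normal proxy ARP.
object network mail-server
 host 192.168.10.25
 nat (dmz,outside) static 109.2.1.4 no-proxy-arp

! Verify what is configured and what the ASA currently has in its ARP table
show running-config sysopt
show running-config nat
show arp
```

With either option the ASA still sends traffic sourced from B with the outside interface's own MAC (MAC A); neither command makes the ASA answer ARP for B with a second MAC address, which is the actual requirement in the question.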

Mohammad Alhyari
Cisco Employee

Hi Markus ,

I don't think disabling proxy ARP will solve your case. This is how the ASA behaves for any ARP request that is not for the ASA interface IP address; in your case the ISP has a filter: "for each IP address we have ONE MAC address".

They have to recheck this, since proxy-arp is needed by the ASA to answer all the requests to the published servers. If you disable proxy-arp then you will not get any response for the ARP request to that IP address.

cheers.

Enabling DNS doctoring will solve your issue.

I don't think that DNS doctoring or disabling proxy-arp will solve my problem.

From another point of view, my problem is that I need two different IP addresses (of the same subnet) on the same physical interface AND every IP needs its own MAC address....

I've also tried to use the static ARP configuration options, but the NAT process doesn't use the information stored there...

So, I need to do NAT to different IPs with different MACs on the same physical interface... I don't think the ASA (or another firewall) could handle this...

cheers.

Markus,

You are totally right. Disabling proxy ARP won't work. However, I don't see any way that we can configure this so that it can work. See, when somebody out there is looking for IP B (which is the one that is not assigned to the interface), the device in front of the ASA needs to fill up the layer 2 header with the MAC address of the next hop, in this case the ASA. So basically, you will have IP A and B with the same MAC address.

So far, I have not seen a way on the ASA nor on a Cisco router to advertise an IP with a different MAC address and still be able to process the packet correctly.

Maybe when they resolve this bug CSCsy85614 there will be a way to do it, but if they have not implemented that on the router, I don't think that would be something on the ASA.

Mike