02-19-2015 02:15 AM - edited 03-11-2019 10:31 PM
Morning
I've another subnet from my ISP and I need to get my ASA to respond to these new IPs.
Basically, I'm relying on the ASA doing proxy arp.
I've added in a few static NAT as below (assuming 10.16.11.184/29 is the new range I've been given and 192.168.20.0/24 is my DMZ).
static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255
I've not done much on the ASA devices. Is that all I have to do?
Presumably I would need to include the new IP subnet in any ACLs, etc?
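As an added example (not part of this thread or of any Cisco tool), here is a small Python checker for exactly the situation in the post: it parses pre-8.3 `static (real,mapped)` lines, confirms each mapped address sits inside the ISP-assigned /29 (and is not its network or broadcast address), confirms each real address is in the DMZ subnet, catches duplicates, and reports whether the ASA can answer ARP for a mapped address itself (same segment as its outside interface) or whether the ISP router must carry a route for the range with the ASA outside address as next hop. The fourth config line and the outside interface address 10.9.100.1/24 are constructed for the demonstration and are not from the thread.

```python
import ipaddress
import re

# Constructed sample input: the three static lines from the post plus one
# deliberately wrong line (mapped address outside the new /29) to show detection.
SAMPLE_CONFIG = """\
static (DMZ,outside) 10.16.11.186 192.168.20.247 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.187 192.168.20.248 netmask 255.255.255.255
static (DMZ,outside) 10.16.11.188 192.168.20.249 netmask 255.255.255.255
static (DMZ,outside) 10.16.12.5 192.168.20.250 netmask 255.255.255.255
"""

# Pre-8.3 ASA syntax: static (real_if,mapped_if) mapped_ip real_ip netmask mask
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    rf"(?P<mapped>{IPV4})\s+(?P<real>{IPV4})\s+netmask\s+(?P<mask>{IPV4})\s*$"
)


def parse_statics(config_text):
    """Extract every one-to-one 'static' NAT line into a dict of its fields."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def check_statics(entries, isp_range, dmz_range):
    """Return a list of (entry_index, problem) tuples; an empty list means clean."""
    isp = ipaddress.ip_network(isp_range)
    dmz = ipaddress.ip_network(dmz_range)
    problems = []
    seen_mapped, seen_real = {}, {}
    for i, e in enumerate(entries):
        mapped = ipaddress.ip_address(e["mapped"])
        real = ipaddress.ip_address(e["real"])
        if mapped not in isp:
            problems.append((i, f"mapped {mapped} is outside the ISP-assigned {isp}"))
        elif mapped in (isp.network_address, isp.broadcast_address):
            problems.append((i, f"mapped {mapped} is the network/broadcast address of {isp}"))
        if real not in dmz:
            problems.append((i, f"real {real} is not in the DMZ subnet {dmz}"))
        if e["mask"] != "255.255.255.255":
            problems.append((i, f"host static should use netmask 255.255.255.255, got {e['mask']}"))
        if mapped in seen_mapped:
            problems.append((i, f"mapped {mapped} already used on entry {seen_mapped[mapped]}"))
        if real in seen_real:
            problems.append((i, f"real {real} already used on entry {seen_real[real]}"))
        seen_mapped.setdefault(mapped, i)
        seen_real.setdefault(real, i)
    return problems


def reachability_mode(entries, outside_if_cidr):
    """Map each mapped address to 'proxy-arp' when it lies on the outside
    interface's own segment (the ASA can answer ARP for it), otherwise to
    'isp-route-required' (the ISP router needs a route for the range with the
    ASA outside address as next hop)."""
    outside_net = ipaddress.ip_interface(outside_if_cidr).network
    modes = {}
    for e in entries:
        mapped = ipaddress.ip_address(e["mapped"])
        modes[e["mapped"]] = "proxy-arp" if mapped in outside_net else "isp-route-required"
    return modes


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_CONFIG)
    for idx, msg in check_statics(statics, "10.16.11.184/29", "192.168.20.0/24"):
        print(f"entry {idx}: {msg}")
    # Hypothetical outside interface address, not from the thread.
    for ip, mode in reachability_mode(statics, "10.9.100.1/24").items():
        print(f"{ip}: {mode}")
```

The reachability check is the point Jon raises further down: proxy ARP only helps when the mapped addresses share the outside interface's segment; a separately routed block needs a route on the ISP side and a default route back from the ASA.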
02-19-2015 07:06 AM
If you are using a router as the DMZ host can you do a "debug ip packet" on that and then try to ping from the outside router and see if you see -
1) hits on the ASA acl
2) any packets arriving at the host (router)
Jon
02-19-2015 07:14 AM
No packets on router but looks like the ASA is doing what it should
SITE-A-ASA# ICMP echo request from outside:10.9.100.254 to DMZ:10.16.11.187 ID=19 seq=0 len=72
ICMP echo request untranslating outside:10.16.11.187 to DMZ:192.168.20.248
02-19-2015 07:16 AM
Can you post the configuration of the host router ?
How is the router connected to the ASA, i.e. is it via a switch or direct?
If it is via a switch check your vlans.
Jon
02-19-2015 07:20 AM
Host router literally has an IP on the interface and a static default route pointing to 192.168.20.254. It is directly connected.
No switches and no other config like ACLs or anything.
02-19-2015 07:21 AM
Can you ping the host from the ASA ?
Jon
02-19-2015 07:28 AM
OK well I'm putting this down to GNS3. Already spent too long on it.
Was supposed to be on holiday and ended up messing around with this. Just reloaded GNS3 after saving it all and it's lost the configs!
Thanks for your help Jon
02-19-2015 07:31 AM
Okay.
Just for your info, the ASA configuration looks fine now and it was doing what it was meant to be doing, as you say, so I would suspect the host router.
Jon
02-19-2015 07:10 AM
When you set up your router as a host did you -
1) disable ip routing
2) add this -
"ip default-gateway 192.168.20.254"
Jon
02-19-2015 03:18 AM
If you are testing in GNS3 make sure your ISP router has a route for that subnet with the next hop being the outside interface of your ASA.
And obviously make sure the ASA has a default route pointing back to the ISP router.
Jon