ASA5505: ARP issues with default route not on same subnet

lap
Level 2

Hi all,

I have some issues with my ASA5505. The ASA is connected to an ADSL modem DLINK dsl-320B. The modem is configured as Half-bridge which means that the modem handle the PPPoA connection and pass the public IP from the ISP to the ASA. The ASA gets the public IP on outside interface with a default gateway of the modem IP (private IP). Consequently the default gateway is not on the same subnet as the public IP.

Here is the drawing of the setup:

[attached drawing: ASA-MODEM-Setup-Marselis.jpg]

I also attach the config of the ASA and a log file when I try to ping from the PC 10.3.100.2 to 8.8.8.8.

As you will see in the log file, it looks like the ASA is NATting fine but all the incoming and outgoing connections are torn down. I cannot ping anything on the Internet from the PC, nor from the ASA. Furthermore, if I try to SSH to the ASA public IP 90.87.110.245 from 80.20.34.56.2 I have no connection at all.

Could the problem be that the default gateway (IP of the modem) is not on the same subnet as the public IP? However, if I connect a PC directly to the modem it works: I get the public IP from the ISP with a default route to the modem IP 10.10.10.254.

I have added an explicit permit ip any any ACL on INSIDE and OUTSIDE to troubleshoot.

Hope you can help.

Best regards,

Laurent

14 Replies

cadet alain
VIP Alumni

Hi,

the default-gateway should be on the same subnet as the interface.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Usually that is the case, but as I said, if I connect my PC directly it is working, although the default gateway is not on the same subnet as the interface. There may be a way to make it work with the ASA.

ipconfig from PC connected to modem:

IPv4 Address. . . . . . . . . . . :90.87.110.245

Subnet Mask . . . . . . . . . . . : 255.255.255.252

Default Gateway . . . . . . . . . : 10.10.10.254

It is working perfectly. So I don't think it is the issue you said.

Anyone else have an idea?

/Laurent

Hi,

could you sniff your PC NIC traffic while going to the Internet to see how it can reach the Internet with a default gateway not on the same subnet.

Post also the route print output from the PC.

Alain.


Hi,

I have attached the log of the firewall in my first post; it should be enough. Moreover, I have attached a complete drawing and the config of the ASA. So have a look if you want!

The issue is not on the PC, as the PC is sending Internet traffic to the ASA 10.3.100.1.

Regards,

Laurent

Hi,

OK, so I will let others help you then.

Have a good day though.

Alain.


Hi,

I have just tested this exact setup with a Cisco 877 and it is working perfectly. So I may be missing something on the ASA.

Regards,

Laurent

Hi,

I didn't notice anything wrong in the ASA config, and the log is talking about session teardown, which may be normal for ICMP or UDP.

That's why I wanted a packet capture on the PC directly connected to the modem, to see how communication with the Internet was possible with the default gateway not on the same subnet. Maybe then we can capture on the ASA and see what is happening and how to solve it.

Alain.


Hi,

I attach a Wireshark capture of ARP when the PC is connected directly to the modem and everything works fine.

Ipconfig from PC:

IPv4 Address. . . . . . . . . . . :90.87.110.245

Subnet Mask . . . . . . . . . . . : 255.255.255.252

Default Gateway . . . . . . . . . : 10.10.10.254

It looks like the ASA doesn't like it when a default gateway is not on the same subnet; something weird with ARP may happen. It looks like when I try to ping from the ASA, let's say 8.8.8.8, packets never come back.

/Laurent

Hi,

OK, so the PC is ARPing for the default gateway and the router is ARPing for the PC, and both get replies.

Now what does the ARP table on the ASA tell? Is it ARPing for the default gateway, and does it get a reply?

Maybe you should do a capture on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Alain.


What a GREAT feeling! I have found what the problem is after hours of debugging, and I have learned something about the ASA.

The issue was that the ASA doesn't seem to accept ARP requests or responses from non-adjacent hosts, that is to say, hosts which are not on the same broadcast domain as the ASA (in this case the outside IP). Here is the message that the ASA is logging:

arp-in: Dropping response at outside from unsolicited non-adjacent 10.10.10.254 1c7e.e55b.7ced for 90.87.110.245 0023.5e38.9136

Although the ASA is sending ARP requests fine, it doesn't accept the response. I don't know if it's possible to do some ARP inspection?

What I did to solve the problem is to add a static ARP entry on the modem for the ASA outside IP 90.87.100.245, and I did the same on the ASA for the modem IP 10.10.10.254.

Everything is working great! So what I have learned is that a Windows PC or a Cisco router will accept ARP requests or responses from non-adjacent hosts, while an ASA will not. I guess that is why an ASA is more secure than a router ;-)

Please rate this post if you find it useful!

/Regards

Laurent

Hi,

great you found the answer and solution.

Regards.

Alain.


Hi,

One weird thing I cannot explain is why, when I add the following static ARP entry on the ASA: arp outside 10.10.10.254 1c7e.e55b.7ced alias ; the ASA then responds with its own MAC 0023.5e38.9136 to ARP requests from hosts trying to resolve the IP 10.10.10.254. Anyone have a guess why? Quite weird I think. I have also tried to disable proxy ARP on the ASA but with no effect.

Best regards,

Laurent

Well, actually I found out how to remove the proxy ARP on the static ARP entry. I just remove the alias keyword at the end of the statement:

arp outside 10.10.10.254 1c7e.e55b.7ced

Regards,

Laurent
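Added example (not part of the thread, and not Cisco or D-Link code): a small Python helper that puts Laurent's finding and his later note about the alias keyword into checkable form. It parses the "arp-in: Dropping response ... non-adjacent" message the ASA logs, applies the same adjacency test the ASA applies (is the ARP reply's sender inside the outside interface's own subnet?), and emits the static ARP line for the ASA side, with alias only when proxy ARP for that address is actually wanted. The sample log line is constructed from the addresses and MACs Laurent posted; the /30 mask is taken from his ipconfig output and must be supplied by the caller, since the log line does not carry it. The colon-separated MAC for the modem-side entry is an assumption about what a non-Cisco device's static ARP form expects; the DSL-320B UI is not described in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample line, in the shape of the message quoted in the thread.
SAMPLE_DROP_LOG = (
    "arp-in: Dropping response at outside from unsolicited non-adjacent "
    "10.10.10.254 1c7e.e55b.7ced for 90.87.110.245 0023.5e38.9136"
)

# Assumption: the message always reads "<sender ip> <sender mac> for <target ip> <target mac>".
_DROP_RE = re.compile(
    r"arp-in: Dropping response at (?P<iface>\S+) from unsolicited non-adjacent "
    r"(?P<sender_ip>[\d.]+) (?P<sender_mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"for (?P<target_ip>[\d.]+) (?P<target_mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


@dataclass(frozen=True)
class ArpDrop:
    iface: str        # ASA interface the reply arrived on
    sender_ip: str    # who answered: the modem / default gateway
    sender_mac: str   # its MAC in Cisco dotted form
    target_ip: str    # who asked: the ASA's own address on that interface
    target_mac: str


def parse_arp_drop(line: str) -> Optional[ArpDrop]:
    """Parse one 'arp-in: Dropping response ... non-adjacent' line; None if it is not one."""
    m = _DROP_RE.search(line)
    return ArpDrop(**m.groupdict()) if m else None


def is_adjacent(iface_ip: str, prefixlen: int, other_ip: str) -> bool:
    """True if other_ip lies inside the interface's own subnet.

    This is the check the ASA applies before trusting an ARP reply; per the
    thread, a Windows PC or an IOS router does not apply it.
    """
    net = ipaddress.ip_interface(f"{iface_ip}/{prefixlen}").network
    return ipaddress.ip_address(other_ip) in net


def cisco_mac_to_colon(mac: str) -> str:
    """'1c7e.e55b.7ced' -> '1c:7e:e5:5b:7c:ed' (assumed form for the modem-side entry)."""
    hexdigits = mac.replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a Cisco dotted MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def static_arp_command(iface: str, ip: str, mac: str, proxy_arp: bool = False) -> str:
    """ASA 'arp <interface> <ip> <mac> [alias]' line.

    'alias' makes the ASA answer ARP for that address with its own MAC (what
    Laurent observed); leave it off for a plain gateway entry.
    """
    cmd = f"arp {iface} {ip} {mac}"
    return cmd + " alias" if proxy_arp else cmd


def diagnose(line: str, prefixlen: int) -> Optional[dict]:
    """Turn one drop message plus the interface mask into a diagnosis and the two fixes."""
    drop = parse_arp_drop(line)
    if drop is None:
        return None
    adjacent = is_adjacent(drop.target_ip, prefixlen, drop.sender_ip)
    return {
        "interface": drop.iface,
        "gateway": drop.sender_ip,
        "gateway_adjacent": adjacent,
        # ASA side: static entry for the gateway, no proxy ARP.
        "asa_command": static_arp_command(drop.iface, drop.sender_ip, drop.sender_mac),
        # Modem side: the ASA's outside IP and MAC, in colon form (assumed).
        "modem_side_entry": (drop.target_ip, cisco_mac_to_colon(drop.target_mac)),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_DROP_LOG, 30).items():
        print(f"{key}: {value}")
```

Run it with the message from your own ASA log and the mask on your outside interface; gateway_adjacent comes out False for the half-bridge layout in this thread, which is exactly the condition that makes the ASA discard the reply, and asa_command is the entry without alias that Laurent settled on.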

Hi,

I'm struggling with this issue at the moment but cannot get a solution working properly. Can anyone please help?

I have the same D-Link DSL-320B modem and an ASA 5505, and I too get the message below:

arp-in: Dropping response at outside from unsolicited non-adjacent 192.168.1.1 bcf6.85e7.2afa for 84.92.152.190 001d.70a5.f374 

192.168.1.1 is the default gateway in place of Laurent's 10.10.10.254 address, and the ASA outside interface clearly gets the public IP address, but my problem is this: I do not seem to have an option to manually add a static ARP entry on my modem. When I have my PC connected, the ARP entry for DHCP clients shows up as the public IP assigned to the interface on my PC, so I assume this is the same when connected to the outside interface of the ASA. One strange thing happens though: as I add this static ARP entry to the ASA, arp outside 192.168.1.1 bcf6.85e7.2afa, I can get the Internet through the ASA for a very brief moment. I've attached the ARP debug from the ASA for anyone to see, as I cannot see how this works at all, even very briefly. Can anyone else? (This happens at some point around line 230 and line 275, I think.)

P.S. Notice that when I do make the change, the ASA reports the outside interface as having a MAC address of 0000.0000.0000.

Kind Regards,

Gav
