07-12-2010 01:10 AM - edited 03-11-2019 11:10 AM
Hello,
I use a cisco ASA firewall in a L3 configuration.
Result of the command: "show running-config sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
The problem is that the ASA is answering all arp requests on the inside lan!
Is this a default setting for the ASA to answer all arp requests?
Do I have to disable this and how?
Thank you,
Laszlo
07-12-2010 02:07 AM
You are right. Proxy arp is enabled by default.
Here is how to disable proxy arp for the inside interface:
sysopt noproxyarp inside
Here is the command for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517975
Hope that helps.
07-12-2010 06:38 AM
Hello,
To add to halijenn's post, when you disable proxy arp on the inside (or any other) interface, make sure that you are not doing any NAT on that interface, i.e. static (DMZ,inside) for example. The moment you disable proxy arp, the firewall will stop proxy-arping for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATted IP of the DMZ server.
Hope this helps.
Regards,
NT
07-12-2010 07:14 AM
I only overload the inside lan.
If I disable proxy arp, is this going to work?
Thank you,
laszlo
07-12-2010 07:54 AM
Hello,
If you are using the inside interface IP for overloading, then it should not be a problem.
global (inside) 1 interface
If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then also you will not have any issues. But if you are using something like
global (inside) 1 10.1.1.100
and 10.1.1.100 is not the address of the inside interface, then if you turn off proxy-arp on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:
arp inside 10.1.1.100
This will ensure that the inside interface responds to arp queries when the destination address is 10.1.1.100.
Hope this helps.
Regards,
NT
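As an added check that is not part of the thread, the script below audits a running-config excerpt for the exact failure mode NT describes: an interface with sysopt noproxyarp that still hosts a NAT address other than the interface's own IP (a global pool or the mapped address of a static) and has no static arp entry covering it. The configuration is constructed for illustration, and the arp lines assume the full arp <interface> <ip> <mac> form.

```python
import re
from typing import List

# Constructed ASA 8.2-style excerpt (not taken from the thread): proxy ARP is
# disabled on both interfaces, but 'inside' still owns two NAT addresses.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif dmz
 ip address 172.16.0.1 255.255.255.0
global (inside) 1 10.1.1.100
global (dmz) 2 interface
static (dmz,inside) 10.1.1.50 172.16.0.50 netmask 255.255.255.255
sysopt noproxyarp inside
sysopt noproxyarp dmz
"""


def audit_noproxyarp(config: str) -> List[str]:
    """Warn for every NAT address the ASA must answer ARP for on an interface
    where proxy ARP is disabled and no static 'arp' entry stands in for it."""
    no_proxy = set(re.findall(r"^sysopt noproxyarp (\S+)", config, re.M))
    static_arp = set(re.findall(r"^arp (\S+) (\S+) \S+", config, re.M))

    needed = []  # (interface, address, originating command)
    # 'global (ifc) id interface' uses the interface IP and needs no entry.
    for iface, addr in re.findall(r"^global \((\S+)\) \d+ (\S+)", config, re.M):
        if addr != "interface":
            needed.append((iface, addr, f"global ({iface}) ... {addr}"))
    # static (real_ifc,mapped_ifc) mapped_ip real_ip: the mapped IP lives on mapped_ifc.
    static_re = r"^static \((\S+),(\S+)\) (?:(?:tcp|udp) )?(\S+) \S+"
    for real_if, mapped_if, mapped in re.findall(static_re, config, re.M):
        needed.append((mapped_if, mapped, f"static ({real_if},{mapped_if}) {mapped}"))

    warnings = []
    for iface, addr, cmd in needed:
        if iface in no_proxy and (iface, addr) not in static_arp:
            warnings.append(f"{iface}: proxy ARP disabled but {addr} ({cmd}) has no static arp entry")
    return warnings


if __name__ == "__main__":
    for line in audit_noproxyarp(SAMPLE_CONFIG):
        print(line)
```

Appending a line such as arp inside 10.1.1.100 <mac> to the sample clears the first warning, which is the workaround NT gives above.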