10-11-2013 11:33 AM - edited 03-11-2019 07:51 PM
Hi,
Just a clarification on Proxy ARP on ASAs.
Scenario:
Web Server 10.1.1.1 -- in ---- ASA ---- out ----- Internet
Let's say the WWW server has real IP 10.1.1.1 and static NAT 200.1.1.2
ASA's outside IP is 200.1.1.1
When traffic comes from the Internet to the NAT'ed IP of the Web Server (200.1.1.2), the ASA has to respond with its own MAC (Proxy ARP).
If disabling Proxy ARP on the outside interface, then traffic will never reach the Web Server from the Internet (unless there's a static ARP entry in the Gateway pointing to the ASA's outside interface).
Same thing happens with dynamic NAT.
Bottom line:
I am looking to understand this correctly.
Thank you very much,
Federico.
10-11-2013 03:01 PM
Hi,
No problem,
Let us know how the situation evolves. Would be interesting to know what is causing the problems, and whether this is caused by some intentional action rather than normal network behaviour (considering the environment).
- Jouni
10-11-2013 03:15 PM
Will do.
Thanks,
10-15-2013 09:21 AM
One more thing:
With this configuration:
global (LAN) 1 10.1.1.100
nat (DMZ) 1 192.168.10.0 255.255.255.0 outside
static (LAN,DMZ) 192.168.1.200 10.10.10.200
We said that the ASA requires Proxy ARP in both LAN & DMZ in order to be able to respond with its own MAC address to requests being sent to the NATed IP.
Question:
What about if the next L3 device on both interfaces has a static route pointing to the ASA?
For example:
ip route 192.168.1.200 255.255.255.255 ASA-DMZ-IP
ip route 10.1.1.100 255.255.255.255 ASA-LAN-IP
Shouldn't this take care that all packets WILL be sent to the ASA (thus removing the need for the ASA to do Proxy ARP)?
Federico.
10-15-2013 09:42 AM
Hi,
Well if we consider the example setup when the LAN network is 10.10.10.0/24 and the DMZ network is 192.168.10.0/24 and we are NATing DMZ IPs to the LAN network addresses and LAN network addresses to DMZ network addresses...
Then it still doesn't remove the fact that the connected L3 device will see this network as directly connected (as we are NATing to the connected network address space from behind the other interface of the ASA). And a directly connected network naturally overrides any static route for the same network, and therefore the device will ARP for the MAC address of the destination address.
Whether there is some way around this behaviour I am not sure
- Jouni
10-15-2013 10:38 AM
Jouni,
Correct me if I'm wrong, but if you have a more specific route it will indeed override the directly connected one.
Say you have directly connected 10.0.0.0/24
If you enter a static route to 10.0.0.5/32, then most specific route wins and therefore packets are going to be sent to the ASA which eliminates the need for Proxy ARP on that interface?
Federico.
10-15-2013 11:03 AM
Ah,
Seems both the ASA and the Cisco Router will allow you to input such route.
I tested this on my C1841 Router connected to the ASA LAN interface.
My link network between the Router and ASA is 10.0.10.0/24
I check the routing table for destination 10.0.10.100
LAN-ROUTER#sh ip route 10.0.10.100
Routing entry for 10.0.10.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via FastEthernet0/0
Route metric is 0, traffic share count is 1
I then add the route and check the above again
LAN-ROUTER(config)#ip route 10.0.10.100 255.255.255.255 10.0.10.2
LAN-ROUTER#sh ip route 10.0.10.100
Routing entry for 10.0.10.100/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.0.10.2
Route metric is 0, traffic share count is 1
I then configure a Static NAT for a WLAN device behind my ASA
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.10.2 255.255.255.0
interface Vlan20
description WLAN
nameif WLAN
security-level 100
ip address 10.0.255.1 255.255.255.0
object network WLAN-NAT
host 10.0.255.10
nat (WLAN,LAN) static 10.0.10.100
I then ping this from the router
LAN-ROUTER#ping 10.0.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/45/212 ms
So seems to work.
I was personally not aware that Static Route would override a connected route.
- Jouni
10-15-2013 11:15 AM
You've been a great deal of help Jouni!
Thank you very much again!
Federico.
10-15-2013 11:20 AM
Hi,
Did some searches on Google.
Here is another thread which used the same type of configuration.
https://supportforums.cisco.com/thread/141546
I didn't really know that this was possible. I am not sure where it has stuck with me, but I have always been under the impression that a connected route could not be overridden, at least by any such normal means as static routes.
I guess you learn something new every now and then. And that is one of the reasons I am here at CSC constantly.
- Jouni
10-15-2013 11:23 AM
Jouni,
The reason directly connected routes always win is because the AD = 0.
But the real decision is always made on the more specific route. "Most specific routing always wins."
So, if you have to decide between a directly connected route and anything else, the directly connected will always win (as long as they are the exact same route).
But if you have a more specific route (static route), then it's a completely different route and it's not even compared to the directly connected ;-)
Cheers,
Federico.
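As an added illustration (not part of the thread), this Python model of the forwarding decision shows why the explanation above holds: prefix length is compared before administrative distance, and the winning route decides which address the neighbour ARPs for, hence whether the ASA must proxy-ARP for the NAT address. The addresses are those from Jouni's test; Route, best_route and arp_target are names assumed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str               # "connected" or "static"
    distance: int             # administrative distance: connected 0, static 1
    next_hop: Optional[str]   # None for a directly connected network


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match first; administrative distance only breaks
    ties between candidate routes of the same prefix length."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def arp_target(table: List[Route], dst: str) -> Optional[str]:
    """Address the L3 device ARPs for when forwarding to dst: the destination
    itself on a connected route, otherwise the static route's next hop."""
    route = best_route(table, dst)
    if route is None:
        return None
    return dst if route.next_hop is None else route.next_hop


def needs_proxy_arp(table: List[Route], nat_ip: str) -> bool:
    """True when the neighbour would ARP for the NAT address directly,
    i.e. the ASA has to answer for it with its own MAC."""
    return arp_target(table, nat_ip) == nat_ip


# Constructed table modelled on LAN-ROUTER in the thread: link network
# 10.0.10.0/24 connected, ASA LAN interface 10.0.10.2, NAT address 10.0.10.100.
CONNECTED = Route(ipaddress.IPv4Network("10.0.10.0/24"), "connected", 0, None)
STATIC_HOST = Route(ipaddress.IPv4Network("10.0.10.100/32"), "static", 1, "10.0.10.2")
# Hypothetical static route with the same /24 prefix: here AD is the tiebreaker.
STATIC_SAME_LEN = Route(ipaddress.IPv4Network("10.0.10.0/24"), "static", 1, "10.0.10.254")

if __name__ == "__main__":
    for table in ([CONNECTED], [CONNECTED, STATIC_HOST]):
        r = best_route(table, "10.0.10.100")
        print(r.source, "-> ARP for", arp_target(table, "10.0.10.100"),
              "| proxy ARP needed:", needs_proxy_arp(table, "10.0.10.100"))
```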