Solved: Clarification on ASA - Page 2

Federico Coto Fajardo · ‎10-11-2013

Hi,

Just a clarification on Proxy ARP on ASAs.

Scenario:

Web Server 10.1.1.1 -- in ---- ASA ---- out ----- Internet

Let's say the WWW server has real IP 10.1.1.1 and static NAT 200.1.1.2

ASA's outside IP is 200.1.1.1

When traffic comes from the Internet to the NAT'ed IP of the Web Server (200.1.1.2), the ASA has to respond with it's own MAC (Proxy ARP).

If disabling Proxy ARP on the outside interface, then traffic will never reach the Web Server from the Internet (unless there's a static ARP entry in the Gateway pointing to the ASA's outside interface).

Same thing happens with dynamic NAT.

Bottom line:

Can't disable Proxy ARP on ASA if using NAT (to present itself as another IP to another interface), unless there's a static ARP entry on the Next Hop.
Can safely disable Proxy ARP on the inside interface (unless there's NAT to present the inside network as something else to another interface)?

I am looking to understand this correctly.

Thank you very much,

Federico.

Jouni Forss · ‎10-11-2013

Hi,

No problem,

Let us know how the situation evolves. Would be interesting to know what is causing the problems. If this is caused by something intentional action rather than normal network behaviour (considering the environment)

- Jouni

Federico Coto Fajardo · ‎10-11-2013

Will do.

Thanks,

Federico Coto Fajardo · ‎10-15-2013

One more thing:

With this configuration:

global (LAN) 1 10.1.1.100

nat (DMZ) 1 192.168.10.0 255.255.255.0 outside

static (LAN,DMZ) 192.168.1.200 10.10.10.200

We said that the ASA requires Proxy ARP in both LAN & DMZ in order to be able to respond with it's own MAC address to requests being send to the NATed IP.

Question:

What about if the next L3 device on both interfaces have a static route pointing to the ASA?

For example:

ip route 192.168.1.200 255.255.255.255 ASA-DMZ-IP

ip route 10.1.1.100 255.255.255.0 ASA-LAN-IP

Shouldn't this take care that all packets WILL be sent to the ASA (thus removing the need for the ASA to do Proxy ARP)?

Federico.

Jouni Forss · ‎10-15-2013

Hi,

Well if we consider the example setup when the LAN network is 10.10.10.0/24 and the DMZ network is 192.168.10.0/24 and we are NATing DMZ IPs to the LAN network addresses and LAN network addresses to DMZ network addresses...

Then it still doesnt remove the fact that the connected L3 device will see this network as directly connected (as we are NATing to the connected network address space from behind the other interface of the ASA). And directly connected network naturally overrides any static route for the same network and therefore the device will ARP for the MAC address of the destination address.

Whether there is some way around this behaviour I am not sure

- Jouni

Federico Coto Fajardo · ‎10-15-2013

Jouni,

Correct me if I'm wrong but if you have a more specific route it will indeed overide the directly connected.

Say you have directly connected 10.0.0.0/24

If you enter a static route to 10.0.0.5/32, then most specific route wins and therefore packets are going to be sent to the ASA which eliminates the need for Proxy ARP on that interface?

Federico.

Jouni Forss · ‎10-15-2013

Ah,

Seems both the ASA and the Cisco Router will allow you to input such route.

I tested this on my C1841 Router connected to the ASA LAN interface

My link network between the Router and ASA is 10.0.10.0/24

I check the routing table for destination 10.0.10.100

LAN-ROUTER#sh ip route 10.0.10.100

Routing entry for 10.0.10.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Routing Descriptor Blocks:

* directly connected, via FastEthernet0/0

Route metric is 0, traffic share count is 1

I then add route and check the above again

LAN-ROUTER(config)#ip route 10.0.10.100 255.255.255.255 10.0.10.2

LAN-ROUTER#sh ip route 10.0.10.100

Routing entry for 10.0.10.100/32

Known via "static", distance 1, metric 0

Routing Descriptor Blocks:

* 10.0.10.2

Route metric is 0, traffic share count is 1

I then configure a Static NAT for a WLAN device behind my ASA

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.255.0

interface Vlan20

description WLAN

nameif WLAN

security-level 100

ip address 10.0.255.1 255.255.255.0

object network WLAN-NAT

host 10.0.255.10

nat (WLAN,LAN) static 10.0.10.100

I then ping this from the router

LAN-ROUTER#ping 10.0.10.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.10.100, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/45/212 ms

So seems to work.

I was personally not aware that Static Route would override a connected route.

- Jouni

Federico Coto Fajardo · ‎10-15-2013

You've been a great deal of help Jouni!

Thank you very much again!

Federico.

Jouni Forss · ‎10-15-2013

Hi,

Did some searches on Google.

Here another thread which used the same type of configurations.

https://supportforums.cisco.com/thread/141546

I didnt really know that this was possible. I am not sure where it has stuck with me but I have always been under the impression that connected route could not be overriden. Atleast by any such normal means as static routes.

I guess you learn something new every now and then. And that is one of the reasons I am here at CSC constantly

- Jouni

Federico Coto Fajardo · ‎10-15-2013

Jouni,

The reason directed routes always wins is because the AD = 0

But the real decision is always made on more specific. "Most specific routing always wins"

So, if you have to decide between a directly connected route and anything else, the directly connected will always wins (as long as they are the exact same route).

But if you have a more specific route (static route), then it's a complete different route and it's not even compared to the directly connected ;-)

Cheers,

Federico.