Disabling Proxy ARP

We just recently upgraded a 5540 ASA running 8.2 to a 5555 running 8.6. I have a question concerning disabling proxy ARP with static NAT rules in place. We have several instances where devices in a DMZ have a static NAT entry to the outside and a static NAT entry to the inside using the same IP. My question is: if we disable proxy ARP on the inside interface, would that cause devices on the inside not to be able to reach the device in the DMZ? From what I have seen you don't want to disable it on the outside interface due to all the static NAT translations. But we have some that have NAT translations going to the inside as well. How does proxy ARP come into play there? Below is a diagram of an example of the setup I am referring to. This is on the new 5555 running 8.6:

[Diagram: ASA NAT Example.gif]

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

So it seems you are doing Static NAT to the same public IP address towards "outside" and "inside" on the ASA firewall.

Since the NAT done towards "inside" IS NOT using the address range directly connected to the "inside" interface, you don't need Proxy ARP. This is because ARP will only be used when a device on the "inside" is trying to connect to a device that is part of the same network.

As long as the destination IP address is not from some network belonging to the device that has received the packet, the device in question will continue to forward the packet according to its routing table (whether we are talking about a PC/Router/Firewall). As soon as the packet reaches a device that has the destination IP address as a connected network, the device will ARP for the corresponding MAC address of the destination IP address.

Since the destination IP address is from another network than the "inside" user the host will simply direct traffic towards its default gateway. This can either be a router before the ASA OR the ASA itself.

So as long as you are NATing to a different subnet/network/address-range compared to the one configured on the "inside" interface, then you should not need the Proxy ARP.

Hope I made sense and hope it helps.

Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.

Ask more if needed.

- Jouni
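The forwarding rule the reply relies on (a host ARPs only for destinations in its own connected subnet and sends everything else to its default gateway) can be modelled to check, per static NAT rule, whether a mapped address depends on proxy ARP on a given ASA interface. The following is an added Python example, not ASA configuration and not code from the thread; the interface addresses, the DMZ server's real IP 172.16.1.10 and the mapped addresses are constructed to resemble the poster's diagram, and the names `Host`, `next_hop`, `proxy_arp_needed` and `audit` are this example's own.

```python
"""Model of the forwarding decision described in the reply: a host ARPs for a
destination only when it is in the host's own connected subnet; otherwise it
forwards to its default gateway.  From that we derive whether a static NAT
mapped address on an ASA interface relies on proxy ARP.  Constructed example,
not ASA code and not the poster's configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass(frozen=True)
class Host:
    name: str
    iface: str     # address/prefix, e.g. "10.1.1.50/24" (constructed)
    gateway: str   # default gateway IP


def next_hop(host: Host, dst: str) -> tuple[str, str]:
    """Return ("arp", dst) when the host resolves dst directly on its LAN,
    or ("gateway", gw) when it hands the packet to its default gateway."""
    if ip_address(dst) in ip_interface(host.iface).network:
        return ("arp", dst)
    return ("gateway", host.gateway)


def proxy_arp_needed(asa_iface: str, mapped_ip: str) -> bool:
    """True when the NAT mapped address lies inside the subnet connected to the
    ASA interface: hosts on that segment will ARP for it, and only proxy ARP on
    that interface lets the ASA answer on the mapped address's behalf.
    False when the mapped address is off-subnet: traffic reaches the ASA through
    routing, so proxy ARP on that interface plays no part."""
    return ip_address(mapped_ip) in ip_interface(asa_iface).network


def audit(asa_iface: str, mappings: dict[str, str]) -> dict[str, bool]:
    """For each static NAT rule (real IP -> mapped IP) on one interface, report
    whether that rule would break if proxy ARP were disabled on the interface."""
    return {f"{real}->{mapped}": proxy_arp_needed(asa_iface, mapped)
            for real, mapped in mappings.items()}


if __name__ == "__main__":
    # Constructed topology in the spirit of the thread's diagram:
    #   inside  interface 10.1.1.1/24, outside interface 203.0.113.1/24
    #   DMZ server 172.16.1.10 is statically NATed to 203.0.113.10 toward
    #   both outside and inside; a second rule maps a server into 10.1.1.0/24.
    inside_if, outside_if = "10.1.1.1/24", "203.0.113.1/24"
    pc = Host("inside-pc", "10.1.1.50/24", "10.1.1.1")

    print(next_hop(pc, "203.0.113.10"))   # off-subnet: goes to the gateway
    print(next_hop(pc, "10.1.1.200"))     # on-subnet: the PC ARPs for it

    rules = {"172.16.1.10": "203.0.113.10", "172.16.1.20": "10.1.1.200"}
    print("inside :", audit(inside_if, rules))    # only the 10.1.1.200 rule needs proxy ARP
    print("outside:", audit(outside_if, {"172.16.1.10": "203.0.113.10"}))  # needs proxy ARP
```

Run against the inside interface, the mapping to 203.0.113.10 reports `False`, which is the reply's point: the inside PC never ARPs for that address, so disabling proxy ARP on "inside" does not affect it. The same mapping audited against the outside interface reports `True`, matching the poster's observation that proxy ARP should stay enabled there.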


