Firewall Routing

Jim Kerr
Level 1

Hi All

I'm using a Cisco ASA 5550 firewall.

I have an external subnet on the internet, e.g. 200.1.1.0/24, and have that subnet routed into our network. Please see the attached diagram.

200.1.1.2 is only used as the external facing management address of firewall A (that is all the subnet is currently used for) and I want to use the rest of the external subnet to access servers that sit behind Firewall B.

The example external subnet is on VLAN 2, and firewall B has an outside interface address of 200.1.1.3.

I want to be able to route traffic with a destination address of 200.1.1.4 & 200.1.1.5 to my internal servers.

I will have NAT in place to translate the external addresses to the internal addresses of the servers.

My query is mainly around how the traffic will know to go to my firewall?

So will traffic destined for 200.1.1.4 & 200.1.1.5 be directed to the external interface on my firewall by default? Will ARP just do the work, or will I have to add a specific route to the router, i.e. saying that to get to 200.1.1.4 and 200.1.1.5 go via the external interface on my firewall?

thanks

2 Replies

Philip D'Ath
VIP Alumni

You configure NAT so that 200.1.1.4 & 200.1.1.5 are translated to the inside IP addresses of your servers.

When the router wants to forward a packet to 200.1.1.4 or 200.1.1.5 it will send an ARP query and your firewall will respond, since it has a matching NAT entry configured.

Shivapramod M
Level 1

Hi Jim,

If the NAT IP and the interface IP are in the same subnet, then the firewall will do proxy ARP.

You can verify whether the interface allows proxy ARP or not by running "show run all sysopt".

You must have the command "no sysopt noproxyarp <interface name>"; then the interface will send proxy ARP.

If the NAT IP and the interface IP are in different subnets, then you can configure the command "arp permit-nonconnected".

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
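The two answers above describe the same mechanism from different angles: the static NAT creates the mapped addresses, and proxy ARP on the outside interface is what makes the ASA answer the router's ARP requests for them. The following ASA (8.3+ syntax) configuration fragment is an added example, not taken from either reply; it assumes inside server addresses 10.0.0.4 and 10.0.0.5, interfaces named "inside" and "outside", and HTTPS as the only published service.

```cisco
! Added example (not from the thread). Inside addresses 10.0.0.4 / 10.0.0.5,
! the interface names and the published port are assumptions.

! Object NAT: publish each internal server on an address in 200.1.1.0/24.
! Because 200.1.1.0/24 is directly connected on VLAN 2, the ASA will
! proxy-ARP for the mapped addresses; the router needs no extra static route.
object network SRV-A
 host 10.0.0.4
 nat (inside,outside) static 200.1.1.4

object network SRV-B
 host 10.0.0.5
 nat (inside,outside) static 200.1.1.5

! A NAT entry alone does not permit traffic. Since 8.3 the access list
! references the real (inside) address, so the objects above are reused.
object-group service SRV-PUBLISHED tcp
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object SRV-A object-group SRV-PUBLISHED
access-list OUTSIDE_IN extended permit tcp any object SRV-B object-group SRV-PUBLISHED
access-group OUTSIDE_IN in interface outside

! Verification (as described in the reply above):
!   show run all sysopt   -> expect "no sysopt noproxyarp outside"
!   show nat              -> both static translations should be listed
! On the upstream router, "show arp" should resolve 200.1.1.4 and 200.1.1.5
! to the MAC address of the ASA's outside interface.
```

Keeping the access list limited to the published ports matters here: every address in the external subnet that is mapped through the firewall becomes reachable from the Internet as soon as the ASA starts answering ARP for it, so the NAT and the inbound rule should be added together rather than opening the mapping first and restricting it later.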
