Issues with ARP on 5506

mumbles202
Level 5

Working on a network where the 5506's outside interface is within a /26 (the ASA is A.B.C.32 with a default gateway of A.B.C.1, which is the IP of a router internally). The /26 is broken down in a way that the users of the ASA (org 1) are allowed to use .32-.60, with another party (org 2) using the lower range for their firewall. The LAN segments behind the ASA and those of the other party do tie into a common backbone to connect closets, but the interfaces facing each respective organization should be isolated.

The other day I made some configuration changes to use Eth1/5, which was previously shut down, connected it to an access port on the switch, then NATed a newly created subnet (with the IP assigned to Eth1/5 as its gateway) to A.B.C.36. While everything appeared to be working normally, the administrator of the larger /26 network advised that the ASA was creating ARP entries for the entire /26 block using the MAC address of Eth1/5 (even after the cable was physically disconnected). I had added sysopt noproxyarp newsegment to the ASA configuration at the time of the changes, but upon reviewing the pre-existing configuration and noting that the command wasn't in place for any of the other interfaces, I removed it.

The only way I was able to remedy the situation was to revert all the configuration changes I had made. I'd like to put the changes back into production but want to make sure I don't have the issue again.

1 Reply

Ajay Saini
Level 7

Hello,

I think you need to add more info, including some rough diagram, for someone to analyze what happened. For sure, the issue that happened was related to the proxy ARP behavior of the ASA, and that could be due to a misconfigured NAT statement.

So, org A and org B have the same subnet, which is the /26, correct?

And for the new interface that you created, 1/5, was that on the internal segment or the external side? It's not clear how the NAT was created and what the internal subnet was. I am assuming that 1/5 was an internal subnet where a host was added and a NAT was created for that host. So, in that case, how did the ARP of an internal interface travel to the outside interface unless there is some integration, like the same switch, etc.?

Please provide the config, hiding the confidential info, and also the NAT which created the issue.

 

HTH
AJ
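As an added illustration (not configuration from the original post or the reply above), the fragment below shows one way a NAT rule can make an ASA answer ARP for an entire block on the mapped interface, and two ways to confine it. The interface names `newsegment` and `outside` and the A.B.C.x addresses follow the question; the object names and the 10.20.30.0/24 inside subnet are assumptions. Only one of the NAT forms shown would be present in a real configuration at a time.

```cisco
! Added example, not the poster's configuration. Interface names
! "newsegment" and "outside" and the A.B.C.x addresses come from the
! question; object names and 10.20.30.0/24 are assumed.

! --- How a NAT rule can make the ASA answer ARP for a whole block ---
! The ASA proxy-ARPs on the mapped interface for every address a NAT rule
! maps to. If the mapped object is the /26 itself (a hypothetical slip),
! the ASA answers ARP for all of it, including org 2's lower range.
object network ORG1_OUTSIDE_BLOCK
 subnet A.B.C.0 255.255.255.192
object network NEWSEG_LAN
 subnet 10.20.30.0 255.255.255.0
 nat (newsegment,outside) dynamic ORG1_OUTSIDE_BLOCK

! --- Confined version: map only the one address org 1 owns ---
object network NEWSEG_LAN
 subnet 10.20.30.0 255.255.255.0
 nat (newsegment,outside) dynamic A.B.C.36
! With this rule the ASA only needs to answer ARP for A.B.C.36 on outside,
! in addition to its own interface address A.B.C.32.

! --- Alternative: PAT to the interface address, which needs no proxy ARP ---
! object network NEWSEG_LAN
!  nat (newsegment,outside) dynamic interface

! --- Belt and braces: stop proxy ARP on the outside interface entirely ---
! Caveat: with this set, the upstream router at A.B.C.1 can no longer learn
! A.B.C.36 via ARP. It then needs a host route for A.B.C.36/32 pointing at
! A.B.C.32, otherwise traffic to the mapped address is dropped upstream.
sysopt noproxyarp outside

! --- Checks to run before and after the change ---
show running-config object
show running-config nat
show nat detail
show running-config sysopt
show arp
```

The practical rule is that every mapped address in any NAT rule on the outside interface must fall inside the .32-.60 slice org 1 owns; `show running-config nat` and `show nat detail` list exactly which addresses the ASA will claim. The ASA's own `show arp` shows what it has learned, not what it answers, so the symptom is seen in the upstream router's ARP table, which is why the /26 administrator noticed it first. If `sysopt noproxyarp outside` is used, add the host route on the upstream router in the same change window, or PAT to the interface address instead.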
