NAT rules and "proxy arp" - Cisco ASA5555X

Hey

I'm migrating a large 8.2 configuration and there is a lot of cleanup and manual labor, since the converted configuration is a mess.

I somewhat think I understand "proxy ARP", but when testing, for example, a web server NATed from a DMZ or somewhere else out to the internet, it works with proxy ARP enabled and also unchecked. Sometimes I encounter problems and have to enable it.

If anyone has the time to explain this to me I would be grateful.

Thank you

Please rate as helpful, if that would be the case. Thanx
Accepted Solution

Jon Marshall

The ASA uses proxy ARP to respond to an ARP request for IPs it is using for NAT but that are not assigned to any interface.

So some examples should help -

1) You are connected to the ISP on the outside interface and you are using a /28 subnet for the connection. Two of those IPs are used for the ASA outside interface and the ISP end, so that leaves you with spare IPs in that subnet to use for NAT (usually static NATs).

When traffic arrives from the internet at the ISP router for one of those IPs, the router will send an ARP request because it has an interface with an IP from that subnet.

The ASA will respond with proxy ARP and send the MAC address of the outside interface, so traffic is sent to it.

2) You are connected to the ISP with a /30 and you also have a /28 for use with NAT, but no IPs from that range are assigned to any interfaces, either on the ASA or on the ISP router.

The ISP has a route on their router for the /28 pointing to your end of the /30.

Here there is no need for proxy ARP, because any traffic coming to those IPs will be routed to your ASA.

The above examples are the ones you see the most in my experience; however, there is a third example I have come across -

3) This is where you have a /30 and a /28 and the ISP uses secondary addressing on their router interface, i.e. the main IP is the /30 but they also allocate one of the /28 IPs to the interface as well.

Your ASA does not use one of the /28 IPs on the interface, but the ISP will ARP for any of the /28 IPs because it is a secondary IP on their interface.

For this to work you need to enable "permit arp non-connected" on your firewall.

Note a /28 was used purely as an example, it could be anything, depending on what your ISP has assigned you.

Any queries please come back.

Jon

Thanks for the assistance. Good answer.
