NAT with disabled interface question

tahscolony
Level 1

Had an interesting thing happen. I am programming a new ASA that is connected to the network to replace the existing ASA. I created a NAT rule for an existing server that points to an interface that is disabled and has no IP on it. By all means that rule should have remained inactive, but the ASA started ARPing the MAC for that translation, and of course caused issues.

Does the ASA create the translation regardless of whether or not there are actual connections attempting to connect to it, and doesn't it need both sides of the rule enabled to do so? We don't even have routes pointing to the new ASA IP other than for the VPN pool attached to it; all default traffic points to the other ASA.

EDIT: Forgot to mention, the rule was on the new ASA for about 2 weeks without incident; the issue occurred when I added another rule and moved it up to the top of the list.

3 Replies

Oliver Kaiser
Level 7

Sounds like a proxy ARP issue. If the interface is up, it will respond to ARP queries according to your NAT configuration (even without an IP address assigned to the interface). Did you move your NAT rule above some generic NAT rule with proxy ARP disabled? That would explain why it only occurred after moving the rule to the top.

I have this gut feeling it is proxy ARP related. I have run into ARP issues many times before, but not with this particular type of setup. I do have a few rules with proxy ARP disabled, and the rule I moved up did not; but the rule that kicked in only changed line position, so maybe moving that other rule up above a no-proxy-ARP rule caused it to ARP?

Yeah, that's probably what happened; I have had the exact same issue before. You might want to test it in the lab to verify, but I am certain it is related to moving the rule above the non-proxy-ARPing rule.
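An added configuration example to illustrate the behaviour discussed in this thread; it is not configuration from the original posters. The object names, addresses and interface names are hypothetical. It shows a manual (twice) NAT rule in its default form, which makes the ASA answer ARP for the mapped address whether or not any connection exists, the same rule with the `no-proxy-arp` keyword, the `line` argument that controls where the rule sits in the top-down section 1 order, and the show commands used to confirm which rule is matching.

```cisco
! Constructed example, not from the thread. Names and addresses are hypothetical.
!
! Default form: while this rule is present, the ASA answers ARP requests for
! 203.0.113.10 on 'outside' regardless of whether any connection is being built.
object network SRV-REAL
 host 10.1.1.10
object network SRV-MAPPED
 host 203.0.113.10
nat (inside,outside) source static SRV-REAL SRV-MAPPED
!
! Same translation with proxy ARP disabled for the mapped address. The NAT
! still applies, but the ASA stays silent for ARP on 203.0.113.10. Use this on
! a replacement unit that shares a segment with the production ASA.
nat (inside,outside) source static SRV-REAL SRV-MAPPED no-proxy-arp
!
! Manual NAT (section 1) is matched top-down. The optional line number after the
! interface pair sets the position; '1' places the rule above every other manual
! NAT rule. Reordering therefore changes which rule, and which proxy-ARP
! setting, wins for a given address.
nat (inside,outside) 1 source static SRV-REAL SRV-MAPPED no-proxy-arp
!
! Interface-wide alternative: stop proxy ARP for all mapped addresses on 'outside'.
sysopt noproxyarp outside
!
! Verification (privileged EXEC). 'show nat detail' lists rules in match order
! with translate/untranslate hit counters; 'show arp' shows the ASA's ARP table.
show nat detail
show arp
! 'debug arp' prints ARP requests and replies and is noisy on a busy segment.
debug arp
```

Two caveats a practitioner should keep in mind. First, with `no-proxy-arp` (or `sysopt noproxyarp`) the upstream router must have a route for the mapped address pointing at this ASA, otherwise it has no way to reach 203.0.113.10 once nobody answers ARP for it. Second, object (auto) NAT lives in section 2 and is evaluated after all section 1 rules unless a manual rule is placed with `after-auto`, so check `show nat detail` rather than assuming the order from the running configuration.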
