12-07-2013 07:58 AM - edited 03-11-2019 08:14 PM
I just set up my first ASA, a 5515-x with 9.1. It was a straightforward setup: inside, outside, dmz and guest. A few servers with static NATs to the outside; they are in the DMZ and on the inside LAN. Everything works.
I then went through a tutorial that recommended that Proxy ARP be disabled on all interfaces. This breaks the servers with the static NAT. So I re-enable Proxy ARP on the outside interface and it works again.
Should I leave it disabled on all the other interfaces?
Thanks...Jim
12-07-2013 08:05 AM
Hi,
Most of the time I disable Proxy ARP on all the interfaces except for the external interface connected to the Internet.
Naturally, if you were to configure NAT between some other interfaces which used an IP address from a connected network as the NAT IP address, then you would have to enable Proxy ARP on the interface towards which you are mapping/NATing the address.
The default setting on the ASA is to have Proxy ARP enabled on all interfaces.
In some cases you might even be able to disable Proxy ARP on all the interfaces, but that would require playing around with static routes so the connected routers would know to forward packets directly to the ASA (and would therefore NOT use an ARP request even if they had the "directly connected" route for the destination address also).
But I would imagine you could leave the external interface enabled with Proxy ARP and disable it on all others unless you happen to need to do some NAT that requires enabling it on some internal interface also (not that common in basic setups).
- Jouni
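The rule described in the answer above can be checked against a saved running-config. The following is an added example, not part of the original thread: it assumes ASA 8.3+ object NAT lines with a literal mapped IP and `sysopt noproxyarp <interface>` lines, and the sample config and the `audit` function name are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample (ASA 8.3+ object NAT syntax, documentation address ranges).
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.0.1.1 255.255.255.0
object network WEB
 host 10.0.1.10
 nat (dmz,outside) static 203.0.113.3
object network MAIL
 host 10.0.0.20
 nat (inside,outside) static 203.0.113.4
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

def audit(config):
    """Return interfaces where disabled Proxy ARP breaks a static NAT, and
    interfaces where Proxy ARP is still on although no static NAT needs it."""
    nets, disabled, needed, name = {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"nameif (\S+)$", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\d\S+) (\d\S+)", line)) and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"sysopt noproxyarp (\S+)$", line):
            disabled.add(m.group(1))
        elif m := re.match(r"nat \(\S+?,(\S+?)\) static (\d+(?:\.\d+){3})\b", line):
            # Mapped address inside the mapped interface's connected subnet:
            # neighbours will ARP for it, so the ASA has to answer.
            net = nets.get(m.group(1))
            if net is not None and ipaddress.ip_address(m.group(2)) in net:
                needed.add(m.group(1))
    return {"broken": sorted(needed & disabled),
            "can_disable": sorted(set(nets) - needed - disabled)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, `outside` is reported as broken (the situation in the question) and `dmz` as an interface where Proxy ARP can be turned off.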