Proxy ARP defaults

James Nowotny
Level 1

I just set up my first ASA, a 5515-x with 9.1.  It was a straightforward setup: inside, outside, dmz and guest.  A few servers with static NATs to the outside, they are in the DMZ and on the inside LAN. Everything works.

I then went through a tutorial that recommended that Proxy ARP be disabled on all interfaces. This breaks the servers with the static NAT. So I re-enable Proxy ARP on the outside interface and it works again.

Should I leave it disabled on all the other interfaces?

Thanks...Jim

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

Most of the time I disable Proxy ARP on all the interfaces except for the external interface connected to the Internet.

Naturally, if you were to configure NAT between some other interfaces which used an IP address from a connected network as the NAT IP address, then you would have to enable Proxy ARP on the interface towards which you are mapping/NATing the address.

The default setting on ASA is to have Proxy ARP enabled on all interfaces.

In some cases you might even be able to disable Proxy ARP on all the interfaces, but that would require playing around with static routes so the connected routers would know to forward packets directly to the ASA (and would therefore NOT use ARP requests even if they had the "directly connected" route for the destination address also).

But I would imagine you could leave the external interface enabled with Proxy ARP and disable it on all others unless you happen to need to do some NAT that requires enabling it on some internal interface also (not that common in basic setups).

- Jouni
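
The rule in the accepted answer can be checked mechanically. The following Python audit is an added example, not code from the thread or from Cisco: it reads an ASA configuration and flags interfaces where `sysopt noproxyarp` conflicts with a static NAT whose mapped address lies in that interface's connected subnet. It assumes object (auto) NAT lines with a literal mapped IP; the sample configuration is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses), not taken from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 192.168.10.1 255.255.255.0
object network WEB
 host 192.168.10.10
 nat (dmz,outside) static 203.0.113.3
sysopt noproxyarp inside
sysopt noproxyarp outside
"""

def audit_proxy_arp(config):
    """Return {nameif: (proxy_arp_enabled, needed_by_static_nat)}."""
    nets, disabled, static_nats, nameif = {}, set(), [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block, forget the previous name
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            disabled.add(m.group(1))
        elif m := re.match(r"nat \((\S+),(\S+)\) static (\d+\.\d+\.\d+\.\d+)", line):
            static_nats.append((m.group(2), ipaddress.ip_address(m.group(3))))
    # The ASA must answer ARP for a mapped IP taken from the mapped interface's subnet.
    needed = {i for i, ip in static_nats if i in nets and ip in nets[i]}
    return {n: (n not in disabled, n in needed) for n in nets}

def findings(config):
    out = []
    for name, (enabled, needed) in sorted(audit_proxy_arp(config).items()):
        if needed and not enabled:
            out.append(f"{name}: static NAT maps to a connected address; remove 'sysopt noproxyarp {name}'")
        elif enabled and not needed:
            out.append(f"{name}: proxy ARP on (default) but no static NAT needs it")
    return out

if __name__ == "__main__": print("\n".join(findings(SAMPLE_CONFIG)))
```

On the constructed sample it reports `outside` (the situation in the question, where disabling Proxy ARP broke the static NATs) and `dmz` (still at the default and a candidate for `sysopt noproxyarp dmz`).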
