Proxy ARP Question

ankurs2008
Level 1

Hi halijenn / experts

What will happen if, on the outside of the ASA, Proxy ARP is disabled? I know that with the Static and Global configured, the firewall will Proxy ARP (with its own MAC, on behalf of Inside Public servers) when a packet is coming from the Outside world to inside.

Please go through the below link, which will tell you to disable Proxy ARP in a certain scenario:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K93807342

Request to please explain the exact packet flow when Proxy ARP is disabled.



Nagaraja Thanthry
Cisco Employee

Hello Ankur,

Typically you do not disable proxy-arp on the outside interface, as when you configure NAT rules, the outside interface needs to proxy-arp for all the addresses it is hosting. If the firewall does not proxy-arp for those addresses and the hosted addresses fall in the same subnet as the router's/ASA's interface, then the router will ARP for the IP and will not get any response. Eventually, the router will drop the packet. Alternatively, if the number of NAT entries is minimal, you could turn off proxy-ARP on the outside interface and then configure a static ARP entry on the outside interface for all the translated addresses:

arp outside <translated-ip> <asa-outside-interface-mac> alias

This will ensure that the firewall will respond to those ARP requests with the configured MAC, which is its own MAC.

Hope this helps.

Regards,

NT

Hi NT

Thanks for the detailed explanation!

1. As per your statement "This will ensure that the firewall will respond to those ARP requests with the configured MAC which is its own MAC":

Consider that Proxy ARP is disabled on outside. Here, what you mean to say is that I need to put the translated address (of the internal server) and the corresponding MAC (internal server machine MAC) in the ASA? Right?

2. I know that "global" will also do Proxy ARP, e.g. when an inside user accesses the internet etc. However, I have seen examples where we need to disable proxy ARP for inside (e.g. when we are configuring U-turning from inside to inside). Hence, in that case, won't the internet connectivity get hampered? If not, can you explain to me how?

1. As per your statement "This will ensure that the firewall will respond to those ARP requests with the configured MAC which is its own MAC":

Consider that Proxy ARP is disabled on outside. Here, what you mean to say is that I need to put the translated address (of the internal server) and the corresponding MAC (internal server machine MAC) in the ASA? Right?

Ankur,

What NT is trying to say is that, for example, if you have a static line like this:

192.168.1.1----(a.a.a)ASA(b.b.b)---router---internet

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1 is the translated address. People on the internet will access the website on the 192.168.1.1 host using 1.1.1.1, correct?

Now, since 1.1.1.1 is the global address, the ASA will proxy arp for it. Meaning it will let the router know to send packets destined to 1.1.1.1 to its MAC address b.b.b, which is the ASA's outside interface MAC address. When you look in the router's ARP cache you will see the mapping.

1.1.1.1 =====> b.b.b

2. I know that "global" will also do Proxy ARP, e.g. when an inside user accesses the internet etc. However, I have seen examples where we need to disable proxy ARP for inside (e.g. when we are configuring U-turning from inside to inside). Hence, in that case, won't the internet connectivity get hampered? If not, can you explain to me how?

The only time when you want proxy arp turned off is the condition that you mentioned above.

static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

Now 192.168.2.0 is the global address for which the ASA will proxy arp and start saying everyone send me packets to anyone who belongs to 192.168.2.0/24 network.

Now, it will affect hosts in the 192.168.2.0/24 network talking among themselves. They will all have the ASA's MAC address, even to talk among themselves.

This is incorrect so, you need to turn off proxy arp on the inside interface so the hosts can learn each other's mac address properly.

I hope this is clear.

-KS

Hi kusankar,

Thanks for replying

1. What I mean to say over here is that if Proxy ARP is turned off on the Outside interface, we need to manually enter the ARP entries (as NT said).

Hence, while configuring a static ARP entry on the outside interface for all the translated addresses, do I need to put the MAC of the ASA external interface for those translated addresses?

2. I know about hairpinning for inside to inside; however, my question was whether the traffic for the internet (inside to outside) keeps on flowing correctly or not, as you know that the firewall will Proxy ARP for the destination, and when it sees "sysopt noproxyarp inside" configured, it may not do the Proxy ARP.

1. What I mean to say over here is that if Proxy ARP is turned off on the Outside interface, we need to manually enter the ARP entries (as NT said).

Hence, while configuring a static ARP entry on the outside interface for all the translated addresses, do I need to put the MAC of the ASA external interface for those translated addresses?

YES. You need to manually configure a static ARP on the router for the translated address pointing to the ASA's outside interface MAC. Follow the topology in my previous post. I even included the MAC address in that post.

2. I know about hairpinning for inside to inside; however, my question was whether the traffic for the internet (inside to outside) keeps on flowing correctly or not, as you know that the firewall will Proxy ARP for the destination, and when it sees "sysopt noproxyarp inside" configured, it may not do the Proxy ARP.

For the ASA to relay the response traffic, it doesn't have to proxy arp. It will just ARP, and the host that has the IP address will respond with its MAC address, and the ASA will send the packet to that host if it is directly connected to the same subnet; otherwise the ASA will just send the packet to the inside layer 3 device, and that will do what it is supposed to do to send the packet to the correct host.

-KS

Hi kusankar

Thanks for replying again. I am replying to your answers as follows:

1) I agree that we need to manually configure a static ARP on the router for the translated address, pointing to the ASA's outside interface MAC. Other than that, do we need to configure anything on the ASA as well? The reason I am asking this is that NT has previously mentioned the following. Can you please elaborate on the same?

"Alternatively, if the number of NAT entries is minimal, you could turn-off the proxy-ARP on the outside interface and then configure static ARP entry on the outside interface for all the translated addresses:"

arp outside <translated-ip> <asa-outside-interface-mac> alias

Here I just want to understand the part highlighted in bold, whether this needs to be configured on the ASA and how; also it would be helpful if you can give an example of arp outside alias.

2) I believe that my question is not clear over here. What I want to ask is whether the internet traffic will get hampered or not (inside to outside) if I have configured "sysopt noproxyarp inside". The reason for this is that when the inside user 192.168.1.1 tries to send a packet to www.google.com, the inside MAC of the ASA will do proxy ARP for the destination www.google.com (we can see the same in the packet captures as well). If Proxy ARP is disabled, why wouldn't this traffic get hampered?

I believe NT meant to say

configure a static ARP entry on the outside ROUTER for all the translated addresses, pointing to the ASA's outside interface.

Regarding your second question, I don't understand why the ASA would proxy arp for google.com? The ASA will proxy arp for all the addresses it owns (global and static).

I am lost here. What does the nat statement look like? Are you basing this question off of outside nat that you have configured?

For each interface, list the source and destination IP address. Write them down and see how the ASA will process it.

-KS


Hi kusankar

Continuing with your last post, can you please tell me, for the outbound traffic (consider I am browsing google.com), what will be the destination MAC address for the google.com public IP in the packet captures taken on the ASA? I believe it will be the inside interface MAC of the ASA. This is exactly what I mean to say. Please share your thoughts.

Ankur,

Yes, the destination MAC will be the ASA's inside MAC, but that doesn't mean the ASA is proxy arping for google's IP address.

The layer 3 device on the inside may receive this packet destined to google from the inside PC and may look in its routing table and may find the ASA's IP as its default gateway and forward the packet onto the ASA.

Unless you change google's IP address with this command:

static (outside,inside) 10.10.10.1 76.x.x.x

then the inside interface will proxy arp for 10.10.10.1 and you need to issue http://10.10.10.1 to load google.com on the inside PC.

Makes sense?

Now, if you turn off proxy arp, then the PC will not be able to load google.com by issuing http://10.10.10.1. You would have to hard-code a static ARP on the inside router mapping 10.10.10.1 to the ASA's inside interface MAC address.

-KS

Excellent explanation kusankar!!! Also, let me know when global is used for proxyarp?

Hi kusankar ,

Please let me know when global is used for proxyarp?

Ankur,

The firewall by default will proxy arp for all the IP addresses that it owns.

nat (inside) 1 10.10.10.0 255.255.255.0

global (outside) 1 2.2.2.2

or

static (inside,outside) 2.2.2.3 10.10.10.2

Here the firewall will proxy arp on the outside interface for both 2.2.2.2 and 2.2.2.3 with its outside interface mac.

It is the same with other interfaces as well.

-KS
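An added illustration, not part of this thread and not Cisco code: a small Python model of the rule KS states above (the firewall answers ARP only for the global/static addresses it owns on that interface, plus its own interface IP), extended to cover the "sysopt noproxyarp" and "arp ... alias" cases discussed earlier in the thread. The interface IPs and MACs, the config snippets and the sample ARP requests are constructed; the parser understands only the handful of pre-8.3 NAT lines used in the thread.

```python
"""Toy model of which ARP requests an ASA answers (proxy ARP).

Added example, not code from the thread or from Cisco. It parses a few
pre-8.3-style ASA lines (global, static, sysopt noproxyarp, arp ... alias)
and answers: for an ARP request for `target_ip` seen on `iface`, which
MAC (if any) would the firewall reply with?
"""
import ipaddress

# Constructed interface addresses (not from the thread).
IF_IP = {"inside": "192.168.2.1", "outside": "2.2.2.1"}
IF_MAC = {"inside": "00:aa:aa:aa:aa:01", "outside": "00:aa:aa:aa:aa:02"}


def parse_config(text):
    """Return (owned, noproxy, alias_arp) from an ASA config snippet."""
    owned = {}       # iface -> [ip_network]: mapped addresses the ASA owns there
    noproxy = set()  # interfaces with 'sysopt noproxyarp <iface>'
    alias_arp = {}   # (iface, ip) -> mac from 'arp <iface> <ip> <mac> alias'
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "global":
            # global (outside) 1 2.2.2.2   or   global (outside) 1 2.2.2.2-2.2.2.9
            iface = tok[1].strip("()")
            first, _, last = tok[3].partition("-")
            nets = ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last or first))
            owned.setdefault(iface, []).extend(nets)
        elif tok[0] == "static":
            # static (real_if,mapped_if) mapped real [netmask m]: owned on mapped_if
            _, mapped_if = tok[1].strip("()").split(",")
            mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
            net = ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False)
            owned.setdefault(mapped_if, []).append(net)
        elif tok[:2] == ["sysopt", "noproxyarp"]:
            noproxy.add(tok[2])
        elif tok[0] == "arp" and tok[-1] == "alias":
            alias_arp[(tok[1], tok[2])] = tok[3]
        # 'nat (inside) ...' and other lines create no owned addresses; ignored.
    return owned, noproxy, alias_arp


def arp_reply(config, iface, target_ip):
    """MAC the ASA answers with for an ARP request on `iface`, or None."""
    owned, noproxy, alias_arp = config
    if target_ip == IF_IP[iface]:
        return IF_MAC[iface]                  # plain ARP for its own IP, always answered
    if (iface, target_ip) in alias_arp:
        return alias_arp[(iface, target_ip)]  # explicit 'arp ... alias' entry
    if iface in noproxy:
        return None                           # proxy ARP suppressed on this interface
    ip = ipaddress.ip_address(target_ip)
    if any(ip in net for net in owned.get(iface, [])):
        return IF_MAC[iface]                  # proxy ARP for a global/static it owns
    return None                               # not owned: the ASA stays silent


# Constructed config snippets reusing the addresses from the thread.
BASE = """\
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 2.2.2.2
static (inside,outside) 2.2.2.3 10.10.10.2
static (inside,inside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""
NOPROXY_INSIDE = BASE + "sysopt noproxyarp inside\n"
NOPROXY_OUTSIDE_ALIAS = BASE + (
    "sysopt noproxyarp outside\n"
    "arp outside 2.2.2.3 00:aa:aa:aa:aa:02 alias\n")

if __name__ == "__main__":
    cases = [("outside", "2.2.2.2"), ("outside", "2.2.2.3"),
             ("inside", "192.168.2.50"), ("inside", IF_IP["inside"]),
             ("inside", "76.1.2.3")]  # 76.1.2.3 stands in for an internet address
    for name, cfg in [("base", BASE), ("noproxyarp inside", NOPROXY_INSIDE),
                      ("noproxyarp outside + alias", NOPROXY_OUTSIDE_ALIAS)]:
        parsed = parse_config(cfg)
        print(f"--- {name}")
        for iface, ip in cases:
            print(f"who-has {ip} on {iface}: {arp_reply(parsed, iface, ip)}")
```

With the base config the inside interface answers for 192.168.2.50, which is the identity-NAT problem KS describes (hosts learn the ASA's MAC for each other); adding "sysopt noproxyarp inside" stops that while the ASA still answers for its own inside IP, so default-gateway traffic to the internet is unaffected. Disabling proxy ARP on outside leaves 2.2.2.2 unanswered unless an "arp ... alias" entry (or a static ARP on the upstream router) is added for it.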

Hi ankur,

I need to configure an inbound and an outbound NAT.

for eg inbound NAT 1.1.1.1 which will be translated to 10.10.10.10

and for outbound NAT 10.10.10.10 which should be translated to 1.1.1.1

Now I need to add a proxy ARP (i.e. 2.2.2.2, the outside interface IP). Which MAC address do I need to add as the proxy MAC address, and on which device, Firepower or the firewalls?

Thanks

Ram
