
ProxyArp and remote access VPN.

We have an ASA 5500 which has proxy ARP on by default. I need to remove this from the inside and DMZ interfaces, but I'm concerned about the effect this will have on the remote access VPN users, as there are a number of static NAT rules set up which allow access to and from the remote VPN connections and the inside networks. They use original source and destination addresses. My understanding is we would lose all of these rules if we disable proxy ARP. I'm a novice where the ASA is concerned, so I could do with some help.


Example:

nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.254.0-mask24 obj-10.200.254.0-mask24
nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.253.0-mask24 obj-10.200.253.0-mask24

2 Replies

Nope. With current config connectivity won't be broken. Nonat will still take place and it will use route lookup instead of ARP.

Abheesh Kumar
VIP Alumni

Hi David,

ASA uses proxy ARP to respond to a host that uses static NAT on the same network, or to an ARP request for IPs it is using for NAT that are not assigned to any interface.

For example, you are connected to the ISP with a /28 or /27 subnet; from this pool two IPs will be used, one for the ASA outside interface and the other for the CPE. In this case the remaining free IPs may be used for static NAT to publish your services. When traffic arrives from the internet at the CPE for one of those free IPs, the CPE will send an ARP request to the ASA because it is connected with an IP from the same range. The ASA will respond with proxy ARP and send the outside interface MAC address, so the CPE will forward the traffic to it.

In your case, for remote access VPN, proxy ARP is not necessary for the communication; traffic will use a route lookup to reach the destination.

HTH

-Abheesh
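As an added illustration of the two answers above (this is example configuration written for this thread, not David's running config and not Cisco documentation), the following shows what the change would look like on the ASA: proxy ARP is turned off on the inside and DMZ interfaces, and the existing identity (no-NAT) rules for the remote-access pools are kept, made explicit with the `no-proxy-arp` and `route-lookup` keywords so the egress interface comes from the routing table, exactly as the replies describe. The object names are the ones from the question; the interface name `DMZ` and the host address 172.16.0.10 used in the verification command are assumed.

```cisco
! Added example, not from the original thread. Object names follow the question;
! the DMZ interface name and the 172.16.0.10 test host are assumed.

! 1. Disable proxy ARP only on the interfaces David wants to change.
!    Leave it enabled on OUTSIDE if static NAT there publishes services on
!    addresses that are not assigned to the interface (Abheesh's ISP example).
sysopt noproxyarp inside
sysopt noproxyarp DMZ

! 2. Identity NAT for the remote-access pools. Real and mapped addresses are the
!    same, so no proxy ARP is needed; no-proxy-arp states that explicitly and
!    route-lookup makes the ASA pick the egress interface from the routing table.
nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.254.0-mask24 obj-10.200.254.0-mask24 no-proxy-arp route-lookup
nat (inside,OUTSIDE) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-10.200.253.0-mask24 obj-10.200.253.0-mask24 no-proxy-arp route-lookup

! 3. Verify before and after the change.
show running-config sysopt
show nat detail
packet-tracer input inside icmp 172.16.0.10 8 0 10.200.254.10 detailed
```

Run the `packet-tracer` check before and after applying `sysopt noproxyarp`: the NAT and ROUTE-LOOKUP phases should show the same identity translation and the same egress interface in both runs, which confirms that the VPN rules survive the change. The `show nat detail` output should still list both rules, with the translate counters increasing as VPN users pass traffic.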
