proxyarp

bluesea2010
Level 5

Hi,

As in the attached picture, the ASA DMZ interface is also replying to the ARP request, and host 1 updates its ARP cache with the ASA interface MAC address.

This stops the communication between HOST 1 and HOST 2.

How can I solve this issue?

Other related configuration for the proxyarp:

no sysopt noproxyarp Outside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Inside

object network DMZ-Network
 subnet 172.16.20.0 255.255.255.0

No proxyarp configured in the statements below:

nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP

Thank you


Akshay Rastogi
Cisco Employee

Hi.

Proxy ARP is enabled for your nat statements.

Please add the "no-proxy-arp route-lookup" keywords at the end of these statements.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi,

How does the below statement cause a problem?

nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP

VPN-POOLSALES

172.16.128.65-172.16.128.78 mask 255.255.255.240

VPN-POOLEMP

172.16.128.33-172.16.128.46 mask 255.255.255.240

So how does it affect?

Thank you

Hi,

As you have 'source static DMZ-Network DMZ-Network' in your NAT statement, the ASA is supposed to respond to ARP requests coming to it. Therefore it affects your traffic. Also, proxy ARP is enabled by default: 'no sysopt noproxyarp DMZ'. This says 'no' to 'noproxyarp', which means proxy ARP is enabled.

Hope it answers your queries.

Regards,

Akshay Rastogi
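
An added example, not part of the original thread and not Cisco's code: a small Python check that scans ASA configuration text for identity static NAT statements like the ones discussed above that still lack `no-proxy-arp`. The sample config is constructed from the thread's NAT lines; the `sysopt noproxyarp Inside` line, the `(DMZ,Inside)` rule, the name `audit_proxy_arp`, and the rule that an interface-wide `sysopt noproxyarp` covers statements mapped to that interface are assumptions made for illustration.

```python
import re

# Constructed sample config: NAT lines taken from the thread, plus one line
# already carrying the suggested keywords and a hypothetical sysopt line.
SAMPLE_CONFIG = """\
sysopt noproxyarp Inside
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP no-proxy-arp route-lookup
nat (DMZ,Inside) source static DMZ-Network DMZ-Network
nat (DMZ,Outside) after-auto source dynamic DMZ-Network interface
"""

# Manual NAT with a static source: nat (real_if,mapped_if) source static REAL MAPPED ...
STATIC_NAT = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:after-auto\s+)?"
    r"source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)
SYSOPT = re.compile(r"^sysopt noproxyarp (?P<ifname>\S+)$")

def audit_proxy_arp(config):
    """Return (line_no, mapped_if, rule) for identity static NAT rules that
    lack no-proxy-arp and whose mapped interface still has proxy ARP on."""
    lines = [ln.strip() for ln in config.splitlines()]
    # 'sysopt noproxyarp X' disables proxy ARP on X; the 'no' form re-enables
    # it and deliberately does not match this pattern.
    disabled = {m["ifname"] for m in map(SYSOPT.match, lines) if m}
    findings = []
    for no, line in enumerate(lines, start=1):
        m = STATIC_NAT.match(line)
        if not m:
            continue  # dynamic NAT/PAT and non-NAT lines: not covered here
        if m["real"] != m["mapped"]:
            continue  # real translation: proxy ARP for the mapped IP is wanted
        if "no-proxy-arp" in m["rest"].split():
            continue  # already suppressed on this statement
        if m["mapped_if"] in disabled:
            continue  # assumption: interface-wide setting covers this rule
        findings.append((no, m["mapped_if"], line))
    return findings

if __name__ == "__main__":
    for no, ifname, rule in audit_proxy_arp(SAMPLE_CONFIG):
        print(f"line {no}: proxy ARP active on '{ifname}': {rule}")
```
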

Hi Akshay 

Thank you for your answer. 

I have one more PAT statement like below:

nat (DMZ,Outside) after-auto source dynamic DMZ-Network interface

Does this statement also impact the traffic?

What if I disable proxy ARP on the DMZ interface? Does it solve the problem instead of adding "no-proxy-arp route-lookup" to each and every NAT statement?

Does disabling proxy ARP cause another issue?

Thank you

Hi,

The ASA does not perform proxy ARP for dynamic statements. It should not cause any issue.

Regards,

Akshay Rastogi

Remember to rate helpful posts.

Hi

Thank you.

Just to conclude, what about the below command: does it cause the ASA to respond to ARP requests?

object network webserver
 host 172.16.20.50
object network webserver
 nat (DMZ,Outside) static 2.2.2.2

Thank you

Hi,

This statement is for traffic leaving the Outside interface or traffic coming from Outside hosts to IP 2.2.2.2.

The ASA would respond to ARP requests for destination IP 2.2.2.2 coming in on its Outside interface.

Regards,

Akshay Rastogi

Remember to rate helpful posts.
