11-28-2015 06:48 AM - edited 03-11-2019 11:57 PM
Hi,
As in the attached picture, the ASA DMZ interface is also replying to the ARP request, and host 1 updates its ARP cache with the ASA interface MAC address.
This stops the communication between HOST 1 and HOST 2.
How can I solve this issue?
Other related configuration for proxy ARP:
no sysopt noproxyarp Outside
no sysopt noproxyarp DMZ
no sysopt noproxyarp Inside
object network DMZ-Network
subnet 172.16.20.0 255.255.255.0
No proxyarp is configured in the statements below:
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP
Thank you
11-28-2015 07:41 AM
Hi,
Proxy ARP is enabled for your NAT statements.
Please add the "no-proxy-arp route-lookup" keywords at the end of these statements.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
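An added example, not part of the original thread and not Cisco tooling: a small Python audit that scans ASA configuration text for static identity NAT statements (same real and mapped source, as in the question) that lack the `no-proxy-arp` or `route-lookup` keywords suggested above. The function name, the regular expression (which covers only the twice-NAT syntax shown in this thread) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config: the thread's two identity NAT statements (one
# left as posted, one with the suggested keywords) and the PAT statement.
SAMPLE_CONFIG = """\
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP no-proxy-arp route-lookup
nat (DMZ,Outside) after-auto source dynamic DMZ-Network interface
"""

# Hypothetical pattern: matches only the "nat (a,b) [after-auto] source ..." form.
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?:after-auto\s+)?source\s+(?P<kind>static|dynamic)\s+"
    r"(?P<real>\S+)\s+(?P<mapped>\S+)(?P<rest>.*)$"
)
WANTED = ("no-proxy-arp", "route-lookup")


def audit_identity_nat(config: str) -> list[dict]:
    """Return one finding per static identity NAT line missing a wanted keyword."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        m = NAT_RE.match(raw.strip())
        if not m or m["kind"] != "static":
            continue  # dynamic/PAT and non-NAT lines are out of scope here
        if m["real"] != m["mapped"]:
            continue  # not identity NAT: real and mapped source differ
        options = m["rest"].split()
        missing = [kw for kw in WANTED if kw not in options]
        if missing:
            findings.append({
                "line": lineno,
                "interfaces": (m["real_if"], m["mapped_if"]),
                "source": m["real"],
                "missing": missing,
            })
    return findings


if __name__ == "__main__":
    for f in audit_identity_nat(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['source']} {f['interfaces']} "
              f"missing {', '.join(f['missing'])}")
```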
11-28-2015 07:08 PM
Hi,
How does the statement below cause a problem?
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLSALES VPN-POOLSALES
nat (DMZ,any) source static DMZ-Network DMZ-Network destination static VPN-POOLEMP VPN-POOLEMP
VPN-POOLSALES
172.16.128.65-172.16.128.78 mask 255.255.255.240
VPN-POOLEMP
172.16.128.33-172.16.128.46 mask 255.255.255.240
So how does it affect?
Thank you
11-28-2015 07:39 PM
Hi,
As you have 'source static DMZ-Network DMZ-Network' in your NAT statement, the ASA is supposed to respond to ARP requests coming in on it. Therefore it affects your traffic. Also, proxy ARP is enabled by default: 'no sysopt noproxyarp DMZ'. This says 'no' to 'noproxyarp', which means proxy ARP is enabled.
Hope it answers your queries.
Regards,
Akshay Rastogi
11-28-2015 07:52 PM
Hi Akshay,
Thank you for your answer.
I have one more PAT statement like the one below:
nat (DMZ,Outside) after-auto source dynamic DMZ-Network interface
Does this statement also impact the traffic?
What if I disable proxy ARP on the DMZ interface? Does it solve the problem instead of adding "no-proxy-arp route-lookup" to each and every NAT statement?
Does disabling proxy ARP cause another issue?
Thank you
11-28-2015 08:42 PM
Hi,
The ASA does not perform proxy ARP for dynamic statements. It should not cause any issue.
Regards,
Akshay Rastogi
Remember to rate helpful posts.
11-28-2015 10:04 PM
Hi,
Thank you.
Just to conclude, what about the command below causes the ASA to respond to ARP requests?
object network webserver
host 172.16.20.50
object network webserver
nat (DMZ,Outside) static 2.2.2.2
Thank you
11-28-2015 10:26 PM
Hi,
This statement is for traffic leaving the Outside interface or traffic coming from Outside hosts to IP 2.2.2.2.
The ASA would respond to ARP requests for destination IP 2.2.2.2 coming in on its Outside interface.
Regards,
Akshay Rastogi
Remember to rate helpful posts.