Replacing ASA 5510 and ARP

jtadamofod81
Level 1

Hello Support,

Probably an easy question and may be buried within these forums (but I can't find it).

I'm attempting to replace a 5510 with another 5510 and having all sorts of difficulty.  Devices that PAT against the outside interface have no problems getting out, but anything with a 1:1 NAT cannot.  Screams of an ARP issue; however, rebooting the switch and the firewall have no effect.  Is there something else I could potentially be missing?  Configurations are completely mirrored.  And the firewall that I'm trying to replace has no issues getting out with 1 to 1 (static) NATs.  Any ideas?

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I assume that you are talking about an L3 switch that you are booting along with the ASA?

If not then where is the L3 gateway of your ASA and who manages that device?

One thing that comes to mind related to ARP is the case where you are using multiple public subnets on your ASA, for example a /30 for the link network between your site and the ISP and some /28 as a public subnet for Static NAT purposes. Then you might run into problems IF your software changed to 8.4(3) or something above.

If ARP is the problem then there is naturally the option that you actually check out the original ASA's interface MAC address (connected to the ISP) and configure that same MAC address on the new ASA's WAN interface towards the ISP.

You can actually go under the interface and issue the MAC address with the command

mac-address 0000.1111.2222

Also, naturally when it comes to firewall rules and configurations you can always use the "packet-tracer" command to simulate packets coming from your LAN to the WAN or from WAN to the LAN and see that the test goes through completely.

- Jouni


8 Replies


Jouni,

As always, thanks for the quick reply. 

We have no access to the upstream device.  We have two firewalls.  The old one is running 7.2 and the new one is running 8.2.  We are trying to migrate to the new one and update the old one without downtime.  So if, on the new one, I enter the mac-address command on the Outside interface, this should resolve the issue (if it is an ARP issue)?  Would I have to do that on the inside as well?

Hi,

Well, since we are talking about your own network then I think you can just clear the ARP on any of the routers connected to your ASA.

Naturally changing the MAC address with the command can be an option also.

- Jouni

Hello Jouni,

We did clear the ARP tables on the switches behind the firewall and even rebooted them.  I didn't clear the ARP table on the new firewall, but would we have to?  Hard-coding the MAC is definitely an option, but you wouldn't think swapping out a firewall would be so difficult.

Hi,

If you are talking about normal L2 switches with no routing capabilities then rebooting them might not do anything. I guess usually if you replace a device that is connected directly to some routers then the simple fact that the interface will go down is enough to "flush" the ARP table on the connected devices and the replacement of the device goes smoothly.

If your ASA is connected to the ISP through an L2 switch there is always a chance that rebooting the switch won't bring down any link on the ISP side and remove the old ARP table information.

I am also not quite sure if and when the ASA uses Gratuitous ARP which is meant to update the ARP table of the connected devices.

But I would have to say that it's not that uncommon that some people face problems with replacing devices and the ISP still having the old ARP information on their end. As I personally work for the ISP and usually am the person who handles the firewall replacement, it's pretty easy to handle both the ISP side and the customer side.

Usually the firewall that I replace is also connected directly to some LAN router, so the routers' interfaces naturally go down during the device switch and I won't have to resort to any ARP clearing on the LAN side.

Even though it might be basic information, I am actually not sure how long a basic PC keeps the ARP table information. Though I would imagine Google might tell me pretty quickly.

- Jouni

Oh and yes,

When you change the MAC address of the new ASA's WAN interface with the command so that it has the same MAC address as the old ASA unit, THEN there should be no problem related to ARP, at least, as even if the ISP still had the old information in the ARP table it would still match the IP/MAC on the ASA.

- Jouni

Jouni,

Another question is why would this not affect devices behind the firewall that were PATing against the global interface?  Why would this solely affect static NATs?

Hi,

It would almost sound like Proxy ARP is disabled on the WAN interface of the ASA?

This would produce a situation where the ASA would only answer ARP requests that are requesting its interface IP address's MAC address, but not for the IP/MAC of any Static NAT or any other kind of NAT/PAT that uses some public IP address other than the interface IP address.

In your software level there should be no problem related to extra subnets and their ARP behaviour as you are still below the 8.4(x) software levels.

If there are some problems with the device switch I would suggest having someone on the ISP side check their side during the device switch.

- Jouni
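To make the two explanations in this thread concrete (the accepted answer's stale ISP ARP cache and the mac-address clone, and the last reply's proxy ARP hypothesis), here is a small Python model added to this page; it is not Cisco code or anything posted by the participants, and the IP addresses and the second MAC are constructed values.

```python
# Added example, not Cisco code: a toy model of the two ARP explanations raised in
# this thread. The upstream (ISP) router must map each public IP the ASA serves to a
# MAC. Delivery fails if the router holds a stale entry for the old ASA's MAC, or if
# it has no entry and the ASA refuses to answer ARP for that IP (its own interface
# IP is always answered; a static-NAT IP only while proxy ARP is enabled).
from dataclasses import dataclass

# constructed values for the scenario (0000.1111.2222 is the MAC from the thread)
OLD_MAC = "0000.1111.2222"
NEW_MAC = "0000.3333.4444"
WAN_IP = "203.0.113.2"          # ASA outside interface, used for interface PAT
NAT_IPS = {"203.0.113.10"}      # public IPs used for 1:1 static NAT


@dataclass
class Asa:
    wan_ip: str
    wan_mac: str
    static_nat_ips: set
    proxy_arp: bool = True

    def answers_arp_for(self, ip):
        """MAC the ASA puts in an ARP reply for `ip`, or None if it stays silent."""
        if ip == self.wan_ip or (self.proxy_arp and ip in self.static_nat_ips):
            return self.wan_mac
        return None


def deliver(arp_cache, ip, asa):
    """Upstream router forwards a frame for `ip`; True if it reaches the live ASA."""
    mac = arp_cache.get(ip)
    if mac is None:                      # no entry: send an ARP request
        mac = asa.answers_arp_for(ip)
        if mac is None:
            return False                 # unanswered: no next-hop MAC, packet dropped
        arp_cache[ip] = mac
    return mac == asa.wan_mac            # a stale entry sends the frame to the old MAC


def swap_firewall(new_asa, cache_flushed):
    """Replace the old unit with `new_asa`; report reachability of each public IP."""
    cache = {} if cache_flushed else {ip: OLD_MAC for ip in (WAN_IP, *NAT_IPS)}
    return {ip: deliver(cache, ip, new_asa) for ip in (WAN_IP, *NAT_IPS)}


if __name__ == "__main__":
    # Last reply's hypothesis: proxy ARP off, caches flushed by the reboots.
    print(swap_firewall(Asa(WAN_IP, NEW_MAC, NAT_IPS, proxy_arp=False), True))
    # Accepted answer: ISP cache still stale; cloning the old MAC makes it harmless.
    print(swap_firewall(Asa(WAN_IP, NEW_MAC, NAT_IPS), False))
    print(swap_firewall(Asa(WAN_IP, OLD_MAC, NAT_IPS), False))
```

The first scenario reproduces the symptom in the question (interface PAT works, static NAT does not); the stale-cache case fails for everything until the MAC is cloned.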
