10-07-2020 06:34 AM - edited 10-07-2020 12:27 PM
I am setting up a small network, like below. Two ASA firewalls are set up in parallel to each other: one provides AnyConnect VPN and the other is the edge firewall. Both ASAs have proxy ARP enabled on their outside and inside ports, and I cannot disable it due to the NAT requirements. So will the two ASAs fight each other to respond to ARP for 10.10.2.0/29, causing connectivity issues for Internet inbound traffic?
10-10-2020 03:05 AM - edited 10-10-2020 03:09 AM
Say someone is trying to connect to the AnyConnect VPN hosted on the VPN ASA; the Internet router NATs/port-forwards the public IP/443 to 10.10.2.1/443.
OK, user-x is working from home and connects with the AnyConnect module, so user-x is connected to the VPN-ASA firewall. Let's say user-x types https://123.123.123.123:443 into AnyConnect; the request comes to the Internet router. As NAT/port-forwarding is configured, the router will send the traffic to the NAT inside host (this will be your VPN-ASA). Now, if everything is configured accordingly, user-x's AnyConnect module is connected and working.
When the Internet router tries to resolve the MAC address of 10.10.2.1 in order to forward the traffic, will the Edge ASA outside interface reply to the ARP request because of proxy ARP and "steal" the traffic, causing a connectivity failure?
1. If the VPN-ASA outside default gateway is 10.10.2.6, it will forward traffic that is not known in its routing table up-link.
2. If you configured a split tunnel and you have NAT for this on VPN-ASA-Fw: object network Anyconnect-pool, nat (out,out) dynamic interface.
3. When the router sends a packet downstream to ASA-VPN 10.10.2.1, it has the ARP cache entry in its table, and the same applies to ASA-VPN. You can confirm this by using a command on the Internet router to check the ARP table it is building.
Have a read of this document: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html
Consider an Ethernet segment which has devices attached in the 10.0.1.x/24 network. The ASA's inside interface is addressed at 10.0.1.1. Whenever an ARP request for 10.0.1.47 is initiated from 10.0.1.48, the ASA replies with an ARP reply that contains its own interface hardware address. Further investigation reveals that the ASA replies to requests for multiple IP addresses in the subnet.
In your case 10.10.2.1 and 10.10.2.5 are not talking to each other, whereas they need to talk to the Internet router 10.10.2.6. Therefore this does not apply to your scenario.
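The answer above says to confirm the behaviour from the router's ARP table. A more direct check is to capture ARP on the 10.10.2.0/29 segment (a SPAN port or a host on that switch) and look for one IP address answered by two different MACs, which is exactly the "steal" the question worries about, and for one MAC answering for several addresses, which is what proxy ARP looks like on the wire. The script below is an added example by the editor, not from the thread or from Cisco. It parses the standard `tcpdump -n arp` line format; the capture, timestamps and MAC addresses are constructed for the illustration, and it assumes (from the last paragraph of the answer) that the VPN ASA is 10.10.2.1, the Edge ASA is 10.10.2.5 and the router is 10.10.2.6. In the sample, 10.10.2.1 gets two replies, one of them from the MAC that also owns 10.10.2.5, i.e. the Edge ASA answering for the VPN ASA's address.

```python
import re
from collections import OrderedDict

# Constructed sample of `tcpdump -n arp` output on the 10.10.2.0/29 segment.
# Timestamps and MACs are invented; the IPs are the ones used in the thread
# (router .6, VPN-ASA .1, Edge ASA .5). This is not a real capture.
SAMPLE_CAPTURE = """\
10:00:01.000101 ARP, Request who-has 10.10.2.1 tell 10.10.2.6, length 46
10:00:01.000312 ARP, Reply 10.10.2.1 is-at 00:11:22:aa:bb:01, length 46
10:00:01.000455 ARP, Reply 10.10.2.1 is-at 00:11:22:aa:bb:05, length 46
10:00:02.000101 ARP, Request who-has 10.10.2.6 tell 10.10.2.1, length 46
10:00:02.000250 ARP, Reply 10.10.2.6 is-at 00:11:22:aa:bb:06, length 46
10:00:03.000101 ARP, Request who-has 10.10.2.5 tell 10.10.2.6, length 46
10:00:03.000330 ARP, Reply 10.10.2.5 is-at 00:11:22:aa:bb:05, length 46
"""

# Matches only reply lines; requests carry no "is-at" and are skipped.
REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_replies(capture):
    """Return (timestamp, ip, mac) for every ARP reply line in the capture text."""
    replies = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def responders(capture):
    """Map each IP to the distinct MACs that answered for it, in the order first seen."""
    seen = OrderedDict()
    for _ts, ip, mac in parse_replies(capture):
        macs = seen.setdefault(ip, [])
        if mac not in macs:
            macs.append(mac)
    return seen


def find_conflicts(capture):
    """IPs answered by more than one MAC: two devices are claiming the same address."""
    return {ip: macs for ip, macs in responders(capture).items() if len(macs) > 1}


def proxy_candidates(capture):
    """MACs that answered for more than one IP: the on-the-wire signature of a device
    proxy-ARPing for addresses it does not own (or of a host with several addresses)."""
    by_mac = {}
    for _ts, ip, mac in parse_replies(capture):
        by_mac.setdefault(mac, set()).add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def report(capture):
    """Summary lines; returned rather than only printed so callers can log or assert."""
    lines = []
    for ip, macs in find_conflicts(capture).items():
        lines.append(f"CONFLICT {ip} answered by {len(macs)} MACs: {', '.join(macs)} "
                     f"(first reply on the wire: {macs[0]})")
    for mac, ips in proxy_candidates(capture).items():
        lines.append(f"PROXY? {mac} answered for {len(ips)} addresses: {', '.join(ips)}")
    if not lines:
        lines.append("no conflicting ARP replies seen")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Run it against a real capture with `tcpdump -n -i <segment interface> arp > arp.txt` and feed the file contents to `report()`. Which of two replies a router keeps in its ARP cache depends on the platform, so the finding is the conflict itself, not the "first reply" hint; if no address gets two replies, the Edge ASA is not answering for 10.10.2.1 and the question's concern does not materialise.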
10-07-2020 11:36 AM
If client-x is on the inside network and its default gateway is the Edge ASA, going out to the outside (I assume NAT is configured on ASA-Edge), when the inside source address goes to the outside, the Edge ASA will check its ARP table for the IP address of its next hop and forward the packet to the Internet router.
Now, if you have a static NAT configured on the Edge ASA: since it is not using a public IP address, in that case you are doing all the NAT statements on the Internet router (or doing any port-forwarding).
You have to be more specific about what you are trying to do, or explain in more detail with a packet-flow walk.
10-07-2020 12:26 PM
I should be clearer about what I am puzzled by... My concern is inbound traffic from the Internet, not outbound traffic from the LAN.
Say someone is trying to connect to the AnyConnect VPN hosted on the VPN ASA; the Internet router NATs/port-forwards the public IP/443 to 10.10.2.1/443. When the Internet router tries to resolve the MAC address of 10.10.2.1 in order to forward the traffic, will the Edge ASA outside interface reply to the ARP request because of proxy ARP and "steal" the traffic, causing a connectivity failure?
10-10-2020 05:23 AM
Thanks, would you mind elaborating further on your "2. If you configured a split tunnel and you have NAT for this on VPN-ASA-Fw: object network Anyconnect-pool, nat (out,out) dynamic interface."?
10-10-2020 09:39 AM
What I meant here was how you have configured AnyConnect. If it is in split-tunnel fashion, here is the link: http://www.techspacekh.com/configuring-cisco-anyconnect-remote-access-vpn-on-asa-9-x/
10-10-2020 09:47 AM
I know split tunneling, but I'm not sure how it is related to this post...
10-10-2020 09:51 AM
Good to know. Just trying to help you, nothing else.
10-10-2020 11:34 AM
Got you... Thanks!
10-09-2020 03:54 PM
Could anyone help?