1954 Views, 0 Helpful, 9 Replies

Two ASA in Parallel to each other while proxy arp is enabled?

m1xed0s (Spotlight)

I am setting up a small network, like below. Two ASA firewalls are set up in parallel to each other: one provides AnyConnect VPN and the other is the edge firewall. Both ASAs' outside and inside ports have proxy ARP enabled, and I cannot disable it due to the NAT requirements. So will the two ASAs fight each other to respond to ARP for 10.10.2.0/29, causing connectivity issues for Internet inbound traffic?

[Image: Drawing1.jpg]

Accepted Solution

"Say someone is trying to connect to the AnyConnect VPN hosted on the VPN ASA; the Internet router NATs/port-forwards Public IP:443 to 10.10.2.1:443."

 

OK, user-x is working from home and connects with the AnyConnect module, so user-x is connected to the VPN-ASA firewall. Let's say user-x types https://123.123.123.123:443 into AnyConnect; the request comes to the Internet router. As NAT/port-forwarding is configured, the router will send the traffic to the NAT inside host (this will be your VPN-ASA). Now, if everything is configured accordingly, user-x's AnyConnect module is connected and working.

 

 

"When the Internet router tries to resolve the MAC address of 10.10.2.1 in order to forward the traffic, will the Edge ASA outside interface reply to the ARP request because of proxy ARP and 'steal' the traffic, causing connectivity failure?"

 

1. If the VPN-ASA outside default gateway is 10.10.2.6, it will forward traffic that is not known in its routing table up the link.

2. If you configured a split tunnel and you have NAT for this on the VPN-ASA firewall: object network Anyconnect-pool, nat (out,out) dynamic interface.

3. When the router sends a packet to the downstream ASA-VPN 10.10.2.1, it has the ARP cache entry in its table, and the same applies to the ASA-VPN. You can confirm this by using a command on the Internet router to check the ARP table it is building.


Have a read of this document: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

 

"Consider an Ethernet segment which has devices attached in the 10.0.1.x/24 network. The ASA's inside interface is addressed at 10.0.1.1. Whenever an ARP request for 10.0.1.47 is initiated from 10.0.1.48, the ASA replies with an ARP reply that contains its own interface hardware address. Further investigation reveals that the ASA replies to requests for multiple IP addresses in the subnet."

 

In your case 10.10.2.1 and 10.10.2.5 are not talking to each other, whereas they need to talk to the Internet router 10.10.2.6. Therefore this does not apply to your scenario.

Please do not forget to rate.
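Point 3 of the answer says to check the ARP table the Internet router is building. One caveat a practitioner will want: an ARP cache (Cisco `show arp`, Linux `ip neigh`) keeps a single entry per IP, so it only tells you which responder won the race, not whether a second device answered too. The script below is an added example, not code from this thread or from Cisco: it takes the raw replies from iputils `arping` (or from `tcpdump -n -e arp`) captured on a host sitting on the 10.10.2.0/29 segment and reports every IP that was answered by more than one MAC, which is what overlapping proxy ARP from two ASAs would look like on the wire. The sample lines, MAC addresses and the script file name are constructed for illustration.

```python
"""Flag IPs on a LAN segment that get ARP replies from more than one MAC.

Added example for this thread, not code from the original post. It parses
raw ARP reply lines from iputils ``arping`` output or from ``tcpdump -n -e arp``
and reports every IP answered by two or more hardware addresses, which is the
symptom of two devices both proxy-ARPing for the same address.
"""
import re
import sys
from collections import defaultdict

# iputils arping reply line, e.g.
#   "Unicast reply from 10.10.2.1 [00:1A:2B:3C:4D:5E]  0.612ms"
ARPING_RE = re.compile(
    r"reply from (\d{1,3}(?:\.\d{1,3}){3}) \[([0-9a-f:]{17})\]", re.I)

# tcpdump -n -e arp reply line, e.g.
#   "... ethertype ARP (0x0806), length 42: Reply 10.10.2.6 is-at 00:11:22:33:44:55, length 28"
TCPDUMP_RE = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f:]{17})", re.I)

# Constructed sample input, not observed output. It models the situation the
# question worries about: 10.10.2.1 (VPN-ASA) is answered by its own MAC and by
# a second MAC (the Edge ASA outside interface); 10.10.2.6 (router) by one MAC.
SAMPLE_LINES = [
    "ARPING 10.10.2.1 from 10.10.2.6 eth0",
    "Unicast reply from 10.10.2.1 [00:1A:2B:3C:4D:5E]  0.612ms",
    "Unicast reply from 10.10.2.1 [00:AA:BB:CC:DD:EE]  0.701ms",
    "Unicast reply from 10.10.2.1 [00:1A:2B:3C:4D:5E]  0.598ms",
    "Sent 3 probes (1 broadcast(s))",
    "12:00:01.000000 00:11:22:33:44:55 > 00:1a:2b:3c:4d:5e, ethertype ARP (0x0806), "
    "length 42: Reply 10.10.2.6 is-at 00:11:22:33:44:55, length 28",
]


def parse_arp_replies(lines):
    """Return {ip: set(mac)} built from every ARP reply line found in ``lines``.

    Lines that are not ARP replies (arping banners, requests, summaries) are
    ignored. MACs are lower-cased so the same address in different case is
    counted once.
    """
    replies = defaultdict(set)
    for line in lines:
        match = ARPING_RE.search(line) or TCPDUMP_RE.search(line)
        if match:
            ip, mac = match.group(1), match.group(2).lower()
            replies[ip].add(mac)
    return dict(replies)


def contended_ips(lines):
    """Return {ip: sorted list of MACs} for every IP answered by more than one MAC.

    An empty dict means no address on the segment had competing responders.
    """
    return {ip: sorted(macs)
            for ip, macs in parse_arp_replies(lines).items()
            if len(macs) > 1}


if __name__ == "__main__":
    # Use piped arping/tcpdump output when present, otherwise the sample above.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    contended = contended_ips(source)
    if not contended:
        print("no IP received replies from more than one MAC")
    for ip, macs in sorted(contended.items()):
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
```

To use it against the real segment, run something like `arping -c 3 -I eth0 10.10.2.1 | python3 arp_contention.py` from a Linux host on 10.10.2.0/29 (interface name and file name are assumptions), or capture with `tcpdump -n -e -l arp` while the router or a host pings 10.10.2.1 and pipe that in. Repeat for 10.10.2.5 and the router address; every ARP reply is parsed, so a second responder shows up even though the router's own ARP table would only ever record the one that arrived first.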


9 Replies

If client-x is on the inside network and its default gateway is the Edge ASA, then when going out to the outside (I assume NAT is configured on the Edge ASA), as the inside source address goes to the outside, the Edge ASA will check its ARP table against the IP address of its next hop and forward the packet to the Internet router.

Now, if you have a static NAT configured on the Edge ASA, and since it is not using a public IP address, in that case you are doing all the NAT statements on the Internet router (or doing any port-forwarding there).

 

You have to be more specific about what you are trying to do, or explain it in more detail with a packet-flow walk.

Please do not forget to rate.

I should be clearer about what I am puzzled by... My concern is inbound traffic from the Internet, not outbound traffic from the LAN.

 

Say someone is trying to connect to the AnyConnect VPN hosted on the VPN ASA; the Internet router NATs/port-forwards Public IP:443 to 10.10.2.1:443. When the Internet router tries to resolve the MAC address of 10.10.2.1 in order to forward the traffic, will the Edge ASA outside interface reply to the ARP request because of proxy ARP and "steal" the traffic, causing connectivity failure?

(Reply marked as the accepted solution; quoted in full under "Accepted Solution" above.)

Thanks. Would you mind elaborating further on your "2. If you configured a split tunnel and you have NAT for this on the VPN-ASA firewall: object network Anyconnect-pool, nat (out,out) dynamic interface."?

What I meant here was how you have configured the AnyConnect configuration. If it is in split-tunnel fashion, here is the link: http://www.techspacekh.com/configuring-cisco-anyconnect-remote-access-vpn-on-asa-9-x/

Please do not forget to rate.

I know split tunneling, but I'm not sure how it is related to this post...

Good to know. Just trying to help you, nothing else.

Please do not forget to rate.

Got you... Thanks!

m1xed0s (Spotlight)

Could anyone help?
