09-30-2024 08:12 AM - last edited on 09-30-2024 08:53 AM by shazubai
Sorry for the vague question, but I'm not sure if this falls under switching or forwarding. I have two networks separated by an ASA firewall for security. There is a /30 network that interconnects the /24 inside a lab/demo area from the corporate network.
When I log in to our ASA or our core, I see the uplink interface, but that's it. I know there is a way, but I would like to have their hosts be visible when I do a sh arp command on our firewall; by default that doesn't happen. I just need a reminder on what is preventing that and how to enable it. Thanks.
09-30-2024 09:02 AM
So can you elaborate more on what your question is?
MHM
09-30-2024 09:18 AM
Hello,
From the diagram and your description, it looks like the issue revolves around ARP visibility across different network segments separated by the ASA firewall.
Here are some suggestions:
1. Routing Configuration:
Make sure that the ASA is routing traffic between the /30 (the uplink) and the /24 network (inside the lab).
Ensure that the ASA has a static route, or a dynamic routing protocol configured to route traffic to the lab network via the correct inside interface.
route inside 10.10.159.0 255.255.255.0 [next-hop IP]
2. Proxy ARP:
On Cisco ASA, you can enable Proxy ARP. Proxy ARP allows the ASA to respond to ARP requests for a remote network by using the firewall’s own IP address, essentially making the remote devices visible through ARP.
Ensure Proxy ARP is enabled for the necessary interface:
no sysopt noproxyarp inside
This ensures that ARP requests from the core 9500 will be forwarded to the firewall, allowing visibility of the lab network devices.
3. ARP Inspection:
If you're running dynamic ARP inspection (DAI) on the switch (like on the Cisco 9500), it may be blocking ARP packets from traversing the network. You should check if DAI is enabled and ensure that ARP inspection is configured correctly for trusted interfaces.
ip arp inspection trust
4. NAT Configuration:
If there’s a NAT rule in place on the ASA, it could be interfering with ARP propagation. Ensure that you have proper NAT rules if required for traffic between your corporate network and the lab network.
You might want to configure NAT exemption between these networks.
Example:
nat (inside,outside) source static obj-inside obj-outside destination static obj-lab obj-lab no-proxy-arp
5. Check VLANs/Sub-Interfaces:
Verify that the VLANs or sub-interfaces are correctly configured on both the Cisco 9500 core and the ASA firewall. Each network segment (the uplink and the lab) should be associated with the correct security zones and interfaces.
6. Firewall Policies:
Ensure that appropriate firewall rules are allowing ARP traffic (Layer 2) between the two network segments. The firewall should allow traffic from the /24 network to pass through.
By implementing the above checks and configurations, the firewall should start propagating ARP entries from the lab network to your corporate network, making the devices visible when you run a show arp command on the ASA firewall.
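The following is an added configuration example, not part of the answer above, that puts the routing, proxy ARP and DAI checks from that reply into concrete ASA and Catalyst 9500 syntax. The lab /24 (10.10.159.0/24) comes from the thread; the /30 uplink addresses (192.0.2.0/30, ASA on 192.0.2.1, lab router on 192.0.2.2), the ASA interface name "inside" and the 9500 port name are constructed assumptions. One check worth keeping in mind while reading the output: the ASA's ARP table only ever holds neighbors on subnets attached directly to its interfaces, so hosts reached through the /30 next hop are confirmed via show route on the ASA and show arp on the lab router, whatever the proxy ARP setting.

```cisco
! Added example (not from the thread). Assumed addressing:
!   lab network      10.10.159.0/24  (from the thread)
!   /30 uplink       192.0.2.0/30    (constructed; ASA = 192.0.2.1, lab router = 192.0.2.2)
!   ASA interface toward the lab is named "inside" (assumed)
!
! ===== ASA: static route to the lab /24 via the /30 next hop =====
route inside 10.10.159.0 255.255.255.0 192.0.2.2
!
! ===== ASA: proxy ARP on the inside interface =====
! Weak setting - this line DISABLES proxy ARP on "inside" (the ASA then
! answers ARP only for its own interface address):
sysopt noproxyarp inside
! Corrected setting - remove it, which restores the ASA default of
! answering ARP on behalf of networks it routes to:
no sysopt noproxyarp inside
!
! ===== ASA: verification (exec mode, not configuration) =====
! Confirm no "sysopt noproxyarp inside" line remains:
show running-config sysopt
! Confirm the static route is installed:
show route | include 10.10.159.0
! Only directly attached neighbors will appear here:
show arp
!
! ===== Catalyst 9500: Dynamic ARP Inspection on the uplink VLAN =====
! If DAI is enabled for the VLAN carrying the /30, the port toward the ASA
! must be trusted; otherwise the switch drops ARP replies that do not match
! its DHCP snooping binding table (constructed port name).
interface TenGigabitEthernet1/0/1
 description Uplink to ASA inside
 ip arp inspection trust
!
! ===== Catalyst 9500: verification (exec mode) =====
show ip arp inspection interfaces
show ip arp inspection statistics
```

Apply the ASA lines in configuration mode and the show commands in exec mode. The DAI block is only relevant if show ip arp inspection interfaces reports the VLAN as enabled; on a trusted port the drop counters in show ip arp inspection statistics should stay at zero after the change.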
09-30-2024 09:25 AM
Whoa! That's what I am looking for. I will try to see if I can enable proxy ARP or the ARP inspection command. Looks promising. Thanks for the quick response.
09-30-2024 10:35 AM
You're welcome!
If you’re still having trouble after checking these points, feel free to share more details, and I can help you further troubleshoot the issue.