It is easy, they want to view the natted ip source address (configured in a static nat statement) with the same mac of the interface connected with the router in order to not need a static route to point the traffic to the natted address from the Firewall.
There are 2 static nat mappings and both are working with the solution described.
NAT Entries:
ip nat inside source static 100.64.84.27 172.17.3.189 vrf OPENBANK_001_01010073 match-in-vrf
ip nat inside source static 100.64.84.26 172.17.3.190 vrf OPENBANK_001_01010073 match-in-vrf

ARP entries:
arp vrf OPENBANK_001_01010073 172.17.3.189 a453.0e76.4f12 ARPA alias
arp vrf OPENBANK_001_01010073 172.17.3.190 a453.0e76.4f12 ARPA alias

Interface to FW configuration:
interface GigabitEthernet0/0/2
description BCRA connection to FW
ip vrf forwarding OPENBANK_001_01010073
ip address 172.17.3.130 255.255.255.192
no ip proxy-arp
ip nat outside
ip nat allow-static-host
negotiation auto



This is working, but I want to know if this is something recommended or at least supported config.

Hope this help to understand

Regards

Hello Pablo,

usually this is performed by proxy ARP.

 

And reversing the question : what source MAC address could the router use for a NATTED address? only that of its own outside interface.

 

And what is most important : why the customer is worried about static routes when here it is only a question of ARP ?

 

Explain to the customer that no static route would be needed even if the router would use a different MAC address for the NATTED address ( but my guess is that it would need a specfic configuration to behave this way) it would just require an additional ARP entry on the Firewall.

 

Hope to help

Giuseppe

 

I though the same than you, that this is something performed by proxy-arp,

 

But the customer insist that they need to see the same mac addressed of the connected router subinterface for the natted IPs to work in FW side.

 

This is the reason I create this config which finally fits their requirement.

 

My question is about how this solution is really supported by Cisco.

 

Thanks and regards. 

Hello Pablo,

>> But the customer insist that they need to see the same mac addressed of the connected router subinterface for the natted IPs to work in FW side.

This should happen with a standard configuration with IP proxy ARP enabled.

The router will reply to ARP requests for outside global addresses in the same subnet as outside interface with its own MAC address on the outside interface.

 

And I would say it is the way it works also for other vendors like Checkpoint.

>> This is the reason I create this config which finally fits their requirement.

It looks like a complex solution for something that should behave this way as noted above with standard configuration and IP proxy ARP enabled.

 

Hope to help

Giuseppe

 

Hello

---

@Pablo Munoz wrote:

ip nat inside source static 100.64.84.27 172.17.3.189 vrf OPENBANK_001_01010073 match-in-vrf no-alias

ip nat inside source static 100.64.84.26 172.17.3.190 vrf OPENBANK_001_01010073 match-in-vrf no-alias

 

arp vrf OPENBANK_001_01010073 172.17.3.189 a453.0e76.4f12 ARPA  alias

arp vrf OPENBANK_001_01010073 172.17.3.190 a453.0e76.4f12 ARPA alias

 

interface GigabitEthernet0/0/2

ip nat allow-static-host

---

 

By default the alias is enabled but is hidden, as such it will create the arp for the natted interface, so what you could do is disable this alias creation as above.

 

As far as we tested, in the FW side, the customer does not started to see the mac addresses for the nat ip addresses until I configured "ip nat allow-static-hosts" in the router interface, so I assume this is something needed for the solution I'm trying to explain.