Windows 7 & Cisco ASA 5505

callmedub (Level 1)

HELP!!!

Our client recently purchased their first Windows 7 machine and it is not able to communicate with their Windows Server 2003 SBS Domain Controller. After much troubleshooting and investigating, I came across multiple articles that recommended disabling "Proxy ARP" on the inside interface. This actually corrected the issues, but we then got calls from their remote users saying that they were not able to access resources over the VPN. I tested this myself and confirmed. Might there be something else that would need to be adjusted after disabling the "Proxy ARP" setting?

Note: DHCP for VPN is relayed through to the Windows server, so all users are on the same subnet

Note: I am only familiar with the Cisco GUI at this point so please bear with me when it comes to running anything via command line

Thank you,

Josh

3 Replies

Yudong Wu (Level 7)

What's your vpn client IP pool? If they are on the same subnet as your inside network, you probably see this issue.

What you should do is to use a different IP pool for your VPN client.

Thanks for the response.

As of right now, the Cisco ASA is forwarding DHCP requests to the server and both internal and VPN users are grabbing addresses from the same pool. Prior to this setup, the ASA was responsible for handing out DHCP addresses to VPN users, but again it was on the same subnet. Are you saying that we should have the ASA handle DHCP over VPN, but with a different subnet? If so, can we also keep "Proxy ARP" disabled?

Thanks again,

Josh

Yes, if you use a different subnet for the VPN client, you can disable "Proxy ARP" on the inside interface.

When the VPN client is in the same subnet as the inside network, the inside host will think the VPN client is local and will then send an ARP request to learn its MAC address. If the ASA does not do Proxy ARP, the inside host won't learn the MAC and the packet to the VPN client won't be sent to the ASA. That's the reason why disabling "proxy arp" broke the connection from the VPN client to the internal host.

You can still use the DHCP server to assign IPs to VPN clients, but you need to configure the related group policy to add "dhcp-network-scope ". In this way, the DHCP server will know from which pool it should assign an IP to the client.
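The configuration below is an added illustration of the approach described in the two replies above (a separate VPN client subnet so proxy ARP can stay off on the inside interface, with DHCP still relayed to the Windows server via a group-policy scope). It is not taken from the thread or from Cisco documentation. All addresses, object names and the pre-8.3 NAT syntax are assumptions for a small ASA 5505 deployment of that era: the LAN is 192.168.1.0/24 with the SBS server at 192.168.1.5, and 192.168.2.0/24 is the new VPN-only scope.

```cisco
! --- Constructed example, not the original poster's configuration ---
! Assumed LAN: 192.168.1.0/24 on "inside", SBS/DHCP server at 192.168.1.5
! Assumed VPN client subnet: 192.168.2.0/24 (must NOT overlap the LAN)

! 1. Proxy ARP stays disabled on the inside interface. This is safe only because
!    VPN clients will no longer live in the inside subnet, so inside hosts send
!    traffic for 192.168.2.x to their default gateway (the ASA) instead of ARPing.
sysopt noproxyarp inside

! 2. Keep the Windows server as the DHCP source for VPN clients, but tell it
!    which scope to draw from. The server needs a matching 192.168.2.0/24 scope
!    configured alongside its existing LAN scope.
group-policy VPN-GP internal
group-policy VPN-GP attributes
 dhcp-network-scope 192.168.2.0
 split-tunnel-policy tunnelall

tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 dhcp-server 192.168.1.5
 default-group-policy VPN-GP

! 2b. Alternative to the relay: let the ASA assign addresses from its own pool.
!     Use either this "address-pool" or the "dhcp-server" line above, not both.
! ip local pool VPN-POOL 192.168.2.10-192.168.2.100 mask 255.255.255.0
! tunnel-group VPN-TG general-attributes
!  address-pool VPN-POOL

! 3. NAT exemption for LAN <-> VPN traffic (ASA 8.2-style syntax, assumed).
!    On 8.3 and later this is expressed with twice NAT / "nat (inside,outside) source static".
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. The inside interface ACL must allow the new subnet to reach the LAN
!    (or rely on the default higher-to-lower security behaviour for the return path).
access-list INSIDE-IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
```

Two checks after applying this: confirm a connected client receives a 192.168.2.x address (`show vpn-sessiondb remote` on the ASA, or `ipconfig` on the client), and confirm an inside host resolves no ARP entry for that address (`arp -a` on the Windows host) but can still reach it, which proves the packet is now routed through the ASA rather than depending on proxy ARP. If inside hosts use a router other than the ASA as their default gateway, that router also needs a route for 192.168.2.0/24 pointing at the ASA's inside address.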
