10-07-2010 07:40 AM - edited 03-06-2019 01:23 PM
HELP!!!
Our client recently purchased their first Windows 7 machine and it is not able to communicate with their Windows Server 2003 SBS Domain Controller. After much troubleshooting and investigating, I came across multiple articles that recommended disabling "Proxy ARP" on the inside interface. This actually corrected the issues, but we then got calls from their remote users saying that they were not able to access resources over the VPN. I tested this myself and confirmed. Might there be something else that would need to be adjusted after disabling the "Proxy ARP" setting?
Note: DHCP for VPN is relayed through to the Windows server, so all users are on the same subnet
Note: I am only familiar with the Cisco GUI at this point so please bear with me when it comes to running anything via command line
Thank you,
Josh
10-07-2010 09:56 AM
What's your VPN client IP pool? If the clients are on the same subnet as your inside network, you will probably see this issue.
What you should do is use a different IP pool for your VPN clients.
10-07-2010 11:11 AM
Thanks for the response.
As of right now, the Cisco ASA is forwarding DHCP requests to the server and both internal and VPN users are grabbing addresses from the same pool. Prior to this setup, the ASA was responsible for handing out DHCP addresses to VPN users, but again it was on the same subnet. Are you saying that we should have the ASA handle DHCP over VPN, but with a different subnet? If so, can we also keep "Proxy ARP" disabled?
Thanks again,
Josh
10-07-2010 11:48 AM
Yes, if you use a different subnet for the VPN clients, you can disable "Proxy ARP" on the inside interface.
When the VPN client is in the same subnet as the inside network, the inside host will think the VPN client is local and will then send an ARP request to learn its MAC address. If the ASA does not do Proxy ARP, the inside host won't learn the MAC, and the packet to the VPN client won't be sent to the ASA. That's the reason why disabling "proxy arp" broke the connection from the VPN client to the internal host.
You can still use the DHCP server to assign IPs to VPN clients, but you need to configure the related group policy to add "dhcp-network-scope
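An added example ASA configuration (not from the thread or from Cisco) of the setup the answer above describes: VPN clients on their own subnet, addresses still handed out by the Windows DHCP server through dhcp-network-scope, and proxy ARP left disabled on the inside interface. The subnets, the DHCP server address, the tunnel-group and group-policy names, and the ASA 8.2-style NAT syntax are all assumptions.

```cisco
! Assumed lab values (not from the thread): inside LAN 192.168.1.0/24,
! SBS DHCP server 192.168.1.10, new VPN client subnet 192.168.100.0/24,
! remote-access tunnel-group RA-VPN with group-policy RA-POLICY.
!
! Keep proxy ARP off on the inside interface (the change that fixed the
! Windows 7 problem). Inside hosts now reach VPN clients by routing to the
! ASA instead of by ARP, so nothing on the LAN depends on proxy ARP.
sysopt noproxyarp inside
!
! Relay VPN clients' DHCP requests to the Windows server, but tag them with
! the VPN subnet so the server answers from a separate scope. The server
! must have a scope for 192.168.100.0/24 alongside the existing LAN scope.
tunnel-group RA-VPN general-attributes
 dhcp-server 192.168.1.10
 default-group-policy RA-POLICY
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 dhcp-network-scope 192.168.100.0
!
! Alternative if the ASA should assign VPN addresses itself: a local pool
! on the separate subnet, referenced from the tunnel-group instead of
! dhcp-server (only one of the two methods should be active).
! ip local pool VPN-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
! tunnel-group RA-VPN general-attributes
!  address-pool VPN-POOL
!
! Exempt LAN <-> VPN traffic from NAT (ASA 8.2-style syntax).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

This only works if the inside hosts' default gateway is the ASA (or a router with a route for 192.168.100.0/24 pointing at the ASA); that explicit route is what replaces the proxy ARP reply the hosts used to rely on.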