Anyconnect U-turn with static NAT?

sanchezeldorado
Level 1

Hello,

I have a client with a Cisco Firepower firewall and I'm setting up an AnyConnect VPN. The trouble I'm having is that their ISP is using a shared /23 block of IP addresses for their multiple customers. The VPN clients also need to route all traffic through their main office when connected to VPN. When I set up a dynamic NAT rule to do a U-turn for internet traffic, it does proxy ARP on the outside interface. This causes the ISP to shut them down because it breaks all their other customers on the /23 network. Is it possible to use static NAT for this purpose with no-proxy-arp checked, or am I stuck with the options of doing split-tunnel or a new ISP?

Thanks!

Andy

1 Accepted Solution

Accepted Solutions

Use this and see the result.
sysops noproxyarp outside

"sorry I update the reply"

11 Replies
Thanks for the reply. This is an FTD device managed by FMC. I did some searching, and adding that command (even if I could change it from the CLI) would turn ON proxy ARP, not disable it. If that is the way to go, can I get some more information about how to implement it?

In addition, what would be the result of adding a static NAT rule outside outside with the Anyconnect as the original source and destination interface IP as the translated source?

Thanks for the updated reply. Through some more research, I found that it is "sysopt", and that in FTD I need to create a FlexConfig object to apply it. I'll update this post when I find out if it works, but it looks like it should. I need a maintenance window to make the changes when I can work with the ISP. Possibly tomorrow.

Worked like a charm! Thanks!

Can you please give me the solution for your situation? I have the same issue.

The answer is in this thread. Use "sysopt noproxyarp outside". If you're using Firepower, you need to do it with a FlexConfig.

Can you please give me the config I must do? I have Firepower but don't know about FlexConfig.

The following is courtesy of ChatGPT, so take it with a grain of salt. I moved on to a new job that uses Palo Alto instead, so I don't currently have a setup to verify this information with. Be very careful with FlexConfigs.

Here are step-by-step instructions for adding the command "sysopt noproxyarp outside" to a Cisco Firepower firewall, along with an explanation of why a FlexConfig is needed.

  1. Log in to the Cisco Firepower Management Center (FMC) web interface using an administrator account.

  2. Navigate to the "Devices" tab in the FMC interface.

  3. Select the desired Firepower firewall device from the list of managed devices.

  4. In the device's configuration page, click on the "FlexConfig" tab.

  5. Click on the "Add FlexConfig Object" button to create a new FlexConfig object.

  6. Provide a name for the FlexConfig object, such as "NoProxyARP Config."

  7. In the "Configuration Commands" section, enter the following command:

     sysopt noproxyarp outside

  8. Optionally, you can add a description for the FlexConfig object to provide additional context.

  9. Click "Save" to create the FlexConfig object.

  10. Now, go back to the device's configuration page and click on the "Access Policy" tab.

  11. Edit the access control policy that applies to the Firepower firewall where you want to add the command.

  12. In the policy editor, select the rule or rules where you want to apply the "sysopt noproxyarp outside" command.

  13. In the "Action" section of the rule editor, click on the "FlexConfig" dropdown menu and select the FlexConfig object you created earlier ("NoProxyARP Config").

  14. Save the policy changes.

Now, let's discuss the reasoning behind using a FlexConfig for this configuration change:

FlexConfig provides a mechanism to apply device-specific or vendor-specific configurations that are not available through the standard FMC interface. In this case, the command "sysopt noproxyarp outside" is a Cisco ASA-specific command that is not directly configurable through the FMC's standard options.

By utilizing FlexConfig, you can insert the command into the device's running configuration without having to resort to manual command-line interface (CLI) access. This approach ensures that the configuration change is managed and audited through the FMC.

Using a centralized management system like the FMC and leveraging the FlexConfig capability allows administrators to maintain consistency and control over the configurations of multiple Firepower firewall devices, ensuring adherence to organizational policies and reducing the risk of manual errors.

Remember to review and validate your changes before deploying them to a production environment.
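As an added illustration, not taken from this thread or from Cisco documentation, here is what the FlexConfig object body and the surrounding AnyConnect U-turn configuration look like in the ASA syntax that FMC deploys to the FTD, followed by the commands to confirm proxy ARP is off after deployment. The object name ANYCONNECT_POOL and the 10.99.0.0/24 pool are constructed assumptions.

```cisco
! Added example (constructed): ASA-syntax lines for the AnyConnect U-turn
! scenario in this thread. Object name and the 10.99.0.0/24 pool are
! assumptions, not values from the post.

! Hairpinning: VPN traffic arrives on outside and must leave on outside again
same-security-traffic permit intra-interface

! AnyConnect address pool (constructed value)
object network ANYCONNECT_POOL
 subnet 10.99.0.0 255.255.255.0
 ! U-turn NAT: client traffic going back out is PAT'd to the outside
 ! interface's own address rather than to a spare address in the ISP's /23
 nat (outside,outside) dynamic interface

! This single line is the whole FlexConfig object body. It stops the
! firewall answering ARP for addresses on the shared ISP segment that it
! does not own, which is what knocked out the ISP's other customers.
sysopt noproxyarp outside

! Verification after deploy, from the FTD CLI:
!   show running-config sysopt   -> must list "sysopt noproxyarp outside"
!   show nat                     -> confirm the (outside,outside) rule exists
```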

Thanks for your answer. So the one way, and the managed one, is to configure FlexConfig. But if you don't care about management you can just apply the CLI command "sysops noproxyarp outside". Am I correct?

I'm not quite sure I understand your question. If you're using Firepower, then FlexConfig is the only way to apply the command. You can't use the CLI for configuration. If you're using an ASA, then you CAN just apply the CLI command.

OK, understood. You completely answered my question. Thanks!