ASA, IPsec with no proxy ARP on the NAT

khaled alodat, Level 1

I hope that someone can clarify this to me.

A site-to-site was configured properly without any problem. A NAT was required to change the source address; the destination is unique to the site (no NAT).

The VPN was up but there was no traffic going or coming. I've managed to solve the problem by disabling proxy ARP for that NAT statement.

But to be honest I don't understand what the ASA is trying to ARP here and why disabling proxy ARP solves the problem.

I hope my question was clear.

Thanks,

KO


pschulz, Level 1

See the following document: Cisco ASA Firewall NAT Reference

Typically on site-to-site VPNs, the NAT statement will include the entire subnet on each side. This can cause problems when ARP requests are issued for hosts on the same subnet as the source host - the ASA will respond as well, which may cause confusion.

As per the text of the above doc:

"Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving proxy ARP enabled can cause problems for hosts on the network directly connected to the mapped interface. In this case, when a host on the mapped network wants to communicate with another host on the same network, then the address in the ARP request matches the NAT rule (which matches “any” address). The ASA will then proxy ARP for the address, even though the packet is not actually destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA."


"Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address" -> This part of the docs completely bricked my understanding of twice NAT rules. The basic form is:

nat (real_ifc,mapped_ifc) source static real_src mapped_src destination static mapped_dst real_dst [no-proxy-arp]

(simplified)

From my understanding, when no-proxy-arp is omitted, the ASA should (1) proxy-arp on real_ifc for all addresses from mapped_dst and (2) proxy-arp on mapped_ifc for all addresses from mapped_src. (The above rule is bidirectional because it does not contain the unidirectional keyword!)

(1) is for connections from real_ifc to mapped_ifc and (2) is for connections from mapped_ifc to real_ifc.

For (1) the ASA needs to proxy-arp for mapped_dst, whilst for (2) one needs to symmetrically change sources and destinations. So there it needs to proxy-arp for mapped_src according to the above syntax.

How, then, could the following sentence be true: "the proxy ARP decision is made only on the source address"? I would suppose that the docs explain case (1), which is the natural way of reading the rule. I am convinced that it must be "the proxy ARP decision is made only on the destination address (mapped_dst)" instead.

And if you again symmetrically change sources and destinations, the proxy ARP decision must be made on mapped_src.

Am I completely wrong with my understanding of twice NAT or is this a bug in the docs?

Edit: And of course, for no-proxy-arp I would expect the ASA to proxy-arp for neither of the two cases. (Where I am also not sure if this is actually the case.)
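A small Python model of the proxy ARP decision as the quoted NAT reference states it, added here as an illustration; it is not Cisco's code and not from either poster, and the `TwiceNatRule` class, the interface names and the addresses are my own constructed assumptions. It implements only the quoted rule that, on the mapped interface, the ASA answers ARP when the target falls in the rule's mapped source (ignoring the destination half) unless no-proxy-arp is set, which is enough to reproduce the "any" identity NAT symptom from the doc and to show why the keyword clears it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class TwiceNatRule:
    """Simplified twice NAT rule (hypothetical model, not ASA code):
    nat (real_ifc,mapped_ifc) source static real_src mapped_src
        destination static mapped_dst real_dst [no-proxy-arp]"""
    real_ifc: str
    mapped_ifc: str
    mapped_src: str            # "any" or a CIDR the rule presents on mapped_ifc
    mapped_dst: str            # kept for completeness; not consulted here
    no_proxy_arp: bool = False


def _covers(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def asa_answers_arp(rules, ifc, target_ip):
    """Return the first rule that makes the ASA reply to an ARP request for
    target_ip seen on interface ifc, or None.  Per the quoted reference only the
    rule's mapped *source* is checked, and only on the mapped interface."""
    for r in rules:
        if not r.no_proxy_arp and ifc == r.mapped_ifc and _covers(r.mapped_src, target_ip):
            return r
    return None


def demo():
    # Constructed scenario: hosts on the segment attached to 'outside' live in
    # 203.0.113.0/24; the site-to-site rule covers the remote site 192.0.2.0/24.
    broad = [TwiceNatRule("inside", "outside", "any", "192.0.2.0/24")]
    fixed = [TwiceNatRule("inside", "outside", "any", "192.0.2.0/24", no_proxy_arp=True)]
    narrow = [TwiceNatRule("inside", "outside", "10.0.0.0/24", "192.0.2.0/24")]
    return {
        # a host ARPs for its own neighbour 203.0.113.20: with "any" the ASA
        # also answers and races the real host (the symptom in the doc)
        "broad_any_neighbour": asa_answers_arp(broad, "outside", "203.0.113.20") is not None,
        "broad_any_no_proxy_arp": asa_answers_arp(fixed, "outside", "203.0.113.20") is not None,
        # a narrow mapped source leaves neighbour ARPs alone...
        "narrow_neighbour": asa_answers_arp(narrow, "outside", "203.0.113.20") is not None,
        # ...and still proxy-ARPs for the mapped pool, which is the intended use
        "narrow_mapped_addr": asa_answers_arp(narrow, "outside", "10.0.0.7") is not None,
    }


if __name__ == "__main__":
    for case, asa_replies in demo().items():
        print(f"{case:24s} ASA replies: {asa_replies}")
```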