ASA, IPsec with no proxy ARP on the NAT

khaled alodat
Level 1

I hope that someone can clarify this to me.

A site-to-site was configured properly without any problem. A NAT was required to change the source address; the destination is unique to the site (no NAT).

The VPN was up but there was no traffic going or coming. I've managed to solve the problem by disabling proxy ARP for that NAT statement.

But to be honest I don't understand what the ASA is trying to ARP here and why disabling proxy ARP solves the problem.

I hope my question was clear.

Thanks,

KO

1 Reply

pschulz
Level 1

See the following document at

Cisco ASA Firewall NAT Reference 

Typically on site-to-site VPNs, the NAT statement will include the entire subnet on each side. This can cause problems when ARP requests are issued for hosts on the same subnet as the source host - the ASA will respond as well, which may cause confusion.

As per the text of the above doc: 

"Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving proxy ARP enabled can cause problems for hosts on the network directly connected to the mapped interface. In this case, when a host on the mapped network wants to communicate with another host on the same network, then the address in the ARP request matches the NAT rule (which matches “any” address). The ASA will then proxy ARP for the address, even though the packet is not actually destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA."
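The configuration below is an added example to illustrate the behaviour described in the quoted text; it is not from this thread or from the Cisco document. The interface names (inside/outside), object names and address ranges are constructed, and the assumption is that the original poster's fix corresponds to the per-rule `no-proxy-arp` keyword of the ASA 8.3+ NAT syntax.

```cisco
! Constructed example (not from the thread): ASA 8.3+ NAT syntax.
! Interface names, object names and subnets are assumed, not taken from the post.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network LOCAL-MAPPED
 subnet 172.16.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.0.0
object network ANY-NET
 subnet 0.0.0.0 0.0.0.0
!
! BEFORE: the case the quoted document warns about. A broad identity NAT whose
! source matches "any". With proxy ARP left at its default (enabled), the ASA
! answers ARP requests on the mapped interface for any address matching the
! rule's source, including hosts on the directly connected network, so a host
! that receives the ASA's reply first sends its traffic to the firewall.
nat (inside,outside) source static ANY-NET ANY-NET destination static REMOTE-LAN REMOTE-LAN
!
! AFTER: the same rule with proxy ARP disabled for this statement only.
! Replace the rule above with this one; do not keep both.
nat (inside,outside) source static ANY-NET ANY-NET destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
!
! The original poster's kind of rule: source translated, destination unchanged.
! The proxy ARP decision is made on the (mapped) source address, so the same
! keyword is what turns proxy ARP off for this NAT statement.
nat (inside,outside) source static LOCAL-LAN LOCAL-MAPPED destination static REMOTE-LAN REMOTE-LAN no-proxy-arp
!
! Checks: confirm the rule carries the flag and that the ASA no longer appears
! as the resolved MAC for LAN hosts in the neighbouring hosts' ARP tables.
show running-config nat
show nat detail
show arp
```

The per-rule keyword is the narrow fix: it changes only the one statement that was answering ARP for addresses it should not. The ASA also has an interface-wide `sysopt noproxyarp <interface>` command, but that disables proxy ARP for every translation on that interface, which may break static NATs that rely on the ASA answering ARP for their mapped addresses; prefer the per-rule keyword unless the whole interface is meant to be affected.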