3611 Views · 0 Helpful · 3 Replies

Cisco ASA proxy-arp limiting to NAT statements only

vijaycisco
Level 1

I have a very simple setup, but it seems puzzling to figure out how to restrict the ASA to proxy-ARP only for NAT entries and not for the entire outside interface subnet. Currently, in the sample config I have below, where I am testing an ASA5512 with 9.15x code, other devices on the subnet 172.19.128.0/24 cannot access the outside world, as the ASA keeps sending proxy-ARP replies to the upstream router even if it has an ARP entry for these IP addresses. If I do "sysopt noproxyarp outside", the ASA does not proxy-ARP even for the NAT statement I have for 172.19.128.61. Disabling proxy-ARP on the NAT entry also breaks this, as the ASA does not tell the upstream router that it owns 172.19.128.61.

I basically want it to proxy-ARP only for 172.19.128.61 and not for the entire subnet.

Here is the relevant configuration I am testing.

interface GigabitEthernet0/1
 description WAN link
 nameif outside
 security-level 0
 ip address 172.19.128.60 255.255.255.0
!
object network vpn-clients
 subnet 192.168.10.0 255.255.255.0
object network outside_ip
 host 172.19.128.61
nat (outside,outside) source dynamic vpn-clients outside_ip

If this is not possible, I would like to know. It seems like there may be some trick in the documentation I am missing.

Thanks

Vijay

3 Replies

agairola
Level 1

My2Cents,

The ASA would normally proxy-ARP for IP addresses that are mentioned in NAT statements.

The NAT you mentioned should only make the ASA proxy-ARP for 172.19.128.61.

Do you have an identity NAT where the complete OUTSIDE subnet is mentioned, for example:

nat (outside,outside) source static <outside_subnet> <outside_subnet> destination static <some_destination> <some_destination>

If yes, then you can use the no-proxy-arp keyword with this identity NAT.

This is explained here:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

./Adesh
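To make the check Adesh describes concrete, here is an added example configuration. It is not config from either poster or from the linked Cisco document, and the object name outside_subnet is an assumption for the example. It shows what an identity NAT covering the whole outside subnet looks like once the no-proxy-arp keyword is added, next to the PAT rule for 172.19.128.61 that keeps the default proxy-ARP behaviour, followed by the show commands used to see which rules carry mapped addresses in the outside subnet and which addresses the ASA is actually answering ARP for:

```text
! Added illustration, not config from either poster. The object name
! "outside_subnet" is assumed for the example.
object network vpn-clients
 subnet 192.168.10.0 255.255.255.0
object network outside_ip
 host 172.19.128.61
object network outside_subnet
 subnet 172.19.128.0 255.255.255.0
!
! Identity (twice) NAT that mentions the whole outside subnet. Without the
! no-proxy-arp keyword, a static rule like this makes the ASA answer ARP on
! the mapped interface (outside) for every address in 172.19.128.0/24.
! With the keyword, this rule no longer triggers proxy-ARP.
nat (outside,outside) source static outside_subnet outside_subnet no-proxy-arp
!
! The PAT rule for the VPN clients is left at the default (proxy-ARP on),
! so the ASA still claims 172.19.128.61 towards the upstream router.
nat (outside,outside) source dynamic vpn-clients outside_ip
!
! Checks: list every NAT rule and its mapped addresses, see which outside
! addresses the ASA already knows, confirm no global sysopt noproxyarp is
! set for the interface, and watch the ARP requests the ASA answers.
show nat detail
show arp
show running-config sysopt
debug arp
```

If "show nat detail" lists no rule other than the PAT rule with a mapped address inside 172.19.128.0/24, the no-proxy-arp keyword has nothing to suppress, which is the situation Vijay describes in his follow-up below.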

I don't think this solves the problem I mentioned. The "no-proxy-arp" statement in "sysopt" is global.

Your response doesn't really work.

Even if you do "no-proxy-arp" in a NAT statement, it really means only that packets matching that NAT statement will not be supported by proxy-ARP. I think it assumes the NAT is being performed without using the IP address of the interface, and that you are expected to route the packets back (layer 3) to the ASA.

If you do "sysopt noproxyarp $interface", then the NAT statement saying "don't proxy-ARP" is sort of useless. What I am looking for requires proxy-ARP only for the NAT statement and not for the entire subnet of $interface. As far as I can see, this does not seem possible.

Vijay

Hi Vijay,

I don't think you understood what I or the document was talking about.

The ASA won't proxy-ARP for the entire subnet by default. There is normally a NAT statement that makes the ASA proxy-ARP for an IP or a subnet. I would still suggest checking your NAT statements/xlates for the OUTSIDE subnet.

./Adesh