03-02-2018 08:50 AM - edited 03-12-2019 05:04 AM
I have a very simple setup, but it seems puzzling to figure out how to restrict the ASA to proxy-arp only for NAT entries and not for the entire outside interface subnet. Currently, in the sample config I have below, where I am testing an ASA5512 with 9.15x code, other devices on the subnet 172.19.128.0/24 cannot access the outside world, as the ASA keeps sending proxy-arp to the upstream router even if it has an arp entry for these IP addresses. If I do "sysopt noproxyarp outside", the ASA does not proxy-arp even for the NAT statement I have for 172.19.128.61. Disabling proxy-arp for the NAT entry also breaks this, as the ASA does not tell the upstream router that it owns 172.19.128.61.
I basically want it to proxy-arp only for 172.19.128.61 and not for the entire subnet.
Here is the relevant configuration I am testing.
interface GigabitEthernet0/1
 description WAN link
 nameif outside
 security-level 0
 ip address 172.19.128.60 255.255.255.0
!
object network vpn-clients
 subnet 192.168.10.0 255.255.255.0
object network outside_ip
 host 172.19.128.61
nat (outside,outside) source dynamic vpn-clients outside_ip
If this is not possible, I would like to know. It seems like there may be some trick in the documentation I am missing.
Thanks
Vijay
03-04-2018 03:14 PM
My2Cents,
ASA would normally proxy-arp for IP addresses that are mentioned in the NAT statements.
The NAT you mentioned should only make ASA proxy-arp for 172.19.128.61.
Do you have an identity nat where the complete OUTSIDE subnet is mentioned, for example:
nat (outside,outside) source static <outside_subnet> <outside_subnet> destination static <some_destination> <some_destination>
If yes, then you can use the no-proxy-arp keyword with this identity NAT.
This is explained here:
./Adesh
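As an added illustration of the suggestion above (not configuration from this thread or from Cisco documentation), here is the identity-NAT approach written out against the addressing in the original post. The object name outside_subnet and the "any" destination are my assumptions; the NAT keywords are standard ASA twice-NAT syntax. Whether this resolves the original setup is what the follow-up posts dispute.

```cisco
! Added example, not from the thread: identity NAT with no-proxy-arp for the
! outside subnet, kept alongside the dynamic PAT that should be the only rule
! making the ASA answer ARP on the outside interface.
!
! 1. Existing dynamic PAT: the mapped address 172.19.128.61 is the one IP the
!    ASA should proxy-arp for.
object network vpn-clients
 subnet 192.168.10.0 255.255.255.0
object network outside_ip
 host 172.19.128.61
nat (outside,outside) source dynamic vpn-clients outside_ip
!
! 2. Identity NAT for the rest of the outside subnet, with no-proxy-arp so the
!    ASA does not answer ARP on behalf of neighbours it does not own. Object
!    name and the "any" destination are assumptions. Leave
!    "sysopt noproxyarp outside" at its default; that global knob would also
!    silence proxy-arp for .61, which is the breakage described in the post.
object network outside_subnet
 subnet 172.19.128.0 255.255.255.0
nat (outside,outside) source static outside_subnet outside_subnet destination static any any no-proxy-arp
!
! The two rules match disjoint source objects (192.168.10.0/24 vs
! 172.19.128.0/24), so their relative order in NAT section 1 does not matter.
!
! 3. Checks after applying: confirm the rule text and hit counters, and that
!    ARP entries for the other hosts in 172.19.128.0/24 are ordinary, not
!    local, entries.
!    show running-config nat
!    show nat detail
!    show arp
```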
03-11-2018 06:48 AM
I don't think this solves the problem I mentioned. The "no-proxy-arp" statement in "sysopt" is global.
Your response doesn't really work.
Even if you do "no-proxy-arp" in a NAT statement, it really means only that packets matching that NAT statement will not be supported by proxy-arp. I think it assumes that NAT is being performed without using the IP address of the interface, and you are expected to route the packets back (layer 3) to the ASA.
If you do "sysopt noproxyarp $interface" then the NAT statement saying don't proxy-arp is sort of useless. What I am looking for requires proxy-arp only for the NAT statement and not for the entire subnet of $interface. As far as I can see this does not seem possible.
Vijay
03-11-2018 01:45 PM
Hi Vijay,
I don’t think you understood what I or either document was talking about.
ASA won’t proxy arp for the entire subnet by default. There is normally a NAT statement that makes the ASA proxy arp for an IP or a subnet. I would still suggest checking your NAT statements/xlates for the OUTSIDE subnet.
./Adesh