Cisco ASA proxy-arp limiting to NAT statements only


I have a very simple setup, but it seems puzzling to figure out how to restrict the ASA to proxy-ARP only for NAT entries and not for the entire outside interface subnet. Currently, in the sample config I have below, where I am testing an ASA5512 with 9.15x code, other devices on the subnet cannot access the outside world, as the ASA keeps sending proxy-ARP to the upstream router even if it has an ARP entry for these IP addresses. If I do "sysopt noproxyarp outside", the ASA does not proxy-ARP even for the NAT statement I have for  Disabling proxy-ARP for the NAT entry also breaks this, as the ASA does not tell the upstream router that it owns the



I basically want it to proxy-ARP only for the and not for the entire subnet.



Here is the relevant configuration I am testing.


interface GigabitEthernet0/1
 description WAN link
 nameif outside
 security-level 0
 ip address

object network vpn-clients

object network outside_ip

nat (outside,outside) source dynamic vpn-clients outside_ip



If this is not possible, I would like to know. It seems like there may be some trick in the documentation I am missing.








The ASA would normally proxy-ARP for IP addresses that are mentioned in the NAT statements.


The NAT you mentioned should only make the ASA proxy-ARP for


Do you have an identity NAT where the complete OUTSIDE subnet is mentioned? For example:


nat (outside,outside) source static <outside_subnet> <outside_subnet> destination static <some_destination> <some_destination>

If yes, then you can use the no-proxy-arp keyword with this identity NAT.


This is explained here:





I don't think this solves the problem I mentioned. The "no-proxy-arp" statement in "sysopt" is global. 

Your response doesn't really work.


Even if you do "no-proxy-arp" in a NAT statement, it really means only packets that match that NAT statement will not be supported by proxy-ARP. I think it assumes that NAT is being performed without using the IP address of the interface, and you are expected to route the packets back (layer 3) to the ASA.


If you do "sysopt noproxyarp $interface", then the NAT statement saying "don't proxy-ARP" is sort of useless. What I am looking for requires proxy-ARP only for the NAT statement and not for the entire subnet of $interface. As far as I can see, this does not seem possible.



Hi Vijay,


I don't think you understood what I or either document was talking about.


The ASA won't proxy-ARP for the entire subnet by default. There is normally a NAT statement that makes the ASA proxy-ARP for an IP or a subnet. I would still suggest checking your NAT statements/xlates for the OUTSIDE subnet.
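To make the point of the two replies concrete, here is an added configuration example that is not from this thread or the poster's ASA. All addresses are assumed: 203.0.113.0/24 as the outside subnet, 203.0.113.10 as the mapped address for the VPN clients, 10.10.10.0/24 as the VPN client pool and 198.51.100.0/24 as an arbitrary destination. It shows the identity NAT that would make the ASA answer ARP for the whole outside subnet, and the same rule with the no-proxy-arp keyword, which leaves the ASA answering ARP only for the dynamic rule's mapped address.

```text
! Constructed example, not the poster's config; addresses are assumed
object network vpn-clients
 subnet 10.10.10.0 255.255.255.0
object network outside_ip
 host 203.0.113.10
object network outside_subnet
 subnet 203.0.113.0 255.255.255.0
object network some_destination
 subnet 198.51.100.0 255.255.255.0
!
! Hairpin PAT for VPN clients: the ASA needs to proxy-ARP for 203.0.113.10,
! and this is the only address it should answer ARP for
nat (outside,outside) source dynamic vpn-clients outside_ip
!
! Problem form: identity NAT whose mapped side is the whole outside subnet.
! The ASA proxy-ARPs for mapped addresses, so it answers ARP for every host
! in 203.0.113.0/24 and the upstream router sends all of their traffic to it
nat (outside,outside) source static outside_subnet outside_subnet destination static some_destination some_destination
!
! Corrected form: keep the identity rule, but disable proxy ARP for it only.
! "sysopt noproxyarp outside" stays absent, so the dynamic rule above still
! gets proxy ARP for 203.0.113.10
no nat (outside,outside) source static outside_subnet outside_subnet destination static some_destination some_destination
nat (outside,outside) source static outside_subnet outside_subnet destination static some_destination some_destination no-proxy-arp
!
! Checks after the change (ASA side):
!   show nat detail              - rules in order, with translate/untranslate hits
!   show running-config sysopt   - confirm no "sysopt noproxyarp outside" line
! On the upstream router, its ARP entry for 203.0.113.10 should resolve to the
! ASA's outside MAC, while entries for other 203.0.113.0/24 hosts should not
```

If the identity NAT is not present in the running config, look for any other rule whose mapped (translated) side covers the outside subnet in the output of show nat detail; that is the rule the no-proxy-arp keyword belongs on.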