Comments on: ASA and Proxy ARP http://aconaway.com/2009/09/11/asa-and-proxy-arp/ It's possible that someone somewhere needs to see this. Fri, 10 Feb 2012 13:52:17 -0700 hourly 1 http://wordpress.org/?v=3.1.4 By: Joe Schulte http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-82296 Joe Schulte Tue, 10 Jan 2012 14:02:56 +0000 http://aconaway.com/?p=362#comment-82296 Interestingly enough I just did an upgrade from 8.2 to 8.4 and got hosed by this, but in the opposite way. Because it's a small site, the two main purposes of ASA was internet firewall and routing between two VLANs. Keeping in mind that the only uplink through the ASA was at the core switch (no routing on it - don't ask me, just part of the nightmare I walked into), I somehow had stuff on Subnet A showing the ASA's MAC as the MAC for about half the equipment on that subnet. I was able to ping those addresses of course, because it was actually the ASA responding, but nothing else would communicate with those hosts correctly. Eventually the Google led me to a post on Proxy Arp and how to disable it. With no better ideas I just did it and hoped. Solved my problem though. I'm guessing the default went from proxy ARP being off to on at the big 8.3 switch. Thanks, Cisco! Interestingly enough I just did an upgrade from 8.2 to 8.4 and got hosed by this, but in the opposite way.

Because it’s a small site, the two main purposes of ASA was internet firewall and routing between two VLANs.

Keeping in mind that the only uplink through the ASA was at the core switch (no routing on it – don’t ask me, just part of the nightmare I walked into), I somehow had stuff on Subnet A showing the ASA’s MAC as the MAC for about half the equipment on that subnet. I was able to ping those addresses of course, because it was actually the ASA responding, but nothing else would communicate with those hosts correctly.

Eventually the Google led me to a post on Proxy Arp and how to disable it. With no better ideas I just did it and hoped.

Solved my problem though.

I’m guessing the default went from proxy ARP being off to on at the big 8.3 switch. Thanks, Cisco!

]]> By: Justin Ellison http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-31175 Justin Ellison Wed, 15 Sep 2010 09:58:11 +0000 http://aconaway.com/?p=362#comment-31175 @Pulsarav - I think Cisco bug CSCti38867 is what you're looking for. I believe I just tripped over that myself. @Pulsarav – I think Cisco bug CSCti38867 is what you’re looking for. I believe I just tripped over that myself.

]]> By: Aaron Conaway http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-23283 Aaron Conaway Thu, 27 May 2010 01:52:52 +0000 http://aconaway.com/?p=362#comment-23283 According to what you submitted and what I found, proxy ARP is indeed enabled by default (no sysopt proxyarp X), but it surely wasn't on our 5540. I can't find any other documentation that says it should be that way, though. I've got no answer. :( According to what you submitted and what I found, proxy ARP is indeed enabled by default (no sysopt proxyarp X), but it surely wasn’t on our 5540. I can’t find any other documentation that says it should be that way, though. I’ve got no answer. :(

]]> By: Pulsarav http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-23282 Pulsarav Wed, 26 May 2010 22:43:51 +0000 http://aconaway.com/?p=362#comment-23282 I ran across this post while researching the same issue as you describe, however in this case proxy arp is turned on. The ASA is running the latest 8.3 code, so I suspect a bug. On another note, the Cisco web site indicates that proxy arp is *on* by default on the ASA's. Do you have a Cisco source that says it isn't? ~~~~~~~~ To disable proxy ARP for NAT global addresses or VPN client addresses on an interface, use the sysopt noproxyarp command in global configuration mode. To reenable proxy ARP, use the no form of this command. sysopt noproxyarp interface_name no sysopt noproxyarp interface_name Syntax Description interface_name The interface name for which you want to disable proxy ARP. Defaults Proxy ARP is enabled by default. ~~~~~~~~~~ Thanks, Pulsarav I ran across this post while researching the same issue as you describe, however in this case proxy arp is turned on. The ASA is running the latest 8.3 code, so I suspect a bug.

On another note, the Cisco web site indicates that proxy arp is *on* by default on the ASA’s. Do you have a Cisco source that says it isn’t?

~~~~~~~~
To disable proxy ARP for NAT global addresses or VPN client addresses on an interface, use the sysopt noproxyarp command in global configuration mode. To reenable proxy ARP, use the no form of this command.

sysopt noproxyarp interface_name

no sysopt noproxyarp interface_name

Syntax Description
interface_name
The interface name for which you want to disable proxy ARP.

Defaults
Proxy ARP is enabled by default.
~~~~~~~~~~

Thanks,

Pulsarav

]]> By: Aaron Conaway http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-20307 Aaron Conaway Fri, 18 Sep 2009 13:05:46 +0000 http://aconaway.com/?p=362#comment-20307 Hi, NN11: This particular instance was a 5540 running 8.2(1). The NAT was a 1-to-1 host NAT, so all traffic to/from the billing server is NATted. I'd rather not share too much information on the topology, but it's quite simple. The billing network is on an interface with security level of 0. The production network is off an interface with security level of 50. In this case, the productions servers were another layer-3 hop away, but the same would hold true if it were directly attached to the network with the production interface. So, simplistically, you have <pre> <- Static NAT -> Billing -- 5540 -- Production</pre> I hope that clears it up for you. If you have questions on using VLANs on the 7600, I can see what I can drag up for you. Hi, NN11:

This particular instance was a 5540 running 8.2(1). The NAT was a 1-to-1 host NAT, so all traffic to/from the billing server is NATted.

I’d rather not share too much information on the topology, but it’s quite simple. The billing network is on an interface with security level of 0. The production network is off an interface with security level of 50. In this case, the productions servers were another layer-3 hop away, but the same would hold true if it were directly attached to the network with the production interface. So, simplistically, you have

      < - Static NAT ->
Billing -- 5540 -- Production

I hope that clears it up for you. If you have questions on using VLANs on the 7600, I can see what I can drag up for you.

]]> By: netninja11 http://aconaway.com/2009/09/11/asa-and-proxy-arp/comment-page-1/#comment-20295 netninja11 Fri, 18 Sep 2009 03:03:01 +0000 http://aconaway.com/?p=362#comment-20295 Hi, Good to know about the ARP Reply issue with the ASA. What ASA model and code is running on the appliance? So what type of Static NAT policy did you have on the ASA? Sounds like a Static NAT that covers an entire subnet (1-1, host-host). I do not seem to get the network topology from your description above. Can you email me one? I would like to see the VLAN layout to understand the traffic flow from the production server to/fro accounting server (no ip addresses please...:-)). Thanks, netninja11 Hi,
Good to know about the ARP Reply issue with the ASA. What ASA model and code is running on the appliance?

So what type of Static NAT policy did you have on the ASA? Sounds like a Static NAT that covers an entire subnet (1-1, host-host).
I do not seem to get the network topology from your description above. Can you email me one? I would like to see the VLAN layout to understand the traffic flow from the production server to/fro accounting server (no ip addresses please…:-)).

Thanks,
netninja11

]]>