
Proxy ARP – Cisco ASA and Anyconnect

Date: 26.11.2016

Background

When deploying firewalls at the Internet edge, other devices often sit in the same outside segment as the ASA firewall. This is typical when an enterprise owns a public segment of several public IP addresses. Examples of such devices are an anti-spam system, DNS servers or a load balancer that communicate with other systems; in e-commerce, for instance, sharing one Ethernet segment requires clean L2/L3 communication, which depends on ARP. Talking about a Layer 2 segment means talking about ARP-related issues, which I described in my last post on ARP behaviour.

ARP Proxy problem definition

I have seen a few times that, after some period of coexistence, one of the systems residing in the public segment stops responding. After spending a while troubleshooting, the cause turned out to be the ASA answering ARP requests (proxy ARP) on its outside interface for addresses in that same segment. By default the ASA uses proxy ARP to support NAT translation rules: thanks to proxy ARP the ASA can claim NATed addresses that differ from the address configured on the interface. In other words, the ASA responds to ARP requests for addresses used in NAT. There is a specific case in which the ASA sends an ARP reply for every request it sees; it is caused by a rule like the following:

    nat (inside,outside) source static ANY ANY destination static AC AC

With the ANY objects present, this rule causes proxy ARP replies for all destinations (from the public segment's perspective). To get rid of this issue you have two options: add no-proxy-arp to the rule to disable proxying,

    nat (inside,outside) source static ANY ANY destination static AC AC no-proxy-arp

or restrict the ANY object to the specific networks that are actually behind your ASA.
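As an added example (not code from the original post), the following Python check scans an ASA configuration for twice-NAT rules whose mapped source object is "any" and that lack the no-proxy-arp keyword; the config excerpt, object names and addresses are constructed for the demonstration.

```python
import re

# Constructed ASA running-config excerpt (sample input, not from the original post).
SAMPLE_CONFIG = """\
object network ANY
 subnet 0.0.0.0 0.0.0.0
object network AC
 subnet 192.0.2.0 255.255.255.0
object network LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static ANY ANY destination static AC AC
nat (inside,outside) source static ANY ANY destination static AC AC no-proxy-arp
nat (inside,outside) source static LAN LAN destination static AC AC
"""

# Twice NAT syntax: nat (real_ifc,mapped_ifc) source static real mapped [destination static mapped real] [opts]
TWICE_NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
    r"(?P<opts>(?: \S+)*)$"
)

def any_objects(config: str) -> set[str]:
    """Names of 'object network' entries covering 0.0.0.0/0, plus the built-in any keywords."""
    names = {"any", "any4"}
    current = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip() == "subnet 0.0.0.0 0.0.0.0":
            names.add(current)
    return names

def find_proxy_arp_risks(config: str) -> list[dict]:
    """Twice-NAT rules with an 'any' mapped source and no no-proxy-arp keyword."""
    wildcards = any_objects(config)
    risks = []
    for line in config.splitlines():
        m = TWICE_NAT_RE.match(line)
        if not m or m["src_mapped"] not in wildcards:
            continue  # not twice NAT, or the mapped source is a specific network
        if "no-proxy-arp" in m["opts"].split():
            continue  # already hardened
        # The ASA will answer ARP for every address on the mapped interface's segment.
        risks.append({"line": line, "interface": m["mapped_ifc"],
                      "fixed": line + " no-proxy-arp"})
    return risks
```

Running find_proxy_arp_risks over the sample flags only the first nat line and proposes the same line with no-proxy-arp appended; the second option from the text (shrinking the ANY object) would make the rule disappear from the report as well.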

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavours. Marcin also holds industry-recognised certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
