
Proxy ARP – Cisco ASA and Anyconnect

26.11.2016

Background

Sometimes when implementing firewall solutions at the Internet Edge line of defense, other devices sit in the same outside segment as the ASA firewall. This is a typical setup when an enterprise owns a public segment of several public IP addresses. Examples of such devices are an anti-spam system, a DNS server or a load balancer that communicate with other systems. In e-commerce, for instance, it is rather obvious that sitting in the same Ethernet segment requires clean L2/L3 ARP communication. Since we are talking about a Layer 2 segment, we need to talk about ARP-related issues, which I described in my last post on ARP behavior.

ARP Proxy problem definition

I have seen it a few times that, after a period of coexistence, one of the systems residing on the public segment stops responding. After spending a while troubleshooting, the issue could be traced to the ASA generating proxy ARP replies on the outside interface for that same segment. The reason is that by default the ASA uses proxy ARP to support NAT translation rules: thanks to proxy ARP the ASA can answer for NATed addresses that differ from the one configured on the interface. In other words, the ASA responds to ARP requests for addresses used in NAT. There is a specific case in which the ASA will send an ARP reply for every request. It is caused by a rule like the following:

nat (inside,outside) source static any any destination static AC AC

With the any statements present, this rule causes proxy ARP replies for every destination (from the public segment's perspective). To get rid of this issue you have two options. The first is to add no-proxy-arp to the rule to disable proxying:

nat (inside,outside) source static any any destination static AC AC no-proxy-arp

The second is to restrict the any statements to the specific networks inside your ASA.
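As an added example (not part of the original post), here is a small audit script that scans a saved ASA running-config for twice-NAT rules whose mapped source or destination is the any keyword without the no-proxy-arp option, which is exactly the pattern described above. The sample configuration and the AC object name are constructed for the demonstration.

```python
"""Audit Cisco ASA twice-NAT rules for unintended proxy ARP.

Flags 'nat (real,mapped) source static X Y [destination static A B]' rules
whose mapped source (Y) or mapped destination (A) is the keyword 'any' and
that lack 'no-proxy-arp', since such rules make the ASA answer ARP requests
for every address on the segment.
"""
import re
from dataclasses import dataclass

NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?:\d+\s+)?source\s+"
    r"(?P<stype>static|dynamic)\s+(?P<sreal>\S+)\s+(?P<smapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dmapped>\S+)\s+(?P<dreal>\S+))?"
    r"(?P<opts>(?:\s+\S+)*)\s*$"
)

# Constructed sample config: AC is an assumed AnyConnect pool object name.
SAMPLE_CONFIG = """\
object network AC
 subnet 10.10.10.0 255.255.255.0
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static any any destination static AC AC
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static AC AC no-proxy-arp
nat (inside,outside) source dynamic INSIDE_NET interface
"""

@dataclass
class Finding:
    line: str        # offending rule as written
    mapped_ifc: str  # interface on which the ASA will proxy ARP
    reason: str      # which mapped object is 'any'
    fix: str         # same rule with no-proxy-arp appended

def audit_nat(config: str) -> list[Finding]:
    """Return one Finding per NAT rule that proxy ARPs for 'any'."""
    findings = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw)
        if not m or "no-proxy-arp" in m.group("opts").split():
            continue
        wide = []
        if m.group("smapped").lower() == "any":
            wide.append("mapped source 'any'")
        if (m.group("dmapped") or "").lower() == "any":
            wide.append("mapped destination 'any'")
        if wide:
            findings.append(Finding(raw.strip(), m.group("mapped").strip(),
                                    " and ".join(wide), raw.strip() + " no-proxy-arp"))
    return findings

if __name__ == "__main__":
    for f in audit_nat(SAMPLE_CONFIG):
        print(f"[{f.mapped_ifc}] {f.reason}\n  rule: {f.line}\n  fix:  {f.fix}")
```

Run it against the output of show running-config nat; each finding prints the rule and the no-proxy-arp variant to apply.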

Author

Marcin Bialy

Marcin Biały is a Network and Security Architect with over 12 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Lead Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent countless hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
