Menu

Poland

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

Sweden

Drottninggatan 86
111 36 Stockholm
+46 762 041 514
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

  • en
  • pl
  • se
  • Proxy ARP – Cisco ASA and Anyconnect

    Proxy ARP – Cisco ASA and Anyconnect

    Date: 26.11.2016

    Author:


    Background

    Sometimes when implementing Firewall solutions on the Internet Edge line of defense, different boxes can sit outside the segment of the ASA firewall. This is a typical solution when an enterprise has a public segment of several public IP addresses. Examples of such boxes can be an Antispam System, DNS, and Load Balancer, which communicate with other systems. For example in e-commerce, it is rather obvious that being in the same Ethernet segment, demands L2/L3 ARP clear communication. Talking about the Layer 2 segment, we need to talk about ARP protocol-related issues which I have described in my last post while describing ARP behavior.

    ARP Proxy problem definition

    I have seen a few times that after a certain time of coexistence, one of the systems which resides on the public segment stops responding. After spending a while troubleshooting this issue it could be explained by the ASA generating ARP proxy on the outside interface with the same segment. The reason for this is that by default, ASA uses the ARP Proxy mechanism to support NAT translation rules, thanks to Proxy ARP ASA can show the NATed addresses that are different from one on the interface. In other words, ASA responds to ARP requests for addresses using NAT. There is a specific case in which ASA will use ARP Replies for each request. This is caused by the following rule example:

    Nat (inside,outside) source static ANY ANY destination static AC AC

    This rule if ANY statements are present, causes proxy arp replies for all types of destinations (speaking of public perspective). To get rid of this issue, you have 2 options: use no-proxy-arp to disable proxying,

    Nat (inside,outside) source static ANY ANY destination static AC AC no-proxy-arp

    Or restrict ANY object to specific networks inside your ASA.

    Author

    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric