Background
When deploying a firewall at the Internet edge, other devices often sit on the outside segment of the ASA firewall. This is a typical setup when an enterprise owns a public segment of several public IP addresses. Examples of such devices are an antispam system, DNS servers, and a load balancer, all of which communicate with other systems. In e-commerce, for example, it is rather obvious that devices sharing one Ethernet segment depend on clean L2/L3 ARP communication. Talking about the Layer 2 segment means talking about ARP protocol issues, which I described in my last post on ARP behavior.
ARP Proxy problem definition
I have seen a few times that, after a certain time of coexistence, one of the systems residing on the public segment stops responding. After spending a while troubleshooting this issue, it could be explained by the ASA generating proxy ARP replies on the outside interface for that same segment. The reason is that, by default, the ASA uses the proxy ARP mechanism to support NAT translation rules: thanks to proxy ARP, the ASA can answer for NATed addresses that are different from the address on its interface. In other words, the ASA responds to ARP requests for addresses used in NAT. There is a specific case in which the ASA will send an ARP reply for every request. It is caused by a rule like the following example:
nat (inside,outside) source static ANY ANY destination static AC AC
This rule, because ANY statements are present, causes proxy ARP replies for all destinations (seen from the public side). To get rid of this issue, you have two options: use no-proxy-arp to disable proxying,
nat (inside,outside) source static ANY ANY destination static AC AC no-proxy-arp
or narrow the ANY object to the specific networks on the inside of your ASA.
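As an added example (not code from the original post), here is a small Python check for the symptom described above: it parses tcpdump-style ARP reply lines captured on the public segment and flags any IP address that is answered by more than one MAC, one of them being the ASA outside interface. The capture lines, the 203.0.113.0/24 addresses and the ASA MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the ARP reply form printed by "tcpdump -nn arp"
# (e.g. "ARP, Reply 203.0.113.10 is-at 00:00:5e:00:53:10, length 28").
# Assumption: this is the line shape we parse; other tools need another pattern.
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def collect_arp_claims(lines):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims = defaultdict(set)
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac").lower())
    return claims


def find_proxy_arp_conflicts(lines, firewall_mac):
    """Return {ip: sorted MACs} for IPs answered by more than one MAC,
    where one of the answering MACs is the firewall's outside interface."""
    firewall_mac = firewall_mac.lower()
    return {
        ip: sorted(macs)
        for ip, macs in collect_arp_claims(lines).items()
        if len(macs) > 1 and firewall_mac in macs
    }


# Constructed sample capture (documentation addresses, made-up MACs):
# 203.0.113.10 is a DNS server on the public segment, 203.0.113.1 is the
# ASA outside interface, and the ASA also answers for .10 (proxy ARP).
SAMPLE_CAPTURE = """\
10:15:01.000101 ARP, Request who-has 203.0.113.10 tell 203.0.113.20, length 28
10:15:01.000230 ARP, Reply 203.0.113.10 is-at 00:00:5e:00:53:10, length 28
10:15:01.000412 ARP, Reply 203.0.113.10 is-at 00:00:5e:00:53:01, length 28
10:15:02.000101 ARP, Request who-has 203.0.113.1 tell 203.0.113.20, length 28
10:15:02.000220 ARP, Reply 203.0.113.1 is-at 00:00:5e:00:53:01, length 28
""".splitlines()

ASA_OUTSIDE_MAC = "00:00:5e:00:53:01"  # assumed MAC of the ASA outside interface

if __name__ == "__main__":
    for ip, macs in find_proxy_arp_conflicts(SAMPLE_CAPTURE, ASA_OUTSIDE_MAC).items():
        print(f"{ip} answered by {', '.join(macs)}: check NAT rules for proxy ARP")
```

An IP flagged this way is the case the post describes: a legitimate host and the ASA both answering, so clients may cache the firewall's MAC and lose the host.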