US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • Proxy ARP – Cisco ASA and Anyconnect

    Proxy ARP – Cisco ASA and Anyconnect

    Date: 26.11.2016



    Sometimes when implementing Firewall solutions on Internet Edge line of defense, different boxes can sit outside the segment of the ASA firewall. This is a typical solution when an enterprise has public segment of several public IP addresses. Example of such boxes can be Antispam System, DNS, Load Balancer, which communicate with other systems. For example in e-commerce, it is rather obvious that being in the same Ethernet segment, demands L2/L3 ARP clear communication. Talking about Layer 2 segment, we need to talk about ARP protocol related issues which I have described in my last post while describing ARP behavior.

    ARP Proxy problem definition

    I have seen a few times that after certain time of coexistence, one of the systems which resides on the public segment stops responding. After spending a while troubleshooting this issue it could be explained by the ASA generating ARP proxy on the outside interface with the same segment. The reason for this is that by default, ASA uses ARP Proxy mechanism to support NAT translation rules, thanks to Proxy ARP ASA can show the NATed addresses that are different than one on the interface. In other words, ASA responds to ARP requests for addresses using NAT. There is specific case that ASA will use ARP Replies for each request. This is caused by following rule example:

    Nat (inside,outside) source static ANY ANY destination static AC AC

    This rule if ANY statements present, causes proxy arp replies for all types of destinations (speaking of public perspective). To get rid of this issue, you have 2 options: use no-proxy-arp to disable proxying,

    Nat (inside,outside) source static ANY ANY destination static AC AC no-proxy-arp

    Or restrict ANY object to specific networks inside your ASA.


    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Leave a Reply

    Your email address will not be published. Required fields are marked *