ASA Firewall cannot answer ARP request unexpectedly

benche
Level 1

My customer has an ASA running 7.2.2, a Cisco 2950 switch and a Cisco 2621XM. The router is located at the outside interface of the ASA, whose IP subnet is 172.16.1.0/24. End users and an FTP client are behind the ASA, meaning all the clients are located on the Inside interface, whose IP subnet is 192.168.2.0/24. The 2950 switch has multiple VLANs for different zones for the physical connections of the router and ASA.

In this network, all the users need to access the other network through the ASA and then the router, and the ASA performs NAT. There was a static NAT entry mapping 172.16.1.1 to 192.168.2.1, and the same global IP 172.16.1.1 is also the PAT address for subnet 192.168.2.0/24. The firewall policy is permit IP any any.

The problem is that when the users connect to the remote site, I can see static and dynamic NAT entries created in the NAT table and the traffic is permitted, but the connection status shown in "show conn" is always "saA", until I plug a laptop into the VLAN used for the outside interface of the ASA and the 2621XM. The laptop's IP address is 172.16.1.x, and then all the connections are created smoothly.

But when I unplug the laptop's network cable, the connection fails again.

Anyway, there is no IP conflict; my laptop's IP address is not in the scope of the ASA's NAT pool.

2 Replies

cmcbride
Level 1

I'm unable to puzzle out what might be the problem here. You may need to post a sanitized version of the config.

vitripat
Level 7

What is the IP address of outside interface of ASA?

Are you able to ping the remote server from ASA itself?

When you say that all connections can be created smoothly after connecting the laptop to the outside VLAN, are these connections from the laptop on the outside VLAN or from hosts on the inside VLAN?

I don't see an ARP issue here, as when traffic moves outbound through the ASA and hits the router, the router will create the ARP entry in its own cache. It seems that return traffic is not coming back to the ASA; evidence for this is the "saA" connection flags. This means the connection was successfully made outbound, however, nothing ever returned back to the ASA.

Please check the answers for above questions and keep us posted.

Regards,

Vibhor.
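As an added example (not posted by anyone in this thread), the following script parses ASA 7.x "show conn" output and flags TCP connections that never left the embryonic state Vibhor describes (no "U" flag, so the outside side never answered), then groups them by outside peer so a stuck path stands out. The sample output, including the 10.x remote addresses, is constructed for the example.

```python
import re
from collections import Counter

# Line layout of the classic ASA 7.x "show conn" output, e.g.
#   TCP out 10.10.10.5:21 in 192.168.2.10:49152 idle 0:00:03 bytes 0 flags saA
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\S+) "
    r"bytes (?P<bytes>\d+)(?: flags (?P<flags>\S+))?$"
)

def parse_conn(line):
    """Return a dict for one show conn line, or None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["flags"] = conn["flags"] or ""
    return conn

def is_half_open(conn):
    """A TCP conn whose flags never gained 'U' (up) is still waiting on the
    three-way handshake; 'saA' is the typical form for an outbound SYN that
    got no SYN/ACK back, i.e. return traffic is not reaching the ASA."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]

def triage(show_conn_output):
    """Summarise total conns, the half-open ones, and a count per outside peer."""
    conns = [c for c in (parse_conn(l) for l in show_conn_output.splitlines()) if c]
    stuck = [c for c in conns if is_half_open(c)]
    return {
        "total": len(conns),
        "half_open": stuck,
        "stuck_peers": Counter(c["out_ip"] for c in stuck),
    }

# Constructed sample: two FTP attempts stuck in saA, one healthy HTTP conn, one UDP.
SAMPLE = """\
TCP out 10.10.10.5:21 in 192.168.2.10:49152 idle 0:00:03 bytes 0 flags saA
TCP out 10.10.10.5:21 in 192.168.2.11:49153 idle 0:00:07 bytes 0 flags saA
TCP out 10.10.20.7:80 in 192.168.2.12:49154 idle 0:00:01 bytes 4504 flags UIO
UDP out 10.10.10.5:53 in 192.168.2.10:53001 idle 0:00:02 bytes 120 flags -
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for c in result["half_open"]:
        print(f"half-open: {c['in_ip']}:{c['in_port']} -> {c['out_ip']}:{c['out_port']} flags {c['flags']}")
    print("stuck peers:", dict(result["stuck_peers"]))
```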
