ASA Proxy-Arp + Forward

Unanswered Question
Mar 3rd, 2008
User Badges:

Is it possible for an ASA to proxy-arp for an IP, and forward requests for that IP to a different destination?

Scenario: We removed our internal DNS server to a completely different facility. The network is to be completely dismantled. We just found out we need to keep the network up for one more week, but the DNS server is now gone. I'd like the ASA to answer requests for the old DNS server IP, but them forward them on to our ISP's DNS server. Failing this, I'll have to have the client change all their DNS settings to the ISP's DNS server and allow the traffic through the ASA. Thanks for any assistance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
brettmilborrow Tue, 03/04/2008 - 08:15
User Badges:

Are you saying you want the ASA to answer a request as well as forward the request back to another host on the same interface? i.e outside interface? If so, then yes you can.

e.g: = your old DNS = ISP DNS


static (outside,outside) netmask

you will also need the following command:

same-security-traffic permit intra-interface

this command allows traffic to enter and exit the same ASA interface.

you will also need to configure your access-lists to allow the traffic on the acl applied to the 'outside' interface.

access-list acl_outside permit ip any host eq 53


static (outside,outside) netmask

same-security-traffic permit intra-interface

access-list acl_outside permit ip any host eq 53


This Discussion