04-15-2008 08:04 PM - edited 03-11-2019 05:32 AM
Hi,
I just replaced a PIX 515 with an ASA 5510 failover.
The PIX had about 10 static nat translations, and pat on the interface as follows:
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.x 192.168.100.3 netmask 255.255.255.255
static (inside,outside) x.x.x.x 172.16.128.28 netmask 255.255.255.255
static (inside,outside) x.x.x.x 172.16.128.25 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.95.4 netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.50.242 netmask 255.255.255.255
When the pix was replaced with the ASA, the pat off of the interface worked great. I then went to test other systems, and found that nat was not working.
Upon further review, the traffic wasn't even making it to the ASA for translation. As it turns out, the ISP said that the managed router had incomplete arp entries for all public addresses but our ASA outside interface.
As a temporary solution, I would change the IP address on the interface to each of the nat'd addresses, and then back to what it should be. This routine fixed the problem, but then the ISP cleared the ARP table on the router and the problem is back.
What could possibly be going on here?
Thanks,
Jeff
04-16-2008 05:48 AM
So,
Turns out that proxy-arp was disabled. (sysopt noproxyarp outside)
I enabled proxyarp, and the asa responded to arp for the static addresses.
I searched netpro and google for this, and can't believe that I couldn't find it. I guess it makes sense based on how the asa would have to respond for anything it was asked of. Has anyone run into this before?
04-16-2008 07:33 AM
Jeff,
Proxyarp is enabled by default on the outside in 7.x code. Look at the capture below: only when I configure noproxyarp does it show up in the configuration, which would mean it's a user-configured value. In your case it looks like someone may have disabled the proxyarp on the outside.
I don't see how the PIX/ASA would respond, without proxyarp enabled, on behalf of a host that's configured for static translation if the global address happens to be on the same subnet as the outside of the firewall.
pixfirewall# show run sysopt (factory setting)
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
pixfirewall# config t
pixfirewall(config)# no sysopt noproxyarp outside
pixfirewall(config)# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
pixfirewall(config)# sysopt noproxyarp outside
pixfirewall(config)# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt noproxyarp outside
sysopt connection permit-vpn
HTH
Sundar
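To check which outside addresses a firewall will answer ARP for under a given configuration, here is an added Python model (not Cisco code and not from this thread). It encodes the behaviour Sundar describes: the interface address is always answered, and a static's global address on the outside subnet is answered only while proxy ARP is enabled on that interface. The interface address, statics and 203.0.113.0/24 public addresses in the sample config are constructed.

```python
import ipaddress
import re

# Constructed config fragment in ASA/PIX 7.x syntax (public addresses are
# from the 203.0.113.0/24 documentation range, not a real deployment).
CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
static (inside,outside) 203.0.113.10 192.168.100.3 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 172.16.128.28 netmask 255.255.255.255
sysopt noproxyarp outside
"""

def parse_config(text):
    """Return (interfaces, statics, noproxy): nameif -> ip_interface,
    list of (nameif, global address), and nameifs with proxy ARP off."""
    ifaces, statics, noproxy, cur = {}, [], set(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = None                       # new interface block
        if m := re.match(r"\s+nameif (\S+)", line):
            cur = m.group(1)
        if (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if m := re.match(r"static \(\S+,(\S+)\) (\S+) \S+", line):
            statics.append((m.group(1), ipaddress.ip_address(m.group(2))))
        if m := re.match(r"sysopt noproxyarp (\S+)", line):
            noproxy.add(m.group(1))
    return ifaces, statics, noproxy

def answers_arp(cfg, iface, target):
    """True if the firewall replies to an ARP request for target on iface."""
    ifaces, statics, noproxy = cfg
    target = ipaddress.ip_address(target)
    if iface not in ifaces:
        return False
    own = ifaces[iface]
    if target == own.ip:
        return True                          # own address: always answered
    if iface in noproxy:
        return False                         # proxy ARP disabled here
    return any(i == iface and g == target and g in own.network
               for i, g in statics)

def unanswered_globals(cfg, iface):
    """Static global addresses on iface that will show up as incomplete
    ARP entries on the upstream router with this configuration."""
    return sorted(str(g) for i, g in cfg[1]
                  if i == iface and not answers_arp(cfg, iface, g))

if __name__ == "__main__":
    print(unanswered_globals(parse_config(CONFIG), "outside"))
```

Removing the `sysopt noproxyarp outside` line from the sample (the `no sysopt noproxyarp outside` step in the capture above) empties the unanswered list.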
04-16-2008 09:51 AM
Sundar,
Yes, thanks. That's the conclusion that I came to as well.
06-17-2008 05:43 AM
Proxy-arp is normally for arp response on behalf of another device that is on a different segment. For static NATs in the ASA I would think it would reply to these ARPs because they are on the same external subnet and the static NATs are present. Proxy-arp is normally for cross segment arp proxying and I want that disabled. ???