Does ASA repond to ARP requests?

Unanswered Question
Jul 17th, 2008
User Badges:

Hi All,

I have 2 5520 ASAs for serving remote access VPN sessions. I have configured the switch ports for both ASAs in a community private vlan.

I have a need where the VPN clients need to talk to each other. If I reconfigure the ASA port to a regular switchport vlan, will the clients be able to talk to each other?

Does the ASA respond to ARP requests? Also, do I need to permit same security traffic in order for the clients to talk?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
husycisco Fri, 07/18/2008 - 09:36
User Badges:
  • Gold, 750 points or more

Hello Meena,

"If I reconfigure the ASA port to a regular switchport vlan"

Why would you need that? An Interface needs and IP address to have an arp table, or function as proxy-arp as requested.

If all you need is connectivity between outside VPN clients, all you need is same-security-traffic permit intra-interface

Dont know if your ASAs are in failover mode, but assuming not, and if you need VPN client connected to ASAx to be able to talkt to VPN client connected to Y, all you need is a simple static route in firewalls.

Please describe more, if I have misunderstood the issue.


mchockalingam Mon, 07/21/2008 - 06:43
User Badges:

Yes, I misunderstood that hair-pinning the traffic and allowing the same-security interface traffic are same. I did not want to hair-pin the traffic but now I realized that they are 2 different things.

Also, the ASAs are in a cluster and so they are in a community vlan for the VCA (hearbeats) to work.

I had to permit the same security interface traffic permitted to solve the problem.

Thanks for your help.


This Discussion