ASA 5505 no proxyarp + ssl vpn

Unanswered Question
Oct 30th, 2008

I have an ASA 5505 (running 8.0.4 code) that has to have proxyarp turned off on the inside interface due to the issue described in MS KB 888816.

I am able to establish my VPN connection but I can't talk to any of my servers. When I turn proxyarp back on I can communicate just fine, but as soon as I no proxyarp inside, once the ARP times out I am again not able to communicate through the VPN. The VPN clients and the hosts on the inside that I am trying to talk to are all on the same subnet with no NAT between them.

I have also tried doing static ARP entries on the 5505, to no avail. Anyone have a workaround to this?



guibarati Fri, 10/31/2008 - 04:30

The problem is that they are in the same subnet, the internal and VPN hosts, so the only way the packets will arrive at the ASA to be forwarded to the VPN client is with proxy ARP.

If you want to disable that you need to have another subnet for VPN clients. So you need the default gateway of your network to point to the ASA for the new subnet.

BARRY GROSS Mon, 11/03/2008 - 10:33

I don't know if it's an option to create a third interface on a 5505.

guibarati Mon, 11/03/2008 - 10:38

You don't need a new interface; you only need the VPN IP pool to be in a different subnet, one that is not the same as your internal network or any other network that is already in use.

The ASA will be in charge of routing that to the VPN users as long as the packets arrive at it.

BARRY GROSS Mon, 11/03/2008 - 10:57

Yes, you're right. I got it. I did your suggestions, but forgot to modify the split tunnel/NAT config. Once I did that, it is working.

Thanks Much
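The fix the thread converges on (a VPN pool on its own subnet, with the NAT exemption and split-tunnel list updated to match), written out as an added ASA 8.0-style configuration sketch. This is not configuration posted in the thread; the subnets 192.168.1.0/24 (inside) and 192.168.20.0/24 (VPN pool), the object names and the gateway address are assumed placeholders.

```text
! --- Before (what the original poster had) ---
! VPN pool carved out of the inside subnet: 192.168.1.0/24
! Reaching a client then depends on the ASA answering ARP for the
! pool address on the inside, which "sysopt noproxyarp inside" disables.
ip local pool VPNPOOL 192.168.1.200-192.168.1.220 mask 255.255.255.0

! --- After: pool on a subnet not used anywhere else ---
ip local pool VPNPOOL 192.168.20.1-192.168.20.50 mask 255.255.255.0

! Exempt inside <-> VPN-pool traffic from NAT (the step that was forgotten)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split tunnel: only the inside subnet goes through the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group VPN_TG general-attributes
 address-pool VPNPOOL
 default-group-policy VPN_GP

! Proxy ARP stays off on the inside; the ASA now routes to the pool
! instead of answering ARP for it.
sysopt noproxyarp inside

! --- On the internal router / default gateway (not the ASA) ---
! Inside hosts whose gateway is not the ASA need a return route for
! the pool subnet; 192.168.1.1 is the assumed ASA inside address.
! IOS-style syntax, assumed:
!   ip route 192.168.20.0 255.255.255.0 192.168.1.1
```

A quick check after the change is that `show arp` on the ASA no longer needs entries for pool addresses, and a ping from an inside host to a connected client's pool address follows the route to the ASA rather than an ARP lookup.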
