Problem with ASA and ISP cable modem

Mar 17th, 2009

Hi gurus!

Not sure if this is the right section to ask this question, but it is a generic one that has to do with the ASA.

This is the problem. The ASA is connected to Shaw ISP via a cable modem. We are assigned 4 IP addresses; one of them is physically configured on the ASA outside interface. The other three IPs are statically translated by the ASA into inside IPs. About once a week we lose connectivity from outside to those translated hosts. All traffic to IPs other than the IP physically assigned to the ASA stops flowing.

The call to the ISP ends up with a standard question and recommendation: connect a PC to the cable modem and try again. And of course it works. Power cycling or resetting the modem helps as well, and then we are safe for an uncertain amount of time.

Moreover, the smart support guys from the ISP say it will only work if there's a one-to-one mapping of IP address to MAC address. How the hell has it worked all this time?

The ASA has proxy-arp configured on its outside interface and supposedly replies with the outside interface's MAC address to the sender of a packet destined for the secondary (or tertiary) IP address.

Is there any way to fix it once and for all on the ASA side, and if not, what am I supposed to say to the ISP know-it-alls?

Tshi M Fri, 03/20/2009 - 08:28

Did you try removing proxy-arp from the outside interface? Below are the known proxy-arp disadvantages:

- It increases the amount of ARP traffic on your segment.
- Hosts need larger ARP tables in order to handle IP-to-MAC address mappings.
- Security can be undermined. A machine can claim to be another in order to intercept packets, an act called "spoofing."
- It does not work for networks that do not use ARP for address resolution.
- It does not generalize to all network topologies, for example, more than one router connecting two physical networks.

zheka_pefti Fri, 03/20/2009 - 09:22

Proxy-arp is intentionally enabled on the outside interface. How would the ASA answer ARP requests destined for IP addresses other than its primary one?

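The setup the thread describes, as an added ASA configuration example (pre-8.3 `static` syntax, as used in 2009) that is not from the original post. The interface names and the 203.0.113.x / 192.168.1.x addresses are placeholders, not the poster's real ones; the commented-out `sysopt noproxyarp` line is what Tshi M's suggestion corresponds to.

```cisco
! Constructed example, not the poster's running config.
! The outside interface owns the one public IP that is "physically" on the ASA.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The other three public IPs exist only as static translations. No interface
! owns them, so the ASA must answer ARP for them (proxy ARP, on by default)
! or the cable modem / ISP gateway never learns a MAC for them.
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.4 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.5 192.168.1.12 netmask 255.255.255.255
!
! Inbound traffic to the translated hosts still needs an explicit permit.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.4 eq 25
access-group OUTSIDE_IN in interface outside
!
! Tshi M's suggestion: turn proxy ARP off on outside. That only works if the
! upstream device routes 203.0.113.3-5 to 203.0.113.2 itself; otherwise the
! ISP gateway gets no ARP reply for those IPs and the translated hosts go
! dark from outside, which is zheka_pefti's point.
! sysopt noproxyarp outside
!
! To verify on the ASA: "show xlate" lists the static translations and
! "show arp" shows whether the upstream gateway's MAC is currently known.
```

When the weekly outage hits, comparing reachability of 203.0.113.2 against 203.0.113.3-5 from outside tells you whether only the proxy-ARP'd addresses are affected, which is the symptom the thread describes.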