I use a Cisco ASA firewall in an L3 configuration.
Result of the command: "show running-config sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
The problem is that the ASA is answering all ARP requests on the inside LAN!
Is it a default setting for the ASA to answer all ARP requests?
Do I have to disable this, and how?
If you are using the inside interface IP for overloading, then it should not be a problem.
global (inside) 1 interface
If you do not have the above line and all you are doing is NATing inside addresses to some other address when they are going out (to DMZ or outside), then you will also not have any issues. But if you are using something like
global (inside) 1 10.1.1.100
and 10.1.1.100 is not the address of the inside interface, then if you turn off proxy ARP on the inside interface, it might have an issue. In this case, the workaround would be to add a static ARP entry:
arp inside 10.1.1.100 alias
This will ensure that the inside interface responds to ARP queries when the destination address is 10.1.1.100.
Hope this helps.
To add to halijenn's post, when you disable proxy ARP on the inside (or any other) interface, make sure that you are not doing any NAT on that interface, i.e. static (DMZ,inside) for example. The moment you disable proxy ARP, the firewall will stop proxy-ARPing for the valid IP addresses it is hosting through NAT. So, in the above scenario, the firewall will not respond to the NATted IP of the DMZ server.
Hope this helps.
You are right. Proxy ARP is enabled by default.
Here is how to disable proxy arp for the inside interface:
sysopt noproxyarp inside
Here is the command for your reference:
Hope that helps.
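As an added example (not from this thread or from Cisco), here is a small Python script that applies the checks from halijenn's post and the follow-up about static NAT to a running-config before you paste in `sysopt noproxyarp inside`. It finds every address on the named interface that the ASA is currently proxy-ARPing for because of NAT (a `global` PAT address that is not the interface IP, or the mapped address of a `static` whose mapped side is that interface) and emits the `arp <if> <ip> alias` lines halijenn suggested for each, so nothing stops answering when proxy ARP goes off. The sample config is constructed for the example; the `arp ... alias` lines copy the form used in halijenn's post, so check the exact syntax against your ASA version's command reference.

```python
import ipaddress
import re

# Constructed sample running-config (not from the original thread): an inside
# interface, overload PAT on the interface IP, a second PAT address that is NOT
# the interface IP, and a static NAT that publishes a DMZ host on the inside segment.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
global (inside) 1 interface
global (inside) 2 10.1.1.100
global (outside) 1 203.0.113.10-203.0.113.20
static (dmz,inside) 10.1.1.50 192.168.2.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.5 10.1.1.20 netmask 255.255.255.255
sysopt connection permit-vpn
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) \d+ (\S+)")          # global (ifc) id addr|range|interface
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")  # static (real_ifc,mapped_ifc) mapped real
NAMEIF_RE = re.compile(r"^ nameif (\S+)")
IPADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")


def interface_ips(config):
    """Map nameif -> interface IP address from the interface stanzas."""
    ips, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and current:
            ips[current] = m.group(1)
        if line.startswith("!"):          # end of the interface stanza
            current = None
    return ips


def expand_range(token):
    """'a.b.c.d-a.b.c.e' -> every address in the range; a single address -> [address]."""
    if "-" in token:
        lo, hi = (ipaddress.ip_address(t) for t in token.split("-", 1))
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [token]


def nat_addresses_on(config, ifname):
    """Addresses the ASA answers ARP for on ifname only because of NAT.

    The interface's own IP is excluded: 'global (ifc) n interface' and a literal
    global equal to the interface address keep working without proxy ARP.
    """
    own_ip = interface_ips(config).get(ifname)
    found = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m and m.group(1) == ifname and m.group(2) != "interface":
            found.extend(expand_range(m.group(2)))
            continue
        m = STATIC_RE.match(line)
        if m and m.group(2) == ifname:     # mapped side of the static is this interface
            found.append(m.group(3))
    return [ip for ip in dict.fromkeys(found) if ip != own_ip]


def proxy_arp_disabled(config, ifname):
    return f"sysopt noproxyarp {ifname}" in config.splitlines()


def plan(config, ifname):
    """Config lines to apply: the noproxyarp command (if not already present)
    plus one static ARP alias per NAT address that would otherwise go silent."""
    lines = []
    if not proxy_arp_disabled(config, ifname):
        lines.append(f"sysopt noproxyarp {ifname}")
    for ip in nat_addresses_on(config, ifname):
        lines.append(f"arp {ifname} {ip} alias")   # syntax as posted by halijenn
    return lines


if __name__ == "__main__":
    for line in plan(SAMPLE_CONFIG, "inside"):
        print(line)
```

Run it against the output of `show running-config` instead of `SAMPLE_CONFIG` to get the list for your own inside interface; an empty list apart from the `sysopt` line means only the interface IP is used for NAT on that segment and proxy ARP can be disabled without a static entry.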