ASA-2-106016 on same interface, but two subnets

Unanswered Question
Feb 19th, 2014
User Badges:


I get a strange problem here. We got another subnet from our ISP because we needed another block of IPs. Everything works fine, except one thing:

  Deny IP spoof from (XXX.XXX.XXX.XXX) to XXX.XXX.XXX.XXX on interface outside

The source IP is our main IP from our primary subnet and the destination is one of the IP in the new subnet. Do I need to add a special rule to allow this trafic??

Cisco ASA 5510

ASA Version 9.1(1)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Wed, 02/19/2014 - 13:19
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Could you tell us how you are using the second subnet that the ISP provided? And it might help if you would post from the config at least the parts that deal with both of the subnets? It is difficult to know if you need to add something until we know what you already have.



druideinformatique Thu, 02/20/2014 - 06:25
User Badges:

Hi Richard,

XXX.XXX.XXX is the primary subnet, YYY.YYY.YYY is the secondary.

Interface Ethernet0/1 "outside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Input flow control is unsupported, output flow control is off

IP address XXX.XXX.XXX.42, subnet mask

interface Ethernet0/1

nameif outside

security-level 0

ip address XXX.XXX.XXX.42

related config:

object network bloc-externe-supp

subnet YYY.YYY.YYY.32

object network YYY.YYY.YYY.34

host YYY.YYY.YYY.34

route outside XXX.XXX.XXX.41 1

route outside YYY.YYY.YYY.32 YYY.YYY.YYY.33 1

INGENIERIA Y CO... Wed, 02/19/2014 - 13:47
User Badges:

that's almost normal behavior on ASA if you don't enable the Proxy ARP on that interface and enabled anti-spoofing.

try with this.

ip verify reverse-path interface [interface_name (inside/outside/dmz)]

and this one

 arp permit-nonconnected

and this other one.

 no sysopt noproxyarp [interface_name (inside/outside/dmz)]

let us know if fix your problem !!!

had a great day!

druideinformatique Thu, 02/20/2014 - 06:28
User Badges:


I do have "arp permit-nonconnected", but not the other two. I will try it early next week.


This Discussion