07-28-2010 09:20 AM - edited 03-11-2019 11:17 AM
Hi,
I posted this in both firewall and LAN section to get two points of view:
Can anyone help me understand an issue with ARP logic? I installed a multi-context firewall and did not use the auto mac command. The router showed (for example) for the subinterfaces on the contexts
arp ip x.x.x.30 mac xxxx.xxxx.fee1
arp ip x.x.x.31 mac xxxx.xxxx.fee1
arp ip x.x.x.32 mac xxxx.xxxx.fee1
IP traffic to the various contexts never flowed. I had to implement the auto mac command which gave each context its own MAC. My question is, is it against the logic to have multiple IPs for one MAC? I did not think it was. Why did I have to use the auto-mac command on the firewall then? Thanks for any info....
Rob
07-28-2010 09:33 AM
Hi Rob,
Without knowing what your config looks like, I would guess that traffic failed without the auto-generated MACs because you didn't have NAT statements setup for the addresses in each context. When interfaces are shared in multiple context mode, the shared interfaces will all use the same MAC address by default (as you noticed). In order to determine which context a packet needs to go to when it is received by the ASA, it tries to match the destination IP to a NAT statement in a context since the MAC will always be the same. This link will explain the process a little better:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806
Specifically, you want to look at the "Unique MAC Addresses" and "NAT Configuration" sections. They explain the issue you were having:
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup....The classifier matches the destination IP address to either a static command or a global command.
To fix the problem, you can either have the ASA auto-generate unique MACs for the contexts, or setup NAT like the examples noted in the link above.
Hope that helps.
-Mike
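The classifier behaviour Mike describes, as an added Python model of the decision (not Cisco code; the context names, MACs and addresses below are made up, and the MAC ending in fee1 stands in for the masked value in Rob's output):

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    mac: str                                       # MAC of this context's shared interface
    nat_addresses: set = field(default_factory=set)  # IPs present in static/global NAT statements


def classify(contexts, dst_mac, dst_ip):
    """Model of the ASA classifier on a shared interface (added illustration).

    1. If exactly one context owns the destination MAC, it receives the packet.
    2. If several contexts share that MAC, fall back to a destination-IP lookup
       against each context's NAT statements.
    Returns the receiving context name, or None when the packet is unclassifiable
    (which is what Rob observed as traffic that never flowed).
    """
    by_mac = [c for c in contexts if c.mac.lower() == dst_mac.lower()]
    if len(by_mac) == 1:
        return by_mac[0].name
    by_ip = [c for c in by_mac if dst_ip in c.nat_addresses]
    if len(by_ip) == 1:
        return by_ip[0].name
    return None


# Constructed scenarios (hypothetical addresses in the 192.0.2.0/24 documentation range).
SHARED_MAC = "0000.0000.fee1"


def shared_mac_no_nat():
    # No auto mac, no NAT statements: every context answers with the same MAC.
    return [Context("ctx1", SHARED_MAC), Context("ctx2", SHARED_MAC), Context("ctx3", SHARED_MAC)]


def shared_mac_with_nat():
    # Same shared MAC, but each context has a NAT statement for its own address.
    return [Context("ctx1", SHARED_MAC, {"192.0.2.30"}),
            Context("ctx2", SHARED_MAC, {"192.0.2.31"}),
            Context("ctx3", SHARED_MAC, {"192.0.2.32"})]


def unique_macs():
    # Equivalent of the auto mac command: each context gets its own MAC, no NAT needed.
    return [Context("ctx1", "0000.0000.fee1"), Context("ctx2", "0000.0000.fee2"),
            Context("ctx3", "0000.0000.fee3")]
```

Running the three scenarios against a packet for 192.0.2.31 shows the shared-MAC case being dropped without NAT, classified by IP once NAT exists, and classified by MAC alone once the MACs are unique.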
07-28-2010 09:37 AM
Mike,
Great. Thank you very much.