ARPproxy is enabled by default on Cisco ASA

ty.chan007
Level 1

We bought L2VPN from our ISP to connect all branches. The ISP assigned a VLAN for us to connect to their network. The problem that we are having now is that a branch, which has Proxy ARP enabled on the outside interface, is broadcasting its MAC address for all ARP requests. Is it an expected behaviour? If we disable it, are there any drawbacks for security reasons?

3 Replies

Julio Carvajal
VIP Alumni

Hello,

The ASA will Proxy-ARP for the following reasons:

Receiving a packet to its outside interface

Receiving a packet to one of the IPs being used on a NAT statement

You can disable that behavior if needed; just be careful, as Proxy-ARP is needed to access devices.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I see that it responds to ARP requests received on the outside interface, so it makes the connection unstable from branch to branch. But some ASAs which are also in the same VLAN (WAN) seem not to respond to ARP requests if the address doesn't belong to their IP address. Why? Do different IOS versions behave differently?

Regards,

Hi,

If your sites are connected by an ISP MPLS network, then I would imagine that you have no need to use NAT for each site's LAN network?

If this is correct, then I don't (at the moment) see any need to have Proxy ARP enabled on any ASA's "outside" interface. The ASA should still answer ARP requests that try to determine its "outside" interface's MAC address.

If you have or are planning to NAT some internal hosts to the connected network that connects the ASAs' "outside" interfaces, then you will run into problems with connectivity if you have Proxy ARP disabled. Then again, you could simply choose a NAT subnet for each ASA and have a route for each remote NAT subnet on each ASA so that ARP wouldn't become an issue. But again, if you just leave out NAT altogether for the LANs behind the ASAs, ARP should not be a problem.

People have reported ASAs acting differently depending on the software. Generally this is 8.2 -> 8.4 (etc.) updates. But I can't remember reading anything that should change the basic Proxy ARP operation between these software versions, but I can't be 100% sure.

Hope this helps

- Jouni
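An added configuration example (not from the thread, not Cisco's own documentation) showing the two options Jouni describes: disabling proxy ARP on the shared L2VPN interface when the LANs are simply routed, and, where a static NAT into that VLAN is unavoidable, using the per-mapping `no-proxy-arp` keyword with a routed NAT subnet instead. Interface names, the documentation-range addresses, and ASA 8.3+ object NAT syntax are assumptions.

```text
! Added example, not from the thread. Assumed: interface "outside" on the ISP
! L2VPN VLAN 203.0.113.0/24, local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24
! behind a peer ASA at 203.0.113.20, NAT subnet 198.51.100.0/24.
!
! 1) No NAT across the L2VPN: LANs are routed, so nothing on the shared VLAN
!    needs the ASA to answer ARP on its behalf. Disable proxy ARP only on the
!    outside interface; the ASA still answers ARP for its own outside IP.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
sysopt noproxyarp outside
!
! Reach the remote LAN via the peer ASA's real outside IP, no NAT involved.
route outside 10.2.0.0 255.255.255.0 203.0.113.20 1
!
! 2) If a host must be statically translated, proxy ARP is what makes a mapped
!    address in the VLAN's own subnet reachable. To keep proxy ARP off, map
!    into a separate subnet (198.51.100.0/24), add no-proxy-arp, and give the
!    peers a route to that subnet via 203.0.113.10 so no ARP for it is ever
!    sent on the shared VLAN.
object network srv-web
 host 10.1.0.80
 nat (inside,outside) static 198.51.100.80 no-proxy-arp
!
! Verification after the change
! show running-config sysopt   -> must list "sysopt noproxyarp outside"
! show arp                     -> outside entries should be peers' real IPs only
! capture arpcap interface outside ethernet-type arp
! show capture arpcap          -> replies from this ASA only for 203.0.113.10
```

On the peer ASAs the corresponding route (`route outside 198.51.100.0 255.255.255.0 203.0.113.10 1`) is what replaces the proxy-ARP reply, so apply it before disabling proxy ARP or the mapped host becomes unreachable.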
