06-30-2013 07:25 PM - edited 03-11-2019 07:05 PM
We bought L2VPN from our ISP to connect all branches. The ISP assigned a VLAN for us to connect to their network. The problem that we are having now is that a branch, which has Proxy ARP enabled on the outside interface, is broadcasting its MAC address for all ARP requests. Is this expected behaviour? If we disable it, is there any drawback for security reasons?
06-30-2013 09:32 PM
Hello,
The ASA will Proxy-ARP for a few reasons:
Receiving a packet for its outside interface
Receiving a packet for one of the IPs being used in a NAT statement
You can disable that behavior if needed, just be careful, as Proxy-ARP is needed to access devices.
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-30-2013 11:33 PM
Hi,
I see that it responds to ARP requests received on the outside interface, so it makes the connection unstable from branch to branch. But some ASAs which are also in the same VLAN (WAN) seem not to respond to ARP requests if the IP address doesn't belong to them. Why? Do different IOS versions behave differently?
Regards,
06-30-2013 11:43 PM
Hi,
If your sites are connected by the ISP MPLS network then I would imagine that you have no need to use NAT for each site's LAN network?
If this is correct then I don't (at the moment) see any need to have Proxy ARP enabled on any ASA's "outside" interface. The ASA should still answer ARP requests that try to determine its "outside" interface's MAC address.
If you have or are planning to NAT some internal hosts to the connected network that connects the ASAs' "outside" interfaces then you will run into problems with connectivity if you have Proxy ARP disabled. Then again you could simply choose a NAT subnet for each ASA and have a route for each remote NAT subnet on each ASA so that ARP wouldn't become an issue. But again, if you just leave out NAT altogether for the LANs behind the ASAs, ARP should not be a problem.
People have reported ASAs acting differently depending on the software. Generally this is 8.2 -> 8.4 (etc.) updates. But I can't remember reading anything that should change the basic Proxy ARP operation between these software versions, but I can't be 100% sure.
Hope this helps
- Jouni