New Member

ARPproxy is enabled by default on Cisco ASA

We bought L2VPN from our ISP to connect all branches. The ISP assigned a VLAN for us to connect to their network. The problem that we are having now is that a branch, which has ARP proxy enabled on the outside interface, is broadcasting its MAC address for all ARP requests. Is it an expected behaviour? If we disable it, is there any drawback for security reasons?


Hello,

The ASA will Proxy-ARP for several reasons:

  • Receiving a packet to its outside interface

  • Receiving a packet to one of the IPs being used in a NAT statement

You can disable that behavior if you need to, just be careful, as Proxy-ARP is needed to access devices.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Hi,

I see that it responds to ARP requests received on the outside interface, so it makes the connection unstable from branch to branch. But some ASAs which are also in the same VLAN (WAN) seem not to respond to ARP requests if the IP address doesn't belong to them. Why? Do different IOS versions behave differently?

Regards,

Super Bronze

Hi,

If your sites are connected by the ISP's MPLS network, then I would imagine that you have no need to use NAT for each site's LAN network?

If this is correct, then I don't (at the moment) see any need to have Proxy ARP enabled on any ASA's "outside" interface. The ASA should still answer ARP requests that try to determine its "outside" interface's MAC address.

If you have or are planning to NAT some internal hosts to the connected network that connects the ASAs' "outside" interfaces, then you will run into problems with connectivity if you have Proxy ARP disabled. Then again, you could simply choose a NAT subnet for each ASA and have a route for each remote NAT subnet on each ASA, so that ARP wouldn't become an issue. But again, if you just leave out NAT altogether for the LANs behind the ASAs, ARP should not be a problem.

People have reported ASAs acting differently depending on the software. Generally this is with 8.2 -> 8.4 (etc.) updates. But I can't remember reading anything that should change the basic Proxy ARP operation between these software versions, but I can't be 100% sure.

Hope this helps

- Jouni
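One way to confirm from the shared WAN VLAN which device is proxy-ARPing, as an added example that is not part of any post above: capture ARP on the VLAN (for instance with `tcpdump -n -e arp`), then check which MAC answers "is-at" for addresses that belong to other sites. The capture lines, the `OUTSIDE_IPS` inventory of each branch ASA's outside address and MAC, and all function names below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the spirit of "tcpdump -n -e arp" output on the WAN VLAN.
# Only the "Reply <ip> is-at <mac>" part is parsed, so timestamps/lengths may differ.
SAMPLE_CAPTURE = """\
10:00:01.000 00:11:22:aa:aa:aa > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 10.10.0.3 tell 10.10.0.1, length 46
10:00:01.001 00:11:22:bb:bb:bb > 00:11:22:aa:aa:aa, ARP, length 60: Reply 10.10.0.3 is-at 00:11:22:bb:bb:bb, length 46
10:00:01.001 00:11:22:cc:cc:cc > 00:11:22:aa:aa:aa, ARP, length 60: Reply 10.10.0.3 is-at 00:11:22:cc:cc:cc, length 46
10:00:02.000 00:11:22:aa:aa:aa > ff:ff:ff:ff:ff:ff, ARP, length 60: Request who-has 10.10.0.4 tell 10.10.0.1, length 46
10:00:02.001 00:11:22:dd:dd:dd > 00:11:22:aa:aa:aa, ARP, length 60: Reply 10.10.0.4 is-at 00:11:22:dd:dd:dd, length 46
10:00:02.001 00:11:22:cc:cc:cc > 00:11:22:aa:aa:aa, ARP, length 60: Reply 10.10.0.4 is-at 00:11:22:cc:cc:cc, length 46
"""

# Constructed inventory: the "outside" IP and MAC each branch ASA legitimately owns.
OUTSIDE_IPS = {
    "10.10.0.1": "00:11:22:aa:aa:aa",
    "10.10.0.2": "00:11:22:cc:cc:cc",
    "10.10.0.3": "00:11:22:bb:bb:bb",
    "10.10.0.4": "00:11:22:dd:dd:dd",
}

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")

def parse_arp_replies(capture):
    """Return (ip, mac) pairs from every ARP Reply line in the capture text."""
    return [(m.group(1), m.group(2)) for line in capture.splitlines()
            if (m := REPLY_RE.search(line))]

def find_proxy_arp_senders(capture, inventory):
    """Map each MAC to the sorted IPs it answered for that it does not own.

    An ASA proxy-ARPing on its outside interface shows up here because it
    replies 'is-at <own MAC>' for addresses that belong to other branches.
    """
    suspects = defaultdict(set)
    for ip, mac in parse_arp_replies(capture):
        if inventory.get(ip) != mac:
            suspects[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in suspects.items()}

def duplicate_answers(capture):
    """IPs answered by more than one MAC: the source of the flapping
    branch-to-branch connectivity described in the thread."""
    seen = defaultdict(set)
    for ip, mac in parse_arp_replies(capture):
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    print(find_proxy_arp_senders(SAMPLE_CAPTURE, OUTSIDE_IPS))
    print(duplicate_answers(SAMPLE_CAPTURE))
```

With the sample data, the 10.10.0.2 ASA (MAC 00:11:22:cc:cc:cc) is the one answering for other sites' addresses, which is what disabling proxy ARP on its outside interface (or per NAT rule, as Jouni describes) is meant to stop.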
