We bought L2VPN from our ISP to connect all branches. The ISP assigned a VLAN for us to connect to their network. The problem that we are having now is that a branch, which has Proxy ARP enabled on the outside interface, is broadcasting its MAC address for all ARP requests. Is it an expected behaviour? If we disable it, are there any drawbacks for security reasons?
I see that it responds to ARP requests that are received on the outside interface, so it makes the connection unstable from branch to branch. But some ASAs which are also in the same VLAN (WAN) seem not to respond to ARP requests if they don't belong to their IP address. Why? Do different IOS versions behave differently?
If your sites are connected by the ISP's MPLS network then I would imagine that you have no need to use NAT for each site's LAN network?
If this is correct then I don't (at the moment) see any need to have Proxy ARP enabled on any ASA's "outside" interface. The ASA should still answer ARP requests that try to determine its "outside" interface's MAC address.
If you have or are planning to NAT some internal hosts to the connected network that connects the ASAs' "outside" interfaces, then you will run into problems with connectivity if you have Proxy ARP disabled. Then again, you could simply choose a NAT subnet for each ASA and have a route for each remote NAT subnet on each ASA so that ARP wouldn't become an issue. But again, if you just leave out NAT altogether for the LANs behind the ASAs, ARP should not be a problem.
People have reported ASAs acting differently depending on the software. Generally this is 8.2 -> 8.4 (etc.) updates. But I can't remember reading anything that should change the basic Proxy ARP operation between these software versions, but I can't be 100% sure.
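As an added example (not from this thread or from Cisco), here is a small Python script that checks a set of raw ARP frames from the shared WAN VLAN for the symptom described above: one device's MAC answering ARP requests for addresses it does not own. The frames, MACs and address assignments are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp_replies(frames):
    """Yield (sender_mac, sender_ip) for every well-formed Ethernet/ARP reply."""
    for frame in frames:
        if len(frame) < ETH_HDR.size + ARP_HDR.size:
            continue
        _, _, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            continue
        htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
            continue
        yield mac(sha), ip(spa)

def find_proxy_arp_suspects(frames, assigned):
    """assigned: {mac: ip} each WAN-side device should own.
    Returns {mac: sorted IPs it answered for that are not its own}."""
    claims = defaultdict(set)
    for sender_mac, sender_ip in parse_arp_replies(frames):
        if assigned.get(sender_mac) != sender_ip:
            claims[sender_mac].add(sender_ip)
    return {m: sorted(ips) for m, ips in claims.items()}

def build_arp_reply(sha, spa, tha, tpa):
    """Constructed test frame, not a real capture."""
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sha, spa, tha, tpa)

# Constructed addresses: HQ requester, branch A and branch B ASA outside interfaces.
HQ = bytes.fromhex("0011223344aa")
A  = bytes.fromhex("0011223344bb")
B  = bytes.fromhex("0011223344cc")
ip4 = socket.inet_aton
ASSIGNED = {mac(HQ): "203.0.113.10", mac(A): "203.0.113.1", mac(B): "203.0.113.2"}
SAMPLE_FRAMES = [
    build_arp_reply(A, ip4("203.0.113.1"), HQ, ip4("203.0.113.10")),  # A answers for its own IP
    build_arp_reply(A, ip4("203.0.113.2"), HQ, ip4("203.0.113.10")),  # A answers for B's IP (proxy ARP)
    build_arp_reply(A, ip4("203.0.113.3"), HQ, ip4("203.0.113.10")),  # A answers for an unassigned IP
    build_arp_reply(B, ip4("203.0.113.2"), HQ, ip4("203.0.113.10")),  # B answers for its own IP
]

if __name__ == "__main__":
    for m, ips in find_proxy_arp_suspects(SAMPLE_FRAMES, ASSIGNED).items():
        print(f"{m} answered ARP for addresses it does not own: {', '.join(ips)}")
```

On a real capture, feed the raw frames of the WAN VLAN in place of SAMPLE_FRAMES; a MAC listed in the result is the interface whose Proxy ARP setting deserves a look.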