02-22-2012 04:19 AM - edited 03-11-2019 03:33 PM
Hi,
We have a problem of setting up an ASA for our network's edge:
We have IP address
XX.150.85.91/255.255.255.0 set up for our ASA's outside interface. We have another IP address in the same block, XX.150.85.85, set up as a static NAT for one of our internal servers. We have a static route set up via the default gateway XX.150.85.254.
Everything is fine and working for the outside interface IP, but the NATted IP does not work. It WORKS if we test it from a host directly attached to the outside interface (using a switch), but it does not work from further out on the internet. IP traffic does not get routed to its destination (the outside interface of the ASA).
Proxy ARP is enabled, and we can see from the host directly attached to the outside interface that the IP XX.150.85.85 resolves to the outside interface's MAC address, as it is supposed to.
We have isolated the problem to the following using "debug arp" which outputs:
> arp-in: Arp packet received from XX.145.193.133 which is in different subnet than the connected interface XX.150.85.91/255.255.255.0
It seems that they want us to respond to an ARP request from a router in a different subnet. This seems to be quite evil behaviour, and I understand that the ASA does not respond to the request by default. Is there a way to change this behavior of the ASA? I think that the operator is not willing to change their setup.
I suppose that this also means that our outgoing traffic is routed through the default GW XX.150.85.254, but incoming traffic comes directly from the next-hop router revealed by "debug arp": XX.145.193.133.
-Mika
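The check behind the "debug arp" line quoted above is easy to model: the ASA compares the ARP sender's address with the connected subnet of the receiving interface and, by default, drops requests from senders outside it, even when the target is an address the ASA would otherwise proxy-ARP for. The following is an added example written for this thread, not Cisco code or output from the poster's device; the addresses and the sample debug line are constructed from RFC 5737 documentation ranges, and `permit_nonconnected` stands in for the effect of the `arp permit-nonconnected` setting discussed later in the thread.

```python
"""Model of the ASA ARP source-subnet check that produces the quoted
'debug arp' message.  Added illustration; all addresses and log lines are
constructed sample data, not taken from the poster's network."""
import ipaddress
import re

# Constructed stand-ins for the thread's outside interface and static NAT IP.
OUTSIDE_IF = ipaddress.ip_interface("198.51.100.91/255.255.255.0")
STATIC_NAT_IP = ipaddress.ip_address("198.51.100.85")


def arp_request_action(sender_ip, target_ip, interface=OUTSIDE_IF,
                       nat_ips=frozenset({STATIC_NAT_IP}),
                       permit_nonconnected=False):
    """Decide how the firewall handles one incoming ARP request.

    sender_ip / target_ip : addresses carried in the ARP request.
    interface             : the receiving interface (address + mask).
    nat_ips               : addresses proxy-ARP answers on behalf of (static NAT).
    permit_nonconnected   : models 'arp permit-nonconnected' being configured.
    """
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    owned = {interface.ip, *nat_ips}
    if target not in owned:
        return "ignore: target is not an address we own or proxy"
    # This is the check that logs 'arp-in: ... different subnet than the
    # connected interface' and, by default, discards the request.
    if sender not in interface.network and not permit_nonconnected:
        return "drop: sender not in connected subnet"
    if target == interface.ip:
        return "reply: interface address"
    return "reply: proxy-arp for static NAT"


# Pattern for the debug line quoted in the thread (text reproduced from it).
DEBUG_ARP_RE = re.compile(
    r"arp-in: Arp packet received from (?P<src>\S+) which is in different "
    r"subnet than the connected interface (?P<ifaddr>[^/\s]+)/(?P<mask>\S+)"
)


def nonconnected_arp_senders(debug_lines):
    """Pull (sender, interface) pairs out of 'debug arp' output so the
    off-subnet next hops can be listed before deciding on a workaround."""
    found = []
    for line in debug_lines:
        m = DEBUG_ARP_RE.search(line)
        if m:
            iface = ipaddress.ip_interface(f"{m['ifaddr']}/{m['mask']}")
            found.append((ipaddress.ip_address(m["src"]), iface))
    return found


# Constructed sample of what 'debug arp' prints in this situation.
SAMPLE_DEBUG = [
    "arp-in: Arp packet received from 192.0.2.133 which is in different "
    "subnet than the connected interface 198.51.100.91/255.255.255.0",
    "arp-in: request at outside from 198.51.100.254 0000.0c07.ac01 "
    "for 198.51.100.85 0000.0000.0000",
]

if __name__ == "__main__":
    for src, iface in nonconnected_arp_senders(SAMPLE_DEBUG):
        print(f"off-subnet ARP sender {src} on {iface}")
        print(" default   :", arp_request_action(src, STATIC_NAT_IP))
        print(" permitted :", arp_request_action(src, STATIC_NAT_IP,
                                                 permit_nonconnected=True))
```

Running the script shows why the NAT works from a directly attached host (sender 198.51.100.254 is in the connected subnet, so proxy ARP answers) but not from the provider's router (sender 192.0.2.133 is dropped) until `permit_nonconnected` is true, which mirrors the behaviour change the later replies describe.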
09-14-2012 12:56 PM
You can try this:
change
no arp permit-nonconnected
to
arp permit-nonconnected
Keep security in mind, but it could be a temporary workaround until you can reach the upstream or provider.
10-29-2012 05:57 PM
Hello J,
Exactly. After 8.4.3 the proxy-ARP behavior of the ASA no longer happens, so you need to apply any of the workarounds available.
Regards,
Julio
10-29-2012 06:30 PM
Thanks for the tip. Can you mention all the workarounds available?
10-29-2012 08:17 PM
Hello,
Actually the workaround would be to configure the ISP modem or outside router with a static route pointing to the ASA as the IP address of the new range.
So let's say
ASA-4.2.2.0/24-----Router
But you just bought the new range 8.8.8.0/24
So you configure the NAT on the ASA as usual, and on the router you create an entry like this:
ip route 8.8.8.0 255.255.255.0 4.2.2.1 (ASA_ip)
That will do it
Remember to rate all of the helpful posts (if you need assistance on how to rate a post, just let me know, I will help you).
Julio
10-29-2012 08:52 PM
Thanks jcarvaja,
I will need to add the route in the router plus the static ARP in the ASA, right?
But how can the ASA respond to the ARP request of the router? With a "debug arp" I see the log receiving the ARP request, but from a different subnet.
10-29-2012 09:33 PM
Hello,
No, you do not need the static ARP on the ASA.
The difference between 8.4.3 and higher and the older versions is that the ASA is no longer going to say "Hey everybody, I have x.x.x.x..." Now the ASA will only respond to requests saying "do you have x.x.x.x?"
So yes, the ASA will reply to messages on a different subnet (how: proxy-ARP, even though it will not let anyone know about it).
Regards,
Julio
11-12-2012 03:18 AM
Dear All,
If your ASA image is 8.6, maybe you can try to upgrade to 9.0. The Command Reference has "arp non-connected-subnet"; its behavior is just like the earlier "arp permit-nonconnected"! But this version was published very recently (10/29...). So... take care.
See the Command Reference: http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/a3.html#wp1814531
02-01-2013 05:16 AM
Hi All,
I have the same kind of issue as Mika; we were experiencing the same issue. The only difference here is that in front of the ASA
we have HSRP. Looking at the router, we could see the static NAT has the correct L2 address of the ASA. However, when trying to establish the connection from outside, this is not possible.
Once we disable proxy-ARP this works as it should. Though Cisco says static NAT requires proxy-ARP to be enabled (understandable), this only works once we disable proxy-ARP.
My question here is: if we disable proxy-ARP on each static NAT and then enable proxy-ARP globally, would this work?
e.g.
nat (inside,outside) source static objname1 objname1 destination static objname1 objname1 no-proxy-arp
nat (inside,outside) source static any any unidirectional
I have attached a diagram (not really a good one), but it explains a bit what was happening.
thanks in advance
Lancellot
02-04-2013 05:57 AM
Anyone? Someone? Please!!!
02-04-2013 06:44 AM
Hi,
It would be good to make a new post about the issue and perhaps link this thread/post to your new post for reference, so that the information about your case stays clear and easy to read.
Also, what is your software version? I think they introduced a command to avoid these ARP issues in the new software. I think the command was "arp permit-nonconnected".
How have you configured the router in front of the ASA? Does it have a secondary network configured for the NAT range?
Could you try to remove the "secondary" address range from the router (if it exists) and simply configure static routes pointing the NAT IP address range/subnet towards the ASA outside IP address, and see if that makes a difference.
- Jouni