ASA 5505 8.4(3) not responding to ARP requests from different subnet

mika_cesim
Level 1

Hi,

We have a problem of setting up an ASA for our network's edge:

We have IP address XX.150.85.91/255.255.255.0 set up for our ASA's outside interface. We have another IP address in the same block, XX.150.85.85, set up as a static NAT for one of our internal servers. We have a static route set up via the default gateway XX.150.85.254.

Everything is fine and working for the outside interface IP, but the NATted IP does not work. It WORKS if we test it from a host directly attached to the outside interface (using a switch), but it does not work further out from the internet. IP traffic does not get routed to its destination (the outside interface of the ASA).

Proxy ARP is enabled, and we can see from the host directly attached to the outside interface that the IP XX.150.85.85 resolves to the outside interface's MAC address, as it is supposed to.

We have isolated the problem to the following using "debug arp" which outputs:

> arp-in: Arp packet received from XX.145.193.133 which is in different subnet than the connected interface XX.150.85.91/255.255.255.0

It seems that they want us to respond to an ARP request from a router in a different subnet. This seems to be quite evil behaviour and I understand that the ASA does not respond to the request by default. Is there a way to change this behavior of the ASA? I think that the operator is not willing to change their setup.

I suppose that this also means that our outgoing traffic is routed through the default gw XX.150.85.254, but incoming traffic comes directly from the next-hop router revealed by "debug arp": XX.145.193.133.

-Mika

24 Replies

You can try this:

change no arp permit-nonconnected

to

arp permit-nonconnected

Keep security in mind but could be a temp work around until you can reach the upstream or provider.

Hello J,

Exactly, after 8.4.3 the Proxy-ARP behavior of the ASA no longer happens, so you need to apply any of the work-arounds available,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the tip. Can you mention all the workarounds available?

Hello,

Actually the workaround would be to configure the ISP modem or outside router with a static route pointing to the ASA as the IP address of the new range.

So let's say

ASA-4.2.2.0/24-----Router

But you just bought the new range 8.8.8.0/24

So you configure the NAT on the ASA as regular and on the router you create an entry like this

ip route 8.8.8.0 255.255.255.0 4.2.2.1 ( ASA_ip)

That will do it

Remember to rate all of the helpful posts ( if you need assistance on how to rate a post just let me know, I will help you)

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks jcarvaja,

I will need to add the route in the router plus the static ARP in the ASA right?

But how can the ASA respond to the ARP request of the router? With a "debug arp" I see the log receiving the ARP request but from a different subnet.

Hello,

No, you do not need the static arp on the ASA,

The difference between 8.4.3 and higher and the older versions is that the ASA is no longer going to say "Hey everybody, I have x.x.x.x"... Now the ASA will only respond to requests saying "do you have x.x.x.x?"

So yes, the ASA will reply to messages on a different subnet (How: proxy-arp, even though it will not let anyone know about it)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
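A small model of the ARP-reply decision this thread describes (the off-subnet drop seen in "debug arp", what "arp permit-nonconnected" changes, and why a host on the same switch still works), written as an added example in Python and not taken from the thread or from Cisco's code. It parses a constructed "debug arp" line in the format quoted in the first post, uses documentation-range addresses in place of the masked XX ones, and models only the behaviour the replies describe, not the ASA's actual implementation.

```python
"""Model of the ASA ARP-reply decision this thread describes (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the thread's masked addresses (the XX octets are
# not on the page); documentation ranges are used instead.
OUTSIDE_IP = ipaddress.IPv4Interface("203.0.113.91/255.255.255.0")   # ASA outside
NAT_IP = ipaddress.IPv4Address("203.0.113.85")          # static NAT for the server
DEFAULT_GW = ipaddress.IPv4Address("203.0.113.254")     # on-link default gateway
OFF_SUBNET_ROUTER = ipaddress.IPv4Address("198.51.100.133")  # stands in for XX.145.193.133

# Constructed "debug arp" line in the format quoted in the first post.
SAMPLE_DEBUG_LINE = (
    "arp-in: Arp packet received from 198.51.100.133 which is in different "
    "subnet than the connected interface 203.0.113.91/255.255.255.0"
)

DEBUG_ARP_RE = re.compile(
    r"arp-in: Arp packet received from (?P<sender>[\d.]+) which is in different "
    r"subnet than the connected interface (?P<if_ip>[\d.]+)/(?P<mask>[\d.]+)"
)


def parse_debug_arp(line):
    """Extract (sender, interface) from a 'different subnet' debug arp line.

    Returns None when the line is not of that form.
    """
    m = DEBUG_ARP_RE.search(line)
    if m is None:
        return None
    sender = ipaddress.IPv4Address(m["sender"])
    iface = ipaddress.IPv4Interface(f"{m['if_ip']}/{m['mask']}")
    return sender, iface


def sender_is_connected(sender, iface):
    """True when the ARP sender lies inside the interface's connected subnet."""
    return sender in iface.network


@dataclass
class OutsideInterface:
    """ARP-answering behaviour of one ASA interface, as the thread describes it."""
    address: ipaddress.IPv4Interface
    proxy_arp_targets: set = field(default_factory=set)  # static-NAT IPs with proxy-arp on
    permit_nonconnected: bool = False                    # 'arp permit-nonconnected'

    def owns(self, target):
        """The interface answers for its own IP and for proxy-ARP NAT addresses."""
        return target == self.address.ip or target in self.proxy_arp_targets

    def decide(self, sender, target):
        """Return 'reply' or a short reason the request is left unanswered."""
        if not self.owns(target):
            return "ignore: target is neither the interface nor a proxy-ARP NAT address"
        if not sender_is_connected(sender, self.address) and not self.permit_nonconnected:
            return "drop: sender off-subnet and 'arp permit-nonconnected' is off"
        return "reply"


def compare_settings(sender, target):
    """Decision for the same request with the non-connected setting off and on."""
    return {
        flag: OutsideInterface(OUTSIDE_IP, {NAT_IP}, permit_nonconnected=flag).decide(sender, target)
        for flag in (False, True)
    }


if __name__ == "__main__":
    sender, iface = parse_debug_arp(SAMPLE_DEBUG_LINE)
    print(f"sender {sender} inside {iface.network}? {sender_is_connected(sender, iface)}")
    for flag, outcome in compare_settings(sender, NAT_IP).items():
        print(f"arp permit-nonconnected={flag}: {outcome}")
    print("host on the same switch:", compare_settings(DEFAULT_GW, NAT_IP)[False])
```

The sender check is made against the interface's own mask, which is why the two fixes in the thread work on different sides: "arp permit-nonconnected" relaxes the check on the ASA, while a static route on the upstream router (so that its ARP request for the NAT range arrives from an address inside the connected subnet) makes the check pass without touching the ASA.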

Dear All

If your ASA image is 8.6, maybe you can try to upgrade to 9.0. The Command Reference has "arp non-connected-subnet"; its behavior is just like the earlier "arp permit-nonconnected"! But this version was published very recently (10/29......). SO... take care.

See Command Reference--- http://www.cisco.com/en/US/docs/security/asa/asa90/command/reference/a3.html#wp1814531

Lance Wendel
Level 1

Hi All,

I have the same kind of issue as Mika; we were experiencing the same issue. The only thing here is that in front of the ASA we have HSRP. Looking at the router we could see the static NAT has the correct L2 address of the ASA; however, when trying to establish the connection from outside this is not possible.

Once we disable the proxy-arp this works as it should. Though Cisco says static NAT requires proxy-arp to be enabled (understandable), this only works once we disable the proxy-arp.

My question here is: if we disable proxy-arp on each static NAT and then enable proxy-arp globally, would this work?

e.g.

nat (inside,outside) source static objname1 objname1 destination static objname1 objname1 no-proxy-arp

nat (inside,outside) source static any any unidirectional

I have attached a diagram (not really a good one), but it explains a bit of what was happening

thanks in advance

Lancellot

any one ? someone? please!!!

Hi,

It would be good to make a new post about the issue and perhaps link this thread/post to your new post for reference, so that the information about your case stays clear and easy to read.

Also what is your software? I think they introduced a command to avoid these ARP issues in the new software. Think the command was "arp permit-nonconnected"

How have you configured the router in front of the ASA? Does it have a secondary network configured for the NAT range?

Could you try to remove the "secondary" address range from the router (if it exists) and simply configure static routes pointing the NAT IP address range/subnet towards the ASA outside IP address and see if that makes a difference.

- Jouni
