Cisco Support Community
New Member

ASA 5505 no proxyarp + ssl vpn

I have an ASA 5505 (running 8.0.4 code) that has to have proxyarp turned off on the inside interface due to the issue described in MS KB 888816.

I am able to establish my VPN connection but I can't talk to any of my servers. When I turn proxyarp back on I can communicate just fine, but as soon as I no proxyarp inside, once the ARP times out I am again not able to communicate through the VPN. The VPN clients and the hosts on the inside that I am trying to talk to are all on the same subnet with no NAT between them.

I have also tried doing static arp entries on the 5505, to no avail. Anyone have a workaround to this?

Thanks

Barry

5 REPLIES
Bronze

Re: ASA 5505 no proxyarp + ssl vpn

The problem is that they are in the same subnet, the internal and VPN hosts, so the only way the packets will arrive at the ASA to be forwarded to the VPN client is with proxy ARP.

If you want to disable that, you need to have another subnet for VPN clients. So you need the default gateway of your network to point to the ASA for the new subnet.

New Member

Re: ASA 5505 no proxyarp + ssl vpn

I don't know if it's an option to create a third interface on a 5505.

Bronze

Re: ASA 5505 no proxyarp + ssl vpn

You don't need a new interface; you only need the VPN IP pool to be in a different subnet, one that is not the same as your internal network or any other network that is already in use.

The ASA will be in charge of routing that to the VPN users as long as the packets arrive at it.

New Member

Re: ASA 5505 no proxyarp + ssl vpn

Yes, you're right. I got it. I did your suggestions, but forgot to modify the split tunnel/NAT config. Once I did that it is working.

Thanks Much

Bronze

Re: ASA 5505 no proxyarp + ssl vpn

Rate pls.
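
The fix the thread arrives at, sketched as an added example for ASA 8.0-style syntax (it is not configuration posted by anyone in the thread). The addresses and the names SSLVPN-POOL, NONAT, SPLIT-TUNNEL and SSLVPN-GP are assumptions chosen for illustration.

```cisco
! Assumed addressing (not from the thread):
!   inside LAN        192.168.1.0/24
!   new VPN pool      192.168.50.0/24  (must not overlap any network in use)

! Proxy ARP stays disabled on the inside interface, as the original post requires.
sysopt noproxyarp inside

! VPN clients get addresses from a subnet that is NOT the inside subnet, so
! inside hosts route replies to the ASA instead of ARPing for the client
! address on the local segment.
ip local pool SSLVPN-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! NAT exemption must match the new pool; an ACL that still references the
! old, same-subnet pool is the step that is easy to forget.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split tunnel: send only the inside LAN through the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value SSLVPN-POOL

! Return path: inside hosts must reach 192.168.50.0/24 via the ASA. If the
! ASA is not their default gateway, add a route for the pool on that gateway
! pointing at the ASA's inside address.
```

With the pool on its own subnet, `show arp` on an inside host should no longer need an entry for any VPN client address; traffic to the pool follows the routing table to the ASA.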
