When the PIX was replaced with the ASA, the PAT off of the interface worked great. I then went to test other systems, and found that NAT was not working.
Upon further review, the traffic wasn't even making it to the ASA for translation. As it turns out, the ISP said that the managed router had incomplete arp entries for all public addresses but our ASA outside interface.
As a temporary solution, I would change the IP address on the interface to each of the NAT'd addresses, and then back to what it should be. This routine fixed the problem, but then the ISP cleared the ARP table on the router and the problem is back.
Turns out that proxy-arp was disabled. (sysopt noproxyarp outside)
I enabled proxyarp, and the asa responded to arp for the static addresses.
I searched netpro and google for this, and can't believe that I couldn't find it. I guess it makes sense based on how the asa would have to respond for anything it was asked of. Has anyone run into this before?
Proxyarp is enabled by default on the outside in 7.x code. Look at the capture below where only when I configure noproxyarp it shows up in the configuration and that would mean it's a user configured value. In your case it looks like someone may have disabled the proxyarp on the outside.
I don't see how the PIX/ASA would respond, without proxyarp enabled, on behalf of a host that's configured for static translation if the global address happens to be on the same subnet as the outside of the firewall.
Proxy-arp is normally for arp response on behalf of another device that is on a different segment. For static NATs in the ASA I would think it would reply to these ARPs because they are on the same external subnet and the static NATs are present. Proxy-arp is normally for cross segment arp proxying and I want that disabled. ???
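
Added example, not part of the thread: a Python check that reads a PIX/ASA 7.x-style configuration and lists the static NAT global addresses that sit in the outside interface's own subnet while `sysopt noproxyarp outside` is set, which is the condition described above where the upstream router ends up with incomplete ARP entries. The sample configuration and the function name `unanswered_static_globals` are constructed for illustration, and only plain `static (real_if,mapped_if) mapped_ip real_ip` lines are handled.

```python
import ipaddress
import re

# Constructed sample in PIX/ASA 7.x syntax (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
static (inside,outside) 203.0.113.5 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.6 192.168.1.11 netmask 255.255.255.255
static (inside,outside) 198.51.100.20 192.168.1.12 netmask 255.255.255.255
sysopt noproxyarp outside
"""

def unanswered_static_globals(config, ifname="outside"):
    """Static NAT global IPs in the interface subnet that the firewall will not ARP for."""
    # Proxy ARP stays on unless 'sysopt noproxyarp <ifname>' is in the configuration.
    if not re.search(rf"^sysopt noproxyarp {re.escape(ifname)}\s*$", config, re.M):
        return []
    # Locate the interface block that carries 'nameif <ifname>' and read its address.
    subnet = None
    for block in re.split(r"^!\s*$", config, flags=re.M):
        if re.search(rf"^\s*nameif {re.escape(ifname)}\s*$", block, re.M):
            m = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
            if m:
                subnet = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    if subnet is None:
        return []
    # Mapped addresses outside the subnet are routed to the firewall and need no ARP reply.
    pattern = rf"^static \([\w-]+,{re.escape(ifname)}\) (\d+\.\d+\.\d+\.\d+) "
    hits = []
    for m in re.finditer(pattern, config, re.M):
        ip = ipaddress.ip_address(m.group(1))
        if ip in subnet.network and ip != subnet.ip:
            hits.append(str(ip))
    return hits
```
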