ASA not proxy ARPing remote IP address

oldcreek12
Level 1

Hi, I am setting up a simple site2site VPN between ASA5520 at HQ and ASA5505 in remote office, HQ uses 10.0.0.0/8 network while remote office uses 172.30.16.0/20 network, ASA5505's inside IP is 172.30.16.0.254/24, there is a C3560 connected to ASA's inside interface with IP 172.30.16.252/24. IPsec tunnel is fine, however when I ping from 10.1.1.108 from HQ, echo request is sent to C3560 by ASA 5505, but I cannot get echo reply back from remote C3560 switch, debug on ASA5505 shows that when C3560 tries to ARP for 10.1.1.108, ASA5505 does not proxy-ARP it. I have default proxy-arp turned on. I can set C3560's default gateway to ASA5505's inside IP address to avoid proxy-arp, but I don't have network connection to C3560, classical chicken-egg problem.

debug arp  enabled at level 1
asa5505# arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301045040

arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301048040
b arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000

Nagaraja Thanthry
Cisco Employee

Hello,

What is the default gateway on the 3560? Can you ensure that the 3560 has the default gateway set to the inside of 5505. Also, if you have turned on routing on 3560, then you should use "ip route 0.0.0.0 0.0.0.0 " form to set the default gateway.

Hope this helps.

Regards,

NT

Thanks, but that is not the point, I don't have to set C3560's default-gateway, ASA5505 is supposed to proxy-arp any ARP request coming from C3560. (Besides, as I mentioned, I don't have network connectivity to C3560)

Hello,

ASA will not Proxy-ARP for every destination unless you have configured NAT on that interface. If you have configured something like "static (outside,inside) 10.0.0.0 10.0.0.0 255.0.0.0", then ASA will ARP for it. It will not Proxy-arp in general as it could lead to catastrophic network issues.

Hope this helps.

Regards,

NT

Thanks a lot, static NAT allows me to gain remote access to the switch and I am able to configure default route on the switch.
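
An added example, not part of the original thread and not Cisco code: a small Python model of the behaviour described in the accepted reply, run over the `debug arp` request lines quoted in the question. The function name, the `proxied_nets` parameter and the simplified rule (the firewall answers only for ranges covered by a static NAT on that interface) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches "arp-in: request" lines in the form shown in the question's debug output.
ARP_REQ = re.compile(
    r"arp-in: request at (?P<ifc>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-f.]+) for (?P<dst>\d+\.\d+\.\d+\.\d+)"
)

def classify_arp_requests(debug_text, ifc_subnet, proxied_nets=()):
    """Count ARP requests per (requester, target, verdict).

    ifc_subnet   -- subnet of the interface that received the requests
    proxied_nets -- ranges the firewall answers for (assumed here to be the
                    ranges covered by a static NAT, as the accepted reply says)
    """
    subnet = ipaddress.ip_network(ifc_subnet)
    proxied = [ipaddress.ip_network(n) for n in proxied_nets]
    counts = Counter()
    for m in ARP_REQ.finditer(debug_text):
        dst = ipaddress.ip_address(m["dst"])
        if dst in subnet:
            verdict = "on-subnet"    # ordinary ARP, no proxy involved
        elif any(dst in n for n in proxied):
            verdict = "proxied"      # firewall would answer on the target's behalf
        else:
            verdict = "unanswered"   # requester needs a default gateway or route
        counts[(m["src"], m["dst"], verdict)] += 1
    return counts

# Sample input: the debug lines from the question, including the stray "b" prefix.
SAMPLE = """\
asa5505# arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301045040
arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
b arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
"""

if __name__ == "__main__":
    # Compare the situation before and after adding the static NAT for 10.0.0.0/8.
    for nets in ((), ("10.0.0.0/8",)):
        result = classify_arp_requests(SAMPLE, "172.30.16.0/24", nets)
        for key, n in result.items():
            print(nets or "no static NAT", key, n)
```

Repeated "unanswered" entries for the same requester and target are the signature of a host that has no usable default gateway and is relying on proxy ARP.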
