New Member

ASA not proxy ARPing remote IP address

Hi, I am setting up a simple site2site VPN between an ASA5520 at HQ and an ASA5505 in a remote office. HQ uses the 10.0.0.0/8 network while the remote office uses the 172.30.16.0/20 network. The ASA5505's inside IP is 172.30.16.0.254/24, and there is a C3560 connected to the ASA's inside interface with IP 172.30.16.252/24. The IPsec tunnel is fine; however, when I ping from 10.1.1.108 at HQ, the echo request is sent to the C3560 by the ASA5505, but I cannot get an echo reply back from the remote C3560 switch. Debug on the ASA5505 shows that when the C3560 tries to ARP for 10.1.1.108, the ASA5505 does not proxy-ARP it. I have default proxy-arp turned on. I can set the C3560's default gateway to the ASA5505's inside IP address to avoid proxy-arp, but I don't have a network connection to the C3560, a classical chicken-egg problem.

debug arp  enabled at level 1
asa5505# arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301045040

arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301048040
b arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000

1 ACCEPTED SOLUTION

Cisco Employee

Re: ASA not proxy ARPing remote IP address

Hello,

ASA will not Proxy-ARP for every destination unless you have configured NAT on that interface. If you have configured something like "static (outside,inside) 10.0.0.0 10.0.0.0 255.0.0.0", then ASA will ARP for it. It will not Proxy-arp in general as it could lead to catastrophic network issues.

Hope this helps.

Regards,

NT
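The rule stated in the answer, applied to the debug output from the question, as an added example that is not part of the original thread. It is a simplified model, not the ASA's own logic: `classify`, the verdict labels and the CIDR form of the NAT range are assumptions made for illustration.

```python
import ipaddress
import re

# Line format taken from the "debug arp" output quoted in the question.
ARP_IN = re.compile(
    r"arp-in: request at (?P<ifc>\S+) from (?P<src>\S+) (?P<mac>\S+) for (?P<dst>\S+)")

def classify(lines, inside_net, nat_mapped):
    """Count ARP requests per (source, target) and say how each would be handled.

    inside_net : subnet of the interface the requests arrive on
    nat_mapped : networks mapped onto that interface by NAT; under the rule in
                 the answer these are the only off-subnet targets answered.
    """
    inside = ipaddress.ip_network(inside_net)
    mapped = [ipaddress.ip_network(n) for n in nat_mapped]
    seen = {}
    for line in lines:
        m = ARP_IN.search(line)
        if not m:
            continue  # arp-set lines, blank lines, prompts
        key = (m["src"], m["dst"])
        seen[key] = seen.get(key, 0) + 1
    report = []
    for (src, dst), count in seen.items():
        target = ipaddress.ip_address(dst)
        if target in inside:
            verdict = "on-link"      # ordinary ARP, the owner of the address replies
        elif any(target in n for n in mapped):
            verdict = "proxy-arp"    # covered by a NAT mapping on this interface
        else:
            verdict = "unanswered"   # sender has no gateway and nothing proxies
        report.append((src, dst, count, verdict))
    return report

# The debug lines from the question, copied verbatim (prompt and stray "b" included).
DEBUG_ARP = """\
asa5505# arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301045040
arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
arp-set: added arp inside 172.30.16.252 001e.1477.4f40 and updating NPs at 301048040
b arp-in: request at inside from 172.30.16.252 001e.1477.4f40 for 10.1.1.108 0000.0000.0000
""".splitlines()

if __name__ == "__main__":
    for nat in ([], ["10.0.0.0/8"]):  # without, then with, the static from the answer
        print(nat, classify(DEBUG_ARP, "172.30.16.0/24", nat))
```

Repeated "unanswered" entries for an off-subnet target point to a host with no default gateway that depends on proxy ARP, which is the condition the switch in this thread was in.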

4 REPLIES
Cisco Employee

Re: ASA not proxy ARPing remote IP address

Hello,

What is the default gateway on the 3560? Can you ensure that the 3560 has the default gateway set to the inside of 5505? Also, if you have turned on routing on 3560, then you should use "ip route 0.0.0.0 0.0.0.0 " form to set the default gateway.

Hope this helps.

Regards,

NT

New Member

Re: ASA not proxy ARPing remote IP address

Thanks, but that is not the point. I don't have to set the C3560's default-gateway; the ASA5505 is supposed to proxy-arp any ARP request coming from the C3560. (Besides, as I mentioned, I don't have network connectivity to the C3560.)


New Member

Re: ASA not proxy ARPing remote IP address

Thanks a lot, static NAT allows me to gain remote access to the switch and I am able to configure default route on the switch.
