Cisco Support Community

New Member

ASA5520: proxyarp question

I understand that proxyarp is enabled by default on the fw. With this enabled, would it cause internal network routing issues (responding to ARP requests)? Should proxyarp be enabled for the outside interface as well?

Currently I have it DISABLED but am not able to reach the server which has static translation config'd unless I enable it.

Thanks for any info

  • Firewalling
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ASA5520: proxyarp question

Hi

You need proxyarp enabled if you want the ASA to respond to ARPs for static translations, e.g.

static (inside,outside) 193.10.10.10 192.168.5.10 netmask 255.255.255.255

If a machine on the outside ARPs for 193.10.10.10 then the ASA needs to respond with its outside interface's MAC address, and then when the packet is forwarded to the ASA it translates it to 192.168.5.10 and forwards it on through its inside interface.

However, you can disable proxyarp on a per-interface basis, so if you think it is causing problems you could try disabling it on your inside interface only.

Please see attached link for details

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1542397

HTH

Jon
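
A configuration sketch of the per-interface approach described in the accepted answer, added here as an example and not taken from the original posts. It assumes the interfaces are named inside and outside as in the static statement, and that proxy ARP had been disabled on the outside interface (the question does not say which interface).

```cisco
! --- Global configuration mode ---

! Static translation from the answer above:
! outside hosts reach 192.168.5.10 via the mapped address 193.10.10.10.
static (inside,outside) 193.10.10.10 192.168.5.10 netmask 255.255.255.255

! Assumed "before" state: proxy ARP turned off on outside.
! The ASA no longer answers ARP requests for 193.10.10.10 on that segment,
! so outside hosts cannot resolve the mapped address and the server
! appears unreachable.
!   sysopt noproxyarp outside

! "After" state: proxy ARP back on for outside (the default),
! disabled only on inside where it is suspected of causing problems.
no sysopt noproxyarp outside
sysopt noproxyarp inside

! --- Privileged EXEC mode: checks ---

! Confirm which interfaces have proxy ARP disabled; only inside should be listed.
show running-config sysopt

! Confirm the static translation is present.
show xlate

! Note the MAC address of the outside interface. The ARP entry for
! 193.10.10.10 on the adjacent outside device should show this same MAC.
show interface outside
```

If the adjacent outside device still has no ARP entry for 193.10.10.10 after the change, check that proxy ARP is really enabled on the outside interface before looking at the translation or access rules.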
