New Member

Proxy ARP defaults

I just set up my first ASA, a 5515-x with 9.1. It was a straightforward setup: inside, outside, dmz and guest. A few servers with static NATs to the outside, they are in the DMZ and on the inside LAN. Everything works.

I then went through a tutorial that recommended that Proxy ARP be disabled on all interfaces. This breaks the servers with the static NAT. So I re-enable Proxy ARP on the outside interface and it works again.

Should I leave it disabled on all the other interfaces?

Thanks...Jim

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Proxy ARP defaults

Hi,

Most of the time I disable Proxy ARP on all the interfaces except for the external interface connected to Internet.

Naturally, if you were to configure NAT between some other interface which used an IP address from a connected network as the NAT IP address, then you would have to enable Proxy ARP on the interface towards which you are mapping/NATing the address.

The default setting on ASA is to have Proxy ARP enabled on all interfaces.

In some cases you might even be able to disable Proxy ARP on all the interfaces, but that would require playing around with static routes so the connected routers would know to forward packets directly to the ASA (and would therefore NOT use ARP requests even if they had the "directly connected" route for the destination address also).

But I would imagine you could leave the external interface enabled with Proxy ARP and disable it on all others unless you happen to need to do some NAT that requires enabling it on some internal interface also (not that common in basic setups).

- Jouni
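
The rule described in the answer above can be checked against a saved running-config. The following is an added example, not part of either post: it flags interfaces where `sysopt noproxyarp` would break a static NAT and interfaces where proxy ARP is still on with nothing using it. The interface names, object name and addresses are constructed, and it only understands object NAT with a literal mapped address (no twice NAT, no `no-proxy-arp` keyword).

```python
import ipaddress
import re

# Constructed sample in ASA 9.x syntax; names and addresses are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 ip address 10.0.1.1 255.255.255.0
interface GigabitEthernet0/3
 nameif guest
 ip address 10.0.2.1 255.255.255.0
object network WEB
 nat (dmz,outside) static 203.0.113.3
sysopt noproxyarp inside
sysopt noproxyarp dmz
"""

def audit_proxy_arp(config):
    """Map each named interface to a finding about its proxy ARP setting."""
    nets, disabled, needed, name = {}, set(), set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None  # new interface block, nameif not seen yet
        elif m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            disabled.add(m.group(1))
    # Static NAT to an address in the mapped interface's subnet needs proxy ARP there.
    for ifc, ip in re.findall(r"nat \(\S+?,(\S+?)\) static (\d+(?:\.\d+){3})", config):
        if ifc in nets and ipaddress.ip_address(ip) in nets[ifc]:
            needed.add(ifc)
    findings = {}
    for ifc in nets:
        if ifc in needed:
            findings[ifc] = "BROKEN: NAT needs proxy ARP" if ifc in disabled else "ok: needed by NAT"
        else:
            findings[ifc] = "ok: disabled" if ifc in disabled else "review: enabled, unused"
    return findings

if __name__ == "__main__":
    for ifc, finding in audit_proxy_arp(SAMPLE_CONFIG).items():
        print(f"{ifc:8} {finding}")
```
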
