CISCO ASA static NAT and ARP

modestusl
Level 1

Hi,

Scenario:

The LAN interface of the internet router is connected to a layer 2 switch. There are many gateways (Firewalls) are connected to this Switch. We connected the ASA Firewall outside interface to this switch. We do have web servers behind the ASA Firewall and we configured static NAT on the firewall for these Servers. The Internet Router is not configured with any static-routes to route the Web Server traffic to the Firewall.

Question:

Can we configure the CISCO ASA Firewall to reply with its outside MAC Address for the ARP requests from the router for the public IP addresses (NATed) of the Web Servers?

Note: Customer is not willing to change any configuration on the Router to add the static-routes. The existing WatchGuard can work on his current environment and he is thinking of replacing this Firewall with the CISCO ASA Firewall due to some performance issue.

Regards,

Modestus

6 Replies

If the NATed IPs are in the same subnet as the PIX's outside interface, then you don't need to configure anything special for this to occur other than a Static translation. When you create the translation the PIX will automatically reply to ARP requests with addresses it is maintaining in its translation table. I'm not entirely sure if it will do it for a set of addresses from another subnet than the outside interface though. The first one I've done before.

Please rate any helpful posts

Thanks

Fred

anand1871
Level 1

If the ASA interface IP address and the NATted IP of the web server are in the same subnet then:

A) The outside MAC address for the ARP request from the router for the public IP addresses (NATed) of the Web Servers would be the MAC address of the outside interface of the ASA.

You don't have to do any configuration for the reachability. No static routes or anything are needed.

Fernando_Meza
Level 7

Hi ... the ASA by default responds to ARP requests for any statics configured on any of its interfaces, as long as the global IP that is being used is on the same network as one of its interfaces; otherwise you need to add one static route on your Internet router.

Please see the below explanation about proxy arp.

"When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address.

The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses."

I hope it helps .. please rate it if it does !!!

Hi Guys,

Thanks for your response.

I tried configuring Static NAT on the ASA Firewall and replaced the existing Watchguard Firewall with the ASA, but I found that the Perimeter Router is not redirecting the Web requests to the ASA. I suspect that, due to the ARP cache on the router, it is trying to redirect the traffic to the previous Firewall MAC address.

As I mentioned before, due to some reasons the Static Routes cannot be configured on the Perimeter Router.

How can I configure the ASA to broadcast its MAC address to the perimeter Router for the NATed IP addresses (global IPs) of the Web Servers?

I did simulate the environment in my lab with static route configured on the perimeter router, it works fine with the ASA. But I cannot use static route in my customer's environment.

Regards,

Modestus

Proxy ARP is the feature you need to use. But if you are doing a migration then more than likely just clearing the ARP cache on the perimeter router is all you need. You need to remember that the router is going to cache that entry, and unless something like proxy ARP tells it to update its ARP table or the cache timer runs out, the traffic will still use the previous address.

Please rate any helpful posts

Thanks

Fred
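To make the two points in this thread concrete (the ASA proxy-ARPs only for static-NAT global addresses inside its outside subnet, and the router keeps using a stale cache entry until it is cleared or ages out), here is an added Python model; it is not code from the thread or from Cisco. The addresses, MACs and static entries are constructed, and the 4-hour timeout is the Cisco IOS default ARP aging time.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface

OLD_FW_MAC = "00:11:22:aa:aa:aa"   # constructed: MAC of the firewall being replaced
ASA_MAC = "00:11:22:bb:bb:bb"      # constructed: ASA outside interface MAC


@dataclass
class Asa:
    """Models the proxy-ARP rule from the thread: the ASA answers ARP for its own
    outside address and for static-NAT global addresses inside that subnet."""
    outside: str                   # outside interface address, e.g. "203.0.113.1/24"
    mac: str
    statics: frozenset             # global (NATed) addresses of the static translations

    def answers_arp_for(self, target: str) -> bool:
        iface = ip_interface(self.outside)
        ip = ip_address(target)
        proxied = target in self.statics and ip in iface.network
        return ip == iface.ip or proxied


@dataclass
class RouterArpCache:
    """Router ARP cache with aging: an entry is used until cleared or timed out."""
    timeout: int = 14400           # Cisco IOS default ARP timeout, 4 hours
    entries: dict = field(default_factory=dict)   # ip -> (mac, learned_at)

    def next_hop_mac(self, ip: str, now: int, asa: Asa):
        """MAC the router frames traffic for `ip` toward; None if nobody answers ARP."""
        hit = self.entries.get(ip)
        if hit and now - hit[1] < self.timeout:
            return hit[0]                        # cached entry, possibly stale
        if asa.answers_arp_for(ip):              # ARP request goes out; ASA proxy-replies
            self.entries[ip] = (asa.mac, now)
            return asa.mac
        return None                              # no reply: router needs a static route


def migration_demo():
    """Cut-over scenario: router still holds the old firewall's MAC for the server."""
    asa = Asa("203.0.113.1/24", ASA_MAC, frozenset({"203.0.113.10", "198.51.100.10"}))
    router = RouterArpCache()
    router.entries["203.0.113.10"] = (OLD_FW_MAC, 0)   # learned before the swap
    stale = router.next_hop_mac("203.0.113.10", 600, asa)     # old MAC: traffic misdirected
    router.entries.clear()                                    # equivalent of 'clear arp'
    fixed = router.next_hop_mac("203.0.113.10", 601, asa)     # ASA answers: new MAC
    offnet = router.next_hop_mac("198.51.100.10", 602, asa)   # outside the /24: no proxy ARP
    return stale, fixed, offnet
```

The third result shows the off-subnet case Fernando describes: no device answers ARP for a global address outside the outside interface's network, so only a static route on the router can deliver that traffic.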

Hi Guys,

Is there any command which I can use on the CISCO ASA in order to force it to broadcast (to the router) its outside interface MAC Address with all the NATed (Static) IP addresses?

Regards,

Modestus
