The LAN interface of the internet router is connected to a layer 2 switch. There are many gateways (Firewalls) are connected to this Switch. We connected the ASA Firewall outside interface to this switch. We do have web servers behind the ASA Firewall and we configured static NAT on the firewall for these Servers. The Internet Router is not configured with any static-routes to route the Web Server traffic to the Firewall.
Can we configure the CISCO ASA Firewall to reply with its outside MAC Address for the ARP requests from the router for the public IP addresses (NATed) of the Web Servers?
Note: Customer is not willing to change any configuration on the Router to add the static-routes. The existing WatchGuard can work on his current environment and he is thinking of replacing this Firewall with the CISCO ASA Firewall due to some performance issue.
If the NATed IPs are in the same subnet as the PIX's outside interface, then you don't need to configure anything special for this to occur other than a static translation. When you create the translation the PIX will automatically reply to ARP requests with addresses it is maintaining in its translation table. I'm not entirely sure if it will do it for a set of addresses from another subnet than the outside interface though. The first one I've done before.
Hi ... the ASA by default responds to ARP requests for any statics configured on any of its interfaces, as long as the global IP that is being used is on the same network as one of its interfaces; otherwise you need to add one static route on your Internet router.
Please see the below explanation about proxy arp.
"When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking 'Who is this IP address?' The device owning the IP address replies, 'I own that IP address; here is my MAC address.'
Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address.
The security appliance uses proxy ARP when you configure NAT and specify a global address that is on the same network as the security appliance interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses."
I tried configuring Static NAT on the ASA Firewall and replaced the existing Watchguard Firewall with the ASA, but I found that the Perimeter Router is not redirecting the Web requests to the ASA. I suspect that, due to the ARP cache on the router, it is trying to redirect the traffic to the previous Firewall's MAC address.
As I mentioned before, due to some reasons the Static Routes cannot be configured on the Perimeter Router.
How can I configure the ASA to broadcast its MAC address to the perimeter Router for the NATed IP addresses (global IPs) of the Web Servers?
I did simulate the environment in my lab with static route configured on the perimeter router, it works fine with the ASA. But I cannot use static route in my customer's environment.
Proxy ARP is the feature you need to use. But if you are doing a migration then more than likely just clearing the ARP cache on the perimeter router is all you need. You need to remember that the router is going to cache that entry, and unless something like proxy ARP tells it to update its ARP table or the cache timer runs out, the traffic will still use the previous address.
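To make the answers above concrete, here is an added configuration example (written for this page, not posted by anyone in the thread). It assumes an ASA outside interface of 203.0.113.2/24, a global address 203.0.113.20 in that same subnet and a web server at 192.168.10.20; the router-side commands show how to confirm that the ASA, and not the old firewall, now answers ARP for the global address.

```cisco
! --- ASA side (8.3+ object NAT syntax; addresses are assumed, not from the thread) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Static NAT: real 192.168.10.20 <-> global 203.0.113.20.
! Because 203.0.113.20 sits in the outside interface's own subnet, the ASA
! proxy-ARPs for it by default, so the router needs no static route.
object network WEB-SERVER
 host 192.168.10.20
 nat (inside,outside) static 203.0.113.20
!
! Permit inbound HTTP (8.3+ ACLs reference the real address via the object).
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
!
! Pre-8.3 / PIX equivalent of the translation above:
!   static (inside,outside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255
!
! Verify on the ASA. "sysopt noproxyarp outside" must NOT be present, or the
! ASA stays silent for ARP requests aimed at the global address.
!   show running-config sysopt
!   show nat
!
! --- Perimeter router side (IOS) ---
! After swapping firewalls, the router keeps the old firewall's MAC for the
! global address until the entry ages out. Inspect and flush it:
!   show ip arp 203.0.113.20
!   clear ip arp 203.0.113.20
! The next packet to 203.0.113.20 triggers a fresh ARP request, which the
! ASA now answers with its outside-interface MAC.
!
! Only if the global range were outside the ASA's outside subnet (e.g.
! 198.51.100.0/24) would the router need a static route, which is the one
! change the customer declined:
!   ip route 198.51.100.0 255.255.255.0 203.0.113.2
```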