Any ideas on proxy ARP on the ASA, folks?

I've always been curious how the ASA works when it is configured with "sysopt noproxyarp outside". I thought that this option would still be required if the ASA is connected to an ISP which assigned two public IP addresses to you. Since the ASA doesn't have a way to configure a secondary IP address, you do it with static NAT or identity NAT, and proxy ARP would kick in and reply with the MAC address of the outside interface to ARP requests sent to an IP other than the primary IP of the outside interface.

I.e. the ASA outside interface is configured with XXX.XXX.XXX.100. At the same time the ISP assigned the client the other IP, which is XXX.XXX.XXX.101. The ASA is configured with static NAT:

    static (inside,outside) XXX.XXX.XXX.101 192.168.1.101 netmask 255.255.255.255

Then when a connection is made to the IP XXX.XXX.XXX.101, the ASA replies to the ARP request with its MAC address with the help of proxy ARP and things run smoothly. But when I remove proxy ARP from the outside interface by running "sysopt noproxyarp outside", access to the secondary IP XXX.XXX.XXX.101 still works. Can anyone explain to me why this happens and how everything works in this case?

Eugene

_____________________________________________
From: Eugene Pefti [mailto:[email protected]]
Sent: Thursday, November 18, 2010 9:14 PM
To: [email protected]
Subject: ASA proxyarp question, Yusuf lab 1, question 8.3

And secondly, why in the same question, which doesn't have any specific requirement about where to disable the proxy ARP feature, does Yusuf disable it on the outside interface only?

Question 8.2: Preventing unauthorized connections (2 points)

Configure the ASA1/abc1 context to prevent unauthorized connections, meeting all the following requirements:
- Configure the ASA1/abc1 context to send TCP resets (the TCP RST flag in the TCP header) to the denied host for any inbound TCP sessions that are denied by the firewall.
- In addition, configure the ASA1/abc1 context to disable the proxy ARP function and stop responding to any ARP request with its own MAC address, thus limiting exposure of its MAC address.

And the answer is:

ASA1/abc1# show run sysopt
sysopt noproxyarp outside

Eugene
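The following is an added illustration, not part of the original mail or of any Cisco code: a small Python model of the ARP-reply decision the post describes, so the effect of "sysopt noproxyarp outside" on the static-NAT secondary address can be seen frame by frame. It parses and builds real Ethernet/ARP frames, but the ASA behaviour is modelled only as far as the post states it: the interface's own address is always answered, a mapped (global) address that exists only through a static or identity NAT is answered solely by proxy ARP, and anything else is ignored. Addresses (203.0.113.0/24, the MACs, 192.168.1.101) stand in for the XXX.XXX.XXX values and are constructed; the interface name, NAT table and helper names (AsaModel, arp_reply_for, who_answers) are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


@dataclass
class Interface:
    name: str
    ip: IPv4Address
    mac: bytes
    proxyarp: bool = True     # False once "sysopt noproxyarp <name>" is applied (modelled)


@dataclass
class StaticNat:
    mapped_if: str            # interface whose subnet holds the mapped (global) address
    global_ip: IPv4Address    # mapped address, e.g. the ISP-assigned secondary IP
    local_ip: IPv4Address     # real address behind the ASA


@dataclass
class AsaModel:
    interfaces: dict          # name -> Interface
    statics: list             # StaticNat entries (static or identity NAT)


def build_arp(oper, sha, spa, tha, tpa, eth_dst):
    """Ethernet + ARP frame (42 bytes) for IPv4 over Ethernet."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa.packed + tha + tpa.packed
    return eth_dst + sha + ETHERTYPE_ARP + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": frame[22:28], "spa": IPv4Address(frame[28:32]),
            "tha": frame[32:38], "tpa": IPv4Address(frame[38:42])}


def arp_reply_for(asa, ifname, frame):
    """Reply frame the modelled ASA sends on ifname for this request, or None if it stays silent."""
    req = parse_arp(frame)
    if req is None or req["oper"] != ARP_REQUEST:
        return None
    intf = asa.interfaces[ifname]
    target = req["tpa"]
    if target == intf.ip:
        answer = True                      # its own interface address: always answered
    elif any(s.mapped_if == ifname and s.global_ip == target for s in asa.statics):
        answer = intf.proxyarp             # NAT-owned global address: proxy ARP only
    else:
        answer = False                     # not ours: never answered
    if not answer:
        return None
    # Proxy ARP answers with the interface MAC but the *requested* IP as sender address.
    return build_arp(ARP_REPLY, intf.mac, target, req["sha"], req["spa"], eth_dst=req["sha"])


# Constructed lab values standing in for the XXX.XXX.XXX addresses in the post.
ASA_OUTSIDE_MAC = bytes.fromhex("020000000002")
ISP_ROUTER_MAC = bytes.fromhex("020000000001")
ISP_ROUTER_IP = IPv4Address("203.0.113.1")
PRIMARY_IP = IPv4Address("203.0.113.100")      # outside interface address
SECONDARY_IP = IPv4Address("203.0.113.101")    # static (inside,outside) .101 192.168.1.101


def make_lab_asa(noproxyarp_outside=False):
    outside = Interface("outside", PRIMARY_IP, ASA_OUTSIDE_MAC, proxyarp=not noproxyarp_outside)
    statics = [StaticNat("outside", SECONDARY_IP, IPv4Address("192.168.1.101"))]
    return AsaModel({"outside": outside}, statics)


def isp_request(target_ip):
    """Broadcast ARP request the ISP router would send for target_ip (constructed sample)."""
    return build_arp(ARP_REQUEST, ISP_ROUTER_MAC, ISP_ROUTER_IP, b"\x00" * 6, target_ip,
                     eth_dst=b"\xff" * 6)


def who_answers(noproxyarp_outside):
    """MAC the ISP learns for each address (None = no reply) with proxy ARP on or off."""
    asa = make_lab_asa(noproxyarp_outside)
    cases = (("primary", PRIMARY_IP), ("secondary", SECONDARY_IP),
             ("unrelated", IPv4Address("203.0.113.102")))
    out = {}
    for label, ip in cases:
        reply = arp_reply_for(asa, "outside", isp_request(ip))
        out[label] = None if reply is None else parse_arp(reply)["sha"].hex(":")
    return out


if __name__ == "__main__":
    print("proxyarp on :", who_answers(False))
    print("noproxyarp  :", who_answers(True))
```

With proxy ARP on, the model answers for both .100 and .101 with the outside MAC; with "sysopt noproxyarp outside" it answers only for .100, which is the behaviour the lab answer is after. The model says nothing about why traffic to .101 might still flow afterwards, since the post does not establish that; it only shows which ARP requests the ASA itself would answer in each configuration.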
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
