The ASA exposes its MAC address for proxy ARP, DNS alias, and static xlate. To prevent it, you need to configure it.
With regards,
Kings

On Sat, Nov 20, 2010 at 1:25 AM, Eugene Pefti <[email protected]> wrote:

> Any ideas on proxyarp on ASA, folks?
>
> I've been always curious how the ASA works when it is configured with "sysopt noproxyarp outside".
>
> I thought that this option would still be required if the ASA is connected to an ISP which assigned two public IP addresses to you.
>
> Since the ASA doesn't have a way to configure a secondary IP address, you do it with static NAT or identity NAT, and proxy ARP would kick in and reply with the MAC address of the outside interface for ARP requests sent to an IP other than the primary IP of the outside interface.
>
> I.e. the ASA outside interface is configured with XXX.XXX.XXX.100
>
> At the same time the ISP assigned the client the other IP, which is XXX.XXX.XXX.101
>
> The ASA is configured with static NAT:
>
> static (inside,outside) XXX.XXX.XXX.101 192.168.1.101 netmask 255.255.255.255
>
> Then when a connection is made to the IP XXX.XXX.XXX.101, the ASA replies with the MAC address for the ARP request with the help of proxy ARP and things run smoothly.
>
> But when I remove proxy ARP from the outside interface by running "sysopt noproxyarp outside", access to the secondary IP XXX.XXX.XXX.101 still works.
>
> Can anyone explain to me why this happens and how everything works in this case?
>
> Eugene
>
> _____________________________________________
> From: Eugene Pefti [mailto:[email protected]]
> Sent: Thursday, November 18, 2010 9:14 PM
> To: [email protected]
> Subject: ASA proxyarp question, Yusuf lab 1, question 8.3
>
> And secondly,
>
> Why in the same question, which doesn't have any specific requirement of where to disable the proxyarp feature, does Yusuf disable it on the outside interface only?
>
> Question 8.2: Preventing unauthorized connections (2 points)
>
> Configure the ASA1/abc1 context to prevent unauthorized connections, meeting all the following requirements:
>
> - Configure the ASA1/abc1 context to send TCP resets (the TCP RST flag in the TCP header) to the denied host for any inbound TCP sessions that are denied by the firewall.
>
> - In addition, configure the ASA1/abc1 context to disable the proxy ARP function and stop responding to any ARP request with its own MAC address, thus limiting exposure of its MAC address.
>
> And the answer is
>
> ASA1/abc1# show run sysopt
> sysopt noproxyarp outside
>
> Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
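The thread's underlying question is empirical: after `sysopt noproxyarp outside`, does the firewall's outside MAC still answer ARP for the NAT address (.101), or only for its own interface IP (.100)? The quickest way to settle it is to capture ARP on the outside segment and list every IP the firewall's MAC claimed in ARP replies. The script below is an added example, not code from the thread or from Cisco: it parses raw Ethernet/ARP frames (RFC 826 layout) and reports which addresses a given MAC answered for beyond its configured interface IPs. The frames, MACs and the 203.0.113.0/24 addresses are constructed sample data standing in for the XXX.XXX.XXX.100/.101 pair in the post; in practice you would feed it frames read from a pcap.

```python
"""Audit which IPv4 addresses a given MAC answers ARP for, from raw Ethernet frames.

All sample data here is constructed: an ASA outside interface at 203.0.113.100
with a static xlate for 203.0.113.101, queried by an ISP-side host at 203.0.113.1.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ARP_STRUCT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II + ARP frame; used only to construct the sample capture."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else _mac_bytes(tha)
    eth = struct.pack("!6s6sH", dst, _mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_STRUCT, 1, 0x0800, 6, 4, oper,
                      _mac_bytes(sha), _ip_bytes(spa), _mac_bytes(tha), _ip_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_STRUCT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP; nothing to audit
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def ips_answered_by(frames, mac: str) -> set:
    """Sender IPs that `mac` placed in ARP replies, i.e. the addresses it claims to own."""
    claimed = set()
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and arp["oper"] == ARP_REPLY and arp["sha"] == mac:
            claimed.add(arp["spa"])
    return claimed


def exposed_addresses(frames, mac: str, interface_ips) -> list:
    """Addresses `mac` answered for beyond its own interface IPs (proxy-ARP / xlate exposure)."""
    return sorted(ips_answered_by(frames, mac) - set(interface_ips))


ASA_MAC = "00:11:22:33:44:55"     # constructed firewall outside MAC
CLIENT_MAC = "66:77:88:99:aa:bb"  # constructed ISP-side host
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, CLIENT_MAC, "203.0.113.1", "00:00:00:00:00:00", "203.0.113.100"),
    build_arp_frame(ARP_REPLY, ASA_MAC, "203.0.113.100", CLIENT_MAC, "203.0.113.1"),
    build_arp_frame(ARP_REQUEST, CLIENT_MAC, "203.0.113.1", "00:00:00:00:00:00", "203.0.113.101"),
    build_arp_frame(ARP_REPLY, ASA_MAC, "203.0.113.101", CLIENT_MAC, "203.0.113.1"),
    b"\x00" * 60,  # non-ARP noise on the segment, skipped by the parser
]

if __name__ == "__main__":
    # With the constructed capture the firewall MAC also answers for the xlate address.
    print(exposed_addresses(SAMPLE_FRAMES, ASA_MAC, ["203.0.113.100"]))
```

Run it against a real capture twice, once before and once after applying `sysopt noproxyarp outside`, and compare the two lists: an address that disappears was served by proxy ARP, while one that remains is being answered for another reason and needs its own configuration change.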
