[c-nsp] general nat issue (not cisco)

Rama Darbha rdarbha at gmail.com
Sun Jun 26 10:16:50 EDT 2011


Mick,

In general, proxy ARP can be disabled using the command "sysopt
noproxy <interface>". It's on by default.

After the NAT changes in the ASA code (versions 8.3 and 8.4), there
were some changes to the behaviour of proxy ARP when used with identity
NAT. These have been addressed in 8.4.2 with the command
"no-proxy-arp" which goes at the end of the NAT configuration.

Here is a guide that talks about it in more detail:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1165189

More specifically:
(8.4(2) and later) The default behavior for identity NAT has proxy ARP
enabled, matching other static NAT rules. You can disable proxy ARP if
desired. Note: You can also disable proxy ARP for regular static NAT
if desired, in which case you need to be sure to have proper routes on
the upstream router.

Regards,
Rama

On Sun, Jun 26, 2011 at 2:26 AM, Mick O'Rourke <mkorourke at gmail.com> wrote:
> Is proxy arp disabled on the ASA?
>
> On 26/06/2011, Pete Lumbis <alumbis at gmail.com> wrote:
>> On Sat, Jun 25, 2011 at 8:49 PM, Aaron Riemer <ariemer at amnet.net.au> wrote:
>>
>>> How do the Cisco ASAs take care of this problem?
>>>
>> The ASAs "own" the address so they will respond to any ARP requests for NAT
>> addresses.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
> --
> Sent from my mobile device
>
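
One way to check a saved configuration for static NAT rules that still have proxy ARP on, which the guide quoted above gives as the default in 8.4(2) and later. This is an added example, not code from the poster or from Cisco; it assumes the 8.3+ manual NAT line form `nat (real_if,mapped_if) ... source static REAL MAPPED [options]`, and the object names in the sample are constructed.

```python
import re

# Constructed sample of manual (twice) NAT lines; object names are made up.
SAMPLE_CONFIG = """\
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE
nat (inside,outside) source static LAN LAN destination static BRANCH BRANCH no-proxy-arp route-lookup
nat (dmz,outside) source static WEB-REAL WEB-PUBLIC
nat (inside,outside) after-auto source dynamic LAN interface
"""

# Assumption: the interface pair is always present; an optional "after-auto"
# and an optional line number may sit between it and "source".
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)"
    r"(?: after-auto)?(?: \d+)?"
    r" source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)


def audit_static_nat(config):
    """Return one record per static manual NAT rule found in the config text."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # dynamic NAT rules and non-NAT lines are skipped
        options = m.group("rest").split()
        findings.append({
            "line": lineno,
            "mapped_if": m.group("mapped_if"),
            # Identity NAT: the real and mapped objects are the same.
            "identity": m.group("real") == m.group("mapped"),
            # Proxy ARP stays on unless the rule carries no-proxy-arp.
            "proxy_arp": "no-proxy-arp" not in options,
        })
    return findings


def identity_rules_with_proxy_arp(config):
    """Identity NAT rules for which the ASA will still answer ARP."""
    return [f for f in audit_static_nat(config)
            if f["identity"] and f["proxy_arp"]]


if __name__ == "__main__":
    for f in audit_static_nat(SAMPLE_CONFIG):
        kind = "identity" if f["identity"] else "static"
        state = "proxy ARP on" if f["proxy_arp"] else "no-proxy-arp"
        print(f"line {f['line']}: {kind} NAT on {f['mapped_if']}: {state}")
```
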


