Sunday, October 4, 2020

Cisco ASA Firewall 'no-proxy-arp' Command

I was troubleshooting a Context-based (Multiple Mode) Cisco ASA Firewall and noticed the upstream Internet edge router had duplicate ARP entries or MAC address coming from the ASA Context "outside" interfaces. This caused the traffic on some downstream devices to be intermittent or unstable. I initially thought it was a software bug since I recently upgraded the ASA version but most of the time, an issue or an outage might be caused by a recent configuration change.

I discovered one of the newly created ASA Context had an Identity NAT from "all source" to "all destination" was misconfigured by one of the admin (scary command!). I suspected it was configured as such since both the "inside" and "outside" interfaces were configured with a public IP address and thought of the old 8.2 NAT (NAT exemption). So I put the NAT keyword no-proxy-arp at the end, cleared the ARP table and issue was resolved.

The behavior in a Cisco ASA NAT is that it can respond to ARP requests for IP addresses other than the ASA's interface IP address. If you add the keyword no-proxy-arp to specific NAT commands (best practice), the ASA will not respond to ARP requests for the global IP subnet identified in those NAT statements.


INTERNET_ROUTER#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 80.25.22.150 118 a20f.0c00.0004 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.151 118 a20f.0c00.0005 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.152 225 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.153 162 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.154 118 a20f.0c00.0020 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.155 118 a20f.0c00.0021 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.156 248 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0
Internet 80.25.22.157 231 a20f.0c00.00f8 ARPA TenGigabitEthernet0/0/0 


ciscoasa/pri/act/CUSTA# show arp
 outside 80.25.22.130 a03d.6f2e.7000 6
 outside 80.25.22.129 0000.0c9f.f004 6
 outside 80.25.22.235 001b.1700.0110 32
 outside 80.25.22.151 a20f.0c00.0005 158
 outside 80.25.22.147 a20f.0c00.0017 158
 outside 80.25.22.135 a20f.0c00.000b 158
 outside 80.25.22.149 a20f.0c00.001b 158
 outside 80.25.22.159 a20f.0c00.0025 158
 outside 80.25.22.155 a20f.0c00.0021 158
 outside 80.25.22.139 a20f.0c00.0029 158
 outside 80.25.22.169 a20f.0c00.002d 158
 inside 80.25.21.67 5087.89b8.db00 13196
 inside 80.25.21.66 a20f.0c00.00fb 13706


ciscoasa/pri/act/CUSTA# show run nat
nat (inside,outside) source static all all destination static all all
ciscoasa/pri/act/CUSTA#
ciscoasa/pri/act/CUSTA# configure terminal
ciscoasa/pri/act/CUSTA(config)# nat (inside,outside) source static all all destination static all all ?                    
configure mode commands/options:
  description     Specify NAT rule description
  inactive        Disable a NAT rule
  net-to-net      Net to net mapping of IPv4 to IPv6
  no-proxy-arp    Disable proxy ARP on egress interface
  route-lookup    Perform route lookup for this rule
  service         NAT service parameters
  unidirectional  Enable per-session NAT
  <cr>


ciscoasa/pri/act/CUSTA(config)# nat (inside,outside) source static all all destination static all all no-proxy-arp
ciscoasa/pri/act/CUSTA(config)# show run nat
nat (inside,outside) source static all all destination static all all no-proxy-arp

ciscoasa/pri/act/CUSTA(config)#
ciscoasa/pri/act/CUSTA(config)# clear arp
ciscoasa/pri/act/CUSTA(config)#
ciscoasa/pri/act/CUSTA(config)# show arp
ciscoasa/pri/act/CUSTA(config)# <BLANK>

 

No comments:

Post a Comment