
Cisco Adaptive Security Appliance (ASA) Software

ASA FAQ: Why does the ASA reply to ARP requests for other IP addresses in the subnet?


Document ID: 116154

Updated: Jun 06, 2013

Contributed by Jay Johnston, Srinivasa Munagala, and Tripat Datta, Cisco TAC Engineers.


Introduction

This document describes why the Cisco Adaptive Security Appliance (ASA) might answer Address Resolution Protocol (ARP) requests for IP addresses on a connected network other than its own interface address, and how to stop it from doing so.

Why does the ASA reply to ARP requests for other IP addresses in the subnet?

The Network Address Translation (NAT) configuration on the ASA can cause this. For the mapped addresses of static NAT statements the ASA performs proxy ARP by default, so it answers ARP requests for those addresses with its own interface MAC address, whether or not a real host owns the address.

Example Problem Scenario:

Consider an Ethernet segment with devices attached in the 10.0.1.x/24 network. The ASA's inside interface is addressed at 10.0.1.1. Whenever 10.0.1.48 sends an ARP request for 10.0.1.47, the ASA sends an ARP reply that contains its own interface hardware address. If the real host 10.0.1.47 is present it answers too, so the requester receives two replies and its ARP cache can end up pointing at the ASA instead of the host. Further investigation reveals that the ASA replies to requests for multiple IP addresses in the subnet.
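To confirm the symptom before changing anything on the ASA, capture ARP on the segment (for example with tcpdump -e -n arp on 10.0.1.48) and look for replies that carry the ASA's interface MAC for addresses other than its own. The Python script below is an added example, not part of the original article or of any Cisco tool: it parses constructed tcpdump-style ARP lines (the MAC addresses and the request for 10.0.2.10 are assumptions) and reports every address the ASA answered for, noting when another device answered as well.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from the original article), in the format
# printed by `tcpdump -e -n arp` on the host 10.0.1.48. The MAC addresses and
# the request for 10.0.2.10 are assumptions made for this example:
#   00:00:5e:00:01:01  assumed MAC of the ASA inside interface (10.0.1.1)
#   00:00:5e:00:01:47  assumed MAC of the real host 10.0.1.47
#   00:00:5e:00:01:48  assumed MAC of the requesting host 10.0.1.48
SAMPLE_CAPTURE = """\
10:00:00.000100 00:00:5e:00:01:48 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.47 tell 10.0.1.48, length 28
10:00:00.000250 00:00:5e:00:01:01 > 00:00:5e:00:01:48, ethertype ARP (0x0806), length 42: Reply 10.0.1.47 is-at 00:00:5e:00:01:01, length 28
10:00:00.000400 00:00:5e:00:01:47 > 00:00:5e:00:01:48, ethertype ARP (0x0806), length 42: Reply 10.0.1.47 is-at 00:00:5e:00:01:47, length 28
10:00:01.000100 00:00:5e:00:01:48 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.1.1 tell 10.0.1.48, length 28
10:00:01.000250 00:00:5e:00:01:01 > 00:00:5e:00:01:48, ethertype ARP (0x0806), length 42: Reply 10.0.1.1 is-at 00:00:5e:00:01:01, length 28
10:00:02.000100 00:00:5e:00:01:48 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.2.10 tell 10.0.1.48, length 28
10:00:02.000250 00:00:5e:00:01:01 > 00:00:5e:00:01:48, ethertype ARP (0x0806), length 42: Reply 10.0.2.10 is-at 00:00:5e:00:01:01, length 28
"""

ASA_INSIDE_MAC = "00:00:5e:00:01:01"   # assumed
ASA_INSIDE_IP = "10.0.1.1"             # from the article's scenario

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


def arp_replies(capture_text):
    """Yield (ip, mac) for every ARP reply line in a tcpdump -e -n arp capture."""
    for line in capture_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def find_proxy_arp(capture_text, asa_mac, asa_ip):
    """Return {ip: sorted MACs that answered for ip} for every address other
    than the ASA's own interface address that the ASA sent an ARP reply for.
    More than one MAC for an address means a real host answered as well, and
    the requester's ARP cache may end up pointing at the ASA."""
    answers = defaultdict(set)
    for ip, mac in arp_replies(capture_text):
        answers[ip].add(mac)
    asa_mac = asa_mac.lower()
    return {ip: sorted(macs) for ip, macs in answers.items()
            if asa_mac in macs and ip != asa_ip}


def contested_addresses(capture_text, asa_mac, asa_ip):
    """Addresses for which both the ASA and another device replied."""
    proxied = find_proxy_arp(capture_text, asa_mac, asa_ip)
    return sorted(ip for ip, macs in proxied.items() if len(macs) > 1)


if __name__ == "__main__":
    proxied = find_proxy_arp(SAMPLE_CAPTURE, ASA_INSIDE_MAC, ASA_INSIDE_IP)
    for ip, macs in sorted(proxied.items()):
        tag = "CONTESTED" if len(macs) > 1 else "asa only"
        print(f"{ip:<12} answered by {', '.join(macs)}  [{tag}]")
```

An address that only the ASA answered (10.0.2.10 here) has no competing host, so traffic to it is simply handed to the ASA; a contested address (10.0.1.47) is the case that breaks connectivity on the segment.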

In this specific case, the NAT configuration on the ASA causes the behavior.

If you add the keyword no-proxy-arp to the specific NAT commands involved, the ASA no longer responds to ARP requests for the mapped (global) addresses identified in those NAT statements. Apply it only to the statements that cause the problem: a static NAT whose mapped address must be reachable from a neighboring router relies on this proxy ARP, and adding no-proxy-arp there breaks that translation.

In this example, these NAT commands cause the ASA to respond to any ARP request in the 10.0.1.x/24 and 10.0.2.x/24 subnets on the inside interface network. These commands were probably added to the ASA's configuration to support an overlapping NAT scenario:

nat (inside,inside) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0
nat (inside,inside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.1.0 obj-10.0.1.0

With the no-proxy-arp keyword added to these NAT configuration lines, the ASA no longer responds to ARP requests for those subnets.

nat (inside,inside) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0 no-proxy-arp
nat (inside,inside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.1.0 obj-10.0.1.0 no-proxy-arp
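On a firewall with many manual NAT statements it helps to find every one that still lets the ASA proxy ARP for mapped addresses on a connected subnet. The Python script below is an added example, not part of the original article or of any Cisco tool. It reads a constructed running-config excerpt (the object names match the article; the subnets behind them, the interface addressing and the third NAT line are assumptions), extracts interface subnets, network objects and manual NAT lines, and reports each mapped object of a static twice NAT that lacks no-proxy-arp, on the interface where the ASA will answer ARP for it. Dynamic NAT and object NAT (the nat command inside an object network block) are outside this check.

```python
import re
import ipaddress

# Constructed ASA running-config excerpt for this example (not taken from the
# article). Object names match the article; the subnets, the interface
# addressing and the (inside,outside) NAT line are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
object network obj-10.0.1.0
 subnet 10.0.1.0 255.255.255.0
object network obj-10.0.2.0
 subnet 10.0.2.0 255.255.255.0
object network obj-10.0.3.0
 subnet 10.0.3.0 255.255.255.0
!
nat (inside,inside) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0
nat (inside,inside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.1.0 obj-10.0.1.0 no-proxy-arp
nat (inside,outside) source static obj-10.0.3.0 obj-10.0.3.0
"""

# Manual (twice) NAT, static form:
#   nat (real_ifc,mapped_ifc) source static real mapped
#       [destination static mapped real] [... no-proxy-arp ...]
NAT_RE = re.compile(
    r"^nat \((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\) source static "
    r"(?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+))?"
    r"(?P<rest>.*)$"
)


def parse_config(text):
    """Collect connected subnets by nameif, network objects, and nat lines."""
    ifaces, objects, nats = {}, {}, []
    cur_ifc = None   # nameif of the interface block being read ("" until seen)
    cur_obj = None   # name of the object network block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            cur_ifc, cur_obj = "", None
        elif line.startswith("object network "):
            cur_obj, cur_ifc = line.split()[2], None
        elif line.startswith("nat "):
            nats.append(line)
        elif line.startswith(" ") and cur_ifc is not None:
            f = line.split()
            if f[0] == "nameif":
                cur_ifc = f[1]
            elif f[:2] == ["ip", "address"] and cur_ifc:
                ifaces[cur_ifc] = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
        elif line.startswith(" ") and cur_obj is not None:
            f = line.split()
            if f[0] == "subnet":
                objects[cur_obj] = ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False)
            elif f[0] == "host":
                objects[cur_obj] = ipaddress.ip_network(f[1])
        else:
            cur_ifc = cur_obj = None   # "!" or any other top-level line
    return ifaces, objects, nats


def audit_proxy_arp(text):
    """One finding per mapped object of a static manual NAT without
    no-proxy-arp. overlaps_connected marks mapped addresses inside the
    answering interface's own subnet, where the ASA competes with real hosts."""
    ifaces, objects, nats = parse_config(text)
    findings = []
    for line in nats:
        m = NAT_RE.match(line)
        if not m or "no-proxy-arp" in m.group("rest").split():
            continue
        # The mapped source is ARP'd for on the mapped interface; a mapped
        # destination is ARP'd for by hosts on the real interface.
        sides = [(m.group("mapped_ifc"), m.group("mapped_src"))]
        if m.group("mapped_dst"):
            sides.append((m.group("real_ifc"), m.group("mapped_dst")))
        for ifc, obj in sides:
            net = objects.get(obj)
            if net is None:
                continue   # "interface" keyword or an object not in the excerpt
            conn = ifaces.get(ifc)
            findings.append({"line": line, "interface": ifc, "object": obj,
                             "network": str(net),
                             "overlaps_connected": conn is not None and net.overlaps(conn)})
    return findings


if __name__ == "__main__":
    for f in audit_proxy_arp(SAMPLE_CONFIG):
        flag = "OVERLAPS CONNECTED SUBNET" if f["overlaps_connected"] else "off-subnet"
        print(f'{f["interface"]:<8} {f["object"]:<14} {f["network"]:<16} {flag}\n    {f["line"]}')
```

In the sample the first statement is reported twice (10.0.1.0/24 on the connected inside subnet, and 10.0.2.0/24 as an off-subnet mapped destination), the second is skipped because it already carries no-proxy-arp, and the (inside,outside) identity NAT is reported as off-subnet on outside. Off-subnet proxy ARP is the normal behavior for a static NAT whose mapped address must be reachable from the next-hop router, so only the overlapping findings are necessarily a problem.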
