question01
Proxy ARPs on ASAs
How do proxy arps work on the ASA?
If I have the following setup.
external host ---------- (outside) | ASA| (inside)---------- internal host
external host: 192.168.1.2
asa outside interface: 192.168.1.1
asa inside interface: 10.0.1.1
internal host: 10.0.1.2
I nat the internal host to 10.0.2.2 using a static nat
static (inside,outside) 10.0.1.2 10.0.2.2 netmask 255.255.255.255
My question is: how does the proxy ARP work?
If the external host is trying to access the internal host 10.0.1.2 through its NAT address 10.0.2.2, does the ASA do a proxy ARP for 10.0.1.2?
I have set up the lab as above and turned on sysopt noproxyarp outside, cleared the ARP tables and can still access the inside host through its NAT address.
Can anyone explain how the proxy ARPs work?
Unless you have a really special circumstance (like a read-only archive), the share permissions are mostly just an administrative headache. They provide a second point to ensure that something didn't get missed on the NTFS side, but they also eliminate flexibility on the NTFS side.
Here is an MS page with some guidelines:
http://technet.microsoft.com/en-us/library/cc754178.aspx
One thing to consider, when profile folders are created automatically, only the User and System have permissions and they both have full control. I've been told that the user needs to have Full Control for everything to work, but I don't have a concrete example of a failure. If it is a requirement, then you would need to grant the user full control at the share level as well.
Somehow that last post was sent to the wrong question, please ignore.
ASKER
OK thanks for the explanation people.
TX, thanks for that. That article and your explanation helped a lot. Looks like I was getting my wires a bit crossed.
A proxy ARP is simply a layer 3 device acting as a proxy for an ARP request for a machine that sits off another interface, as the ARP request broadcast would not normally make it through the layer 3 device.
Still one slight point of confusion. Why would you use a proxy ARP rather than just routing the traffic through at layer 3?
ASKER
Hang on, I think I got my answer for that previous comment.
from the article
"Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do not have any routing intelligence."
Can you give an example of where this would be used?
ASKER
question continued at https://www.experts-exchange.com/questions/24856768/ASA-Proxy-ARPS.html
static (inside,outside) 10.0.1.2 192.168.1.2 netmask 255.255.255.255
The proxy ARP feature works as you are thinking. I'm assuming you expected the NAT to fail after you issued 'sysopt noproxyarp outside', and you are right: it shouldn't be working. If proxy ARP is enabled, the ASA responds to ARPs for any IP address that has a static/global/nat defined for it. It responds with its own external MAC address so the ARPing client knows that it should send traffic in the ASA's direction. If you do 'sysopt noproxyarp outside', the ASA will only respond to ARP requests for its actual interfaces, and thus communication from the outside to the inside host should fail.
Can you reconfirm it is working, then run 'show running-config sysopt' and post the results?
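The ARP decision described in the answer above, together with the host-side rule the asker quoted from the article ("Proxy ARP must be used on the network where IP hosts are not configured with a default gateway"), as an added Python model that is not code from the thread or from Cisco. It parses a constructed pre-8.3 running-config snippet (the thread's static plus a hypothetical second static mapping 10.0.1.3 to 192.168.1.50, so that an on-subnet mapped address can be compared with the off-subnet 10.0.2.2), decides which ARP requests the ASA would answer on 'outside' with and without 'sysopt noproxyarp outside', and decides which address an external host that has a default gateway actually ARPs for. The class and function names, the 192.168.1.50 mapping and the config text are assumptions of the example; it models only the first hop (whether the external host's ARP is answered), not the ASA's access policy or the routing of the return traffic.

```python
"""Which ARP requests a Cisco ASA answers, and which ARP requests an outside
host actually sends, for the static-NAT lab discussed in the thread.

Added example, not from the thread or from Cisco. The config snippet is
constructed; the 10.0.1.3 -> 192.168.1.50 static is a hypothetical addition
so an on-subnet mapped address can be compared with the off-subnet 10.0.2.2.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed pre-8.3 ASA running-config fragment matching the thread's lab.
ASA_CONFIG_PROXYARP = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.0.1.1 255.255.255.0
static (inside,outside) 10.0.1.2 10.0.2.2 netmask 255.255.255.255
static (inside,outside) 10.0.1.3 192.168.1.50 netmask 255.255.255.255
"""
# Same lab with proxy ARP turned off on the outside interface.
ASA_CONFIG_NOPROXYARP = ASA_CONFIG_PROXYARP + "sysopt noproxyarp outside\n"


@dataclass
class AsaArpModel:
    interfaces: dict = field(default_factory=dict)  # nameif -> IPv4Interface
    statics: dict = field(default_factory=dict)     # mapped nameif -> [IPv4Network]
    noproxyarp: set = field(default_factory=set)    # nameifs with sysopt noproxyarp

    def answers_arp(self, ifname: str, target_ip: str) -> bool:
        """Would the ASA reply (with its own MAC) to 'who-has target_ip' heard on ifname?"""
        target = ipaddress.ip_address(target_ip)
        if target == self.interfaces[ifname].ip:
            return True   # the interface's own address is always answered
        if ifname in self.noproxyarp:
            return False  # proxy ARP disabled: nothing else is answered
        # proxy ARP enabled: any mapped address of a static on this interface
        return any(target in net for net in self.statics.get(ifname, []))


def parse_asa_config(text: str) -> AsaArpModel:
    """Pull interface addresses, 'static (real,mapped)' lines and 'sysopt noproxyarp'
    out of a running-config; everything else is ignored."""
    model = AsaArpModel()
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            if current is None:
                raise ValueError("ip address outside an interface block: " + line)
            model.interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            _real_if, mapped_if, _real, mapped, mask = m.groups()
            model.statics.setdefault(mapped_if, []).append(
                ipaddress.ip_network(f"{mapped}/{mask}", strict=False))
        elif m := re.match(r"sysopt noproxyarp (\S+)", line):
            model.noproxyarp.add(m.group(1))
    return model


def arp_target(host_cidr: str, gateway: str, dest: str) -> str:
    """Address a host with a default gateway ARPs for: dest if on-link, else the gateway.
    A host with no gateway (the case the article describes) would have to ARP for dest."""
    host = ipaddress.ip_interface(host_cidr)
    dest_ip = ipaddress.ip_address(dest)
    return str(dest_ip if dest_ip in host.network else ipaddress.ip_address(gateway))


def host_can_reach(host_cidr: str, gateway: str, dest: str, asa: AsaArpModel, ifname: str) -> bool:
    """First hop succeeds iff the host's ARP is answered; only the ASA is on the wire here."""
    return asa.answers_arp(ifname, arp_target(host_cidr, gateway, dest))


if __name__ == "__main__":
    host, gw = "192.168.1.2/24", "192.168.1.1"
    for label, cfg in (("proxyarp on", ASA_CONFIG_PROXYARP), ("noproxyarp outside", ASA_CONFIG_NOPROXYARP)):
        asa = parse_asa_config(cfg)
        for dest in ("10.0.2.2", "192.168.1.50"):
            print(f"{label:19} dest {dest:13} host ARPs for {arp_target(host, gw, dest):13}"
                  f" -> first hop ok: {host_can_reach(host, gw, dest, asa, 'outside')}")
```

The external host in the lab sits on 192.168.1.0/24 with the ASA as its gateway, so for 10.0.2.2 it ARPs for 192.168.1.1, which the ASA answers whether or not proxy ARP is on; only a mapped address inside the outside subnet (the hypothetical 192.168.1.50) makes the host ARP for the mapped address itself, which is where 'sysopt noproxyarp outside' changes the outcome. When repeating the test, 'show arp' on the external host tells which of the two addresses it actually resolved.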