question01
Proxy ARPs on ASAs

How do proxy arps work on the ASA?

If I have the following setup.

external host ---------- (outside) | ASA| (inside)---------- internal host

external host: 192.168.1.2
asa outside interface: 192.168.1.1
asa inside interface: 10.0.1.1
internal host: 10.0.1.2

I nat the internal host to 10.0.2.2 using a static nat
static (inside,outside) 10.0.1.2 10.0.2.2 netmask 255.255.255.255

My question: how does the proxy ARP work?
If the external host is trying to access the internal host 10.0.1.2 through its NAT address 10.0.2.2, does the ASA do a proxy ARP for 10.0.1.2?

I have set up the lab as above and turned on sysopt noproxyarp outside, cleared the ARP tables, and can still access the inside host through its NAT address.

Can anyone explain how the proxy ARPs work?

benhanson

The internal host is 10.0.1.2/?  Are you using a class A inside? (10.0.0.0/8, 10.0.0.0 255.0.0.0)  At this point the scenario doesn't quite make sense.  I would expect the static to be from the 192.168.1.x subnet to the 10.x.x.x subnet:

static (inside,outside) 10.0.1.2 192.168.1.2 netmask 255.255.255.255

The proxyarp feature works as you are thinking. I'm assuming you expected the NAT to fail after you issued 'sysopt noproxyarp outside', and you are right: it shouldn't be working.  If proxyarp is enabled, the ASA responds to ARPs for any IP address that has a static/global/nat defined for it.  It responds with its own external MAC address so the ARPing client knows that it should send traffic in the ASA's direction.  If you do 'sysopt noproxyarp outside', the ASA will only respond to ARP requests for its actual interfaces, and thus communication from the outside to the inside host should fail.

Can you reconfirm it is working, then run 'show running-config sysopt' and post the results?
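The ARP-answering rule described in the post above, as an added, constructed model of the lab in the question (this is not ASA code and not part of the original thread): the outside interface always answers for its own address; with proxy ARP enabled it also answers for any mapped address that a static on that interface presents; with 'sysopt noproxyarp outside' it goes back to answering only for itself. The interface MAC, the host MAC and the frame builder are assumptions made for the example; the addresses and the static come from the question.

```python
import ipaddress
import struct

# Constructed model of the lab in the question; not ASA code.
# Made-up MAC address for the ASA's outside interface.
OUTSIDE_IF = {"name": "outside", "ip": "192.168.1.1", "mac": "00:00:0c:aa:bb:01"}

# static (inside,outside) 10.0.1.2 10.0.2.2 netmask 255.255.255.255
# Real (inside) address 10.0.1.2 is presented on the outside as 10.0.2.2.
STATIC_NATS = [
    {"real": "10.0.1.2", "mapped": "10.0.2.2",
     "netmask": "255.255.255.255", "out_if": "outside"},
]

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet-framed ARP request as the external host would broadcast it."""
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def mapped_networks(statics, if_name):
    """Mapped address ranges that static NAT presents on the given interface."""
    return [ipaddress.IPv4Network(f"{s['mapped']}/{s['netmask']}", strict=False)
            for s in statics if s["out_if"] == if_name]


def arp_reply_mac(frame, iface, statics, noproxyarp=False):
    """MAC the interface answers with for this ARP request, or None if it stays silent."""
    req = parse_arp(frame)
    if req is None or req["oper"] != ARP_REQUEST:
        return None
    target = ipaddress.IPv4Address(req["target_ip"])
    if target == ipaddress.IPv4Address(iface["ip"]):
        return iface["mac"]  # the interface's own address: always answered
    if noproxyarp:
        return None  # sysopt noproxyarp <if>: nothing else is answered
    if any(target in net for net in mapped_networks(statics, iface["name"])):
        return iface["mac"]  # proxy ARP for a mapped (NAT) address
    return None  # real inside address and unrelated addresses: silent


def lab_results(host_mac="00:11:22:33:44:55", host_ip="192.168.1.2"):
    """The cases the question asks about; values are the answering MAC or None."""
    def ask(target, noproxyarp=False):
        return arp_reply_mac(build_arp_request(host_mac, host_ip, target),
                             OUTSIDE_IF, STATIC_NATS, noproxyarp)
    return {
        "asa_own_address": ask("192.168.1.1"),
        "own_address_noproxyarp": ask("192.168.1.1", noproxyarp=True),
        "mapped_proxyarp_on": ask("10.0.2.2"),
        "mapped_noproxyarp": ask("10.0.2.2", noproxyarp=True),
        "real_inside_address": ask("10.0.1.2"),
    }


if __name__ == "__main__":
    for case, mac in lab_results().items():
        print(f"{case:24s} -> {'reply from ' + mac if mac else 'no reply'}")
```

The model only decides whether the ASA answers; it says nothing about whether the external host ever asks. A host only ARPs for an address it believes is on its own link, so with the mapped address 10.0.2.2 outside the 192.168.1.0/24 outside subnet the external host sends the packet to a gateway instead and the ASA's proxy ARP setting never comes into play, which is consistent with the lab still working after 'sysopt noproxyarp outside'. With a mapped address inside 192.168.1.0/24, as in the static suggested above, the host ARPs for the mapped address itself and the noproxyarp case in the model is the one that applies.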

Unless you have a really special circumstance (like a read-only archive), the share permissions are mostly just an administrative headache.  It provides a second point to ensure that something didn't get missed on the NTFS side, but it also eliminates flexibility on the NTFS side.

Here is an MS page with some guidelines:

http://technet.microsoft.com/en-us/library/cc754178.aspx

One thing to consider, when profile folders are created automatically, only the User and System have permissions and they both have full control.  I've been told that the user needs to have Full Control for everything to work, but I don't have a concrete example of a failure.  If it is a requirement, then you would need to grant the user full control at the share level as well.

Somehow that last post was sent to the wrong question, please ignore.

ASKER CERTIFIED SOLUTION
Texas_Billy

ASKER

OK thanks for the explanation people.

TX, thanks for that. That article and your explanation helped a lot. Looks like I was getting my wires a bit crossed.

A proxy ARP is simply a layer 3 device acting as a proxy for an ARP request for a machine that sits off another interface, as the ARP request broadcast would not normally make it through the layer 3 device.

Still one slight point of confusion. Why would you use a proxy arp rather than just routing the traffic through at layer 3?


Hang on, I think I got my answer for that previous comment.
From the article:

"Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do not have any routing intelligence."

Can you give an example of where this would be used?
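The quoted sentence in one constructed scenario, as an added example that is not part of the thread or of the cited article: a host that has no default gateway (or that is configured with a mask wider than the real subnet) ARPs directly for an off-link destination, and only a router that proxy-ARPs on that interface can answer. A host with a correct mask and a default gateway ARPs for the gateway instead and is served by plain routing. The topology, MAC address and hosts below are assumptions made for the example; the router answers proxy ARP in the classic way, for a target reachable through one of its other connected interfaces.

```python
import ipaddress

# Constructed topology (not the thread's lab): one router, two connected subnets.
ROUTER = {
    "mac": "00:00:0c:aa:bb:01",  # made-up MAC address
    "interfaces": {
        "outside": ipaddress.IPv4Interface("192.168.1.1/24"),
        "inside": ipaddress.IPv4Interface("192.168.2.1/24"),
    },
    "proxy_arp": {"outside": True, "inside": True},
}


def host_arp_target(host_ip, netmask, default_gateway, dest_ip):
    """Address a plain IP host ARPs for when sending to dest_ip, or None if it has no next hop.

    A host ARPs directly only for destinations it believes are on its own subnet;
    everything else goes to the default gateway, if one is configured.
    """
    local_net = ipaddress.IPv4Interface(f"{host_ip}/{netmask}").network
    if ipaddress.IPv4Address(dest_ip) in local_net:
        return dest_ip
    return default_gateway


def router_answers_arp(router, arrived_on, target_ip):
    """Whether the router answers an ARP for target_ip received on interface arrived_on.

    Its own address is always answered. Anything else is answered only with proxy ARP
    enabled on arrived_on and the target reachable via a different connected interface.
    """
    target = ipaddress.IPv4Address(target_ip)
    if target == router["interfaces"][arrived_on].ip:
        return True
    if not router["proxy_arp"].get(arrived_on, False):
        return False
    return any(name != arrived_on and target in iface.network
               for name, iface in router["interfaces"].items())


def deliver(host_ip, netmask, default_gateway, dest_ip, router=ROUTER, arrived_on="outside"):
    """Outcome of the host's first packet toward dest_ip, as one of four strings."""
    arp_for = host_arp_target(host_ip, netmask, default_gateway, dest_ip)
    if arp_for is None:
        return "no next hop on host (off-link, no default gateway)"
    if not router_answers_arp(router, arrived_on, arp_for):
        return "ARP unanswered"
    if arp_for == str(router["interfaces"][arrived_on].ip):
        return "delivered via default gateway (plain routing)"
    return "delivered via proxy ARP"


def scenarios(dest_ip="192.168.2.10"):
    """Constructed hosts on the outside subnet, all sending to the same inside host."""
    no_proxy = {**ROUTER, "proxy_arp": {"outside": False, "inside": True}}
    return {
        "correct mask, gateway set": deliver("192.168.1.3", "255.255.255.0", "192.168.1.1", dest_ip),
        "wide mask, no gateway": deliver("192.168.1.2", "255.255.0.0", None, dest_ip),
        "wide mask, gateway set": deliver("192.168.1.5", "255.255.0.0", "192.168.1.1", dest_ip),
        "correct mask, no gateway": deliver("192.168.1.4", "255.255.255.0", None, dest_ip),
        "wide mask, proxy ARP off": deliver("192.168.1.2", "255.255.0.0", None, dest_ip, router=no_proxy),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The third scenario is the one worth noticing: a host with a gateway configured but a too-wide mask still ARPs for the destination directly, so it depends on proxy ARP exactly like the host with no gateway. That is why turning proxy ARP off on an interface is safe only once every host on that segment has a correct mask and a working default gateway.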