kaa4re
asked on
Two Cisco asa's in one WAN subnet.
Hi!
I'm having a bit of a challenge with my two ASAs.
My setup is as follows:
(example IPs, obviously)
WAN SWITCH Gi0/1 1.1.1.1/24 > Cisco ASA1 5512-X Gig0/0 1.1.1.2/24
WAN SWITCH Gi0/2 1.1.1.1/24 > Cisco ASA2 5510 Gig0/0 1.1.1.251/24
On ASA1 I've got several 1-to-1 NAT rules, so I use 1.1.1.2 to 1.1.1.35.
On ASA2 I've got only a couple of 1-to-1 rules; I use IPs 1.1.1.248 to 1.1.1.251.
All this has been working fine for a long time, but yesterday I ran into a problem.
Installed a new server behind ASA1, interface dmz-admin 2.2.2.1/24, server 2.2.2.10/24, and did the following:
object network
 host 2.2.2.10
 nat (dmz-admin,outside) static 1.1.1.36
This should be enough, and the same setup works for several servers on my dmz-admin (nameif) interface.
Of course, the firewall rules are in place, same as for the other servers.
What I then discovered was that when I do a show arp on ASA1, I see the 1.1.1.36 address with the MAC address of the outside interface on ASA2.
I've never used addresses below 1.1.1.200 on my ASA2, and today I only use three.
Does anybody have any idea how this works? I can't see any reason why ASA2 would tell anyone it has 1.1.1.36, and it doesn't show up in any other MAC address table or ARP table on that subnet.
I've never actually done a traffic dump on the WAN interface, because of the intense traffic, but I expect it works as follows:
1: Request for 1.1.1.36 enters my ISP's switch.
2: ISP switch sends ARP.
3: ASA with 1.1.1.36 replies.
Or is it something I've missed?
Thanks
ASKER CERTIFIED SOLUTION
Because Cisco kit without proxy ARP disabled likes to think it knows everything.
ASKER
Called ISP, cleared mac-table on switch, all is well.
Now working to figure out why the ASA did this.
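The thread's symptom is an address that ASA1 is supposed to answer for (a static NAT mapping on its outside interface) showing up in ASA1's own ARP cache bound to ASA2's MAC. The following script is an added example, not code from the original post: it parses ASA `show arp` output and the `nat (real,mapped) static` lines of a running config, then flags any ARP entry where an address this firewall owns resolves to a foreign MAC. The config snippet, ARP lines, object names (`srv-admin`, `srv-web`) and MAC addresses are all constructed for the example; the inventory mapping MACs to devices is an assumption you would fill from your own records.

```python
"""Added example: detect foreign ARP claims on addresses an ASA owns.

All sample text below is constructed; it mirrors the 'show arp' and
'object network' formats of ASA 8.3+ but is not taken from the thread.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# 'show arp' line: <interface> <ip> <mac> <age>
ARP_LINE = re.compile(
    r"^\s*(?P<intf>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+|-)\s*$",
    re.IGNORECASE,
)

# static NAT rule inside an 'object network' block: nat (real,mapped) static <addr>
STATIC_NAT = re.compile(
    r"^\s*nat\s+\(\s*(?P<real>[\w-]+)\s*,\s*(?P<mapped>[\w-]+)\s*\)\s+static\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\b",
    re.IGNORECASE,
)

# Constructed sample of the relevant part of ASA1's running config
SAMPLE_CONFIG = """\
object network srv-admin
 host 2.2.2.10
 nat (dmz-admin,outside) static 1.1.1.36
object network srv-web
 host 2.2.2.20
 nat (dmz-admin,outside) static 1.1.1.35
"""

# Constructed sample of 'show arp' on ASA1: 1.1.1.36 resolves to ASA2's MAC
SAMPLE_SHOW_ARP = """\
outside 1.1.1.1 0011.2233.4455 120
outside 1.1.1.36 0022.3344.5566 45
outside 1.1.1.251 0022.3344.5566 3600
dmz-admin 2.2.2.10 0033.4455.6677 88
"""

# Assumed inventory: which device each known MAC belongs to
KNOWN_MACS = {
    "0011.2233.4455": "ISP WAN switch",
    "0022.3344.5566": "ASA2 Gig0/0 (outside)",
}


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: IPv4Address
    mac: str
    age: str


def parse_show_arp(text):
    """Return the ARP entries found in 'show arp' output, skipping noise lines."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(m["intf"], IPv4Address(m["ip"]),
                                    m["mac"].lower(), m["age"]))
    return entries


def static_nat_addresses(config_text, mapped_interface):
    """Addresses this ASA answers for on mapped_interface via static NAT.

    The interface's own 'ip address' could be added to the same set;
    this example keeps to the NAT mappings the thread is about.
    """
    owned = set()
    for line in config_text.splitlines():
        m = STATIC_NAT.match(line)
        if m and m["mapped"].lower() == mapped_interface.lower():
            owned.add(IPv4Address(m["addr"]))
    return owned


def find_foreign_claims(entries, owned, interface, known_macs):
    """Owned addresses should never appear in our own ARP cache for that
    interface; each one that does is another device answering for it."""
    findings = []
    for e in entries:
        if e.interface == interface and e.ip in owned:
            findings.append((str(e.ip), e.mac,
                             known_macs.get(e.mac, "unknown device")))
    return findings


def audit():
    entries = parse_show_arp(SAMPLE_SHOW_ARP)
    owned = static_nat_addresses(SAMPLE_CONFIG, "outside")
    return find_foreign_claims(entries, owned, "outside", KNOWN_MACS)


if __name__ == "__main__":
    for ip, mac, who in audit():
        print(f"owned address {ip} answered by {mac} ({who})")
```

Running it prints one finding for 1.1.1.36 attributed to ASA2's outside MAC, which is exactly the condition the asker spotted by eye. On real output the same check belongs in a periodic job that diffs `show arp` against the NAT mappings, so a stale or proxy-ARP-induced entry is caught before a new mapping goes live. On the ASA side, the interface-level `sysopt noproxyarp <nameif>` command and the per-rule `no-proxy-arp` keyword on `nat ... static` are the standard ways to stop a firewall from answering ARP for addresses that belong to a neighbour, and `clear arp` forces a fresh resolution after the switch's MAC table has been cleared.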