This document describes why a Cisco Adaptive Security Appliance (ASA) might answer Address Resolution Protocol (ARP) requests for IP addresses that are not its own interface addresses, and how to stop it.
The Network Address Translation (NAT) configuration on the ASA is the usual cause. By default the ASA performs proxy ARP for the mapped (global) addresses in its static NAT rules: it answers ARP requests for those addresses with its own interface MAC address, even when the address belongs to another host on the same segment. Traffic for that host is then attracted to the ASA instead.
Example Problem Scenario:
Consider an Ethernet segment with devices attached in the 10.0.1.0/24 network. The ASA inside interface is addressed 10.0.1.1. Whenever host 10.0.1.48 sends an ARP request for 10.0.1.47, the ASA answers with an ARP reply that carries its own interface MAC address, so frames destined for 10.0.1.47 are delivered to the ASA rather than to the real host (or both reply, and reachability becomes intermittent). Further investigation, such as a packet capture of ARP traffic on the segment, shows that the ASA replies to requests for many IP addresses in the subnet.
In this specific case, the NAT configuration on the ASA causes the behavior.
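The "further investigation" step above is easiest with a capture. The script below is an added example, not part of the Cisco document: it parses tcpdump-style ARP lines and reports (a) any MAC address that answers for several IPs, which is the proxy-ARP signature, and (b) any IP answered by more than one MAC, which is what you see when the real host and the ASA both reply. The capture lines, the ASA MAC 00:1a:2b:3c:4d:5e and the host MACs are constructed for the example.

```python
"""Find proxy-ARP symptoms in a tcpdump-style ARP capture.

Added example, not from the Cisco document. Input is the default
`tcpdump -n arp` line format, e.g.
  10:15:01.000300 ARP, Reply 10.0.1.47 is-at 00:1a:2b:3c:4d:5e, length 28
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture (not a real trace). Assumption: the ASA inside
# interface 10.0.1.1 has MAC 00:1a:2b:3c:4d:5e; 10.0.1.50 is a normal host;
# 10.0.1.47 is a real host (00:50:56:dd:ee:ff) that the ASA also answers for.
SAMPLE_CAPTURE = """\
10:15:01.000100 ARP, Request who-has 10.0.1.47 tell 10.0.1.48, length 28
10:15:01.000300 ARP, Reply 10.0.1.47 is-at 00:1a:2b:3c:4d:5e, length 28
10:15:01.000450 ARP, Reply 10.0.1.47 is-at 00:50:56:dd:ee:ff, length 28
10:15:02.000100 ARP, Request who-has 10.0.1.50 tell 10.0.1.48, length 28
10:15:02.000250 ARP, Reply 10.0.1.50 is-at 00:50:56:aa:bb:cc, length 28
10:15:03.000100 ARP, Request who-has 10.0.1.1 tell 10.0.1.48, length 28
10:15:03.000220 ARP, Reply 10.0.1.1 is-at 00:1a:2b:3c:4d:5e, length 28
10:15:04.000100 ARP, Request who-has 10.0.2.9 tell 10.0.1.48, length 28
10:15:04.000300 ARP, Reply 10.0.2.9 is-at 00:1a:2b:3c:4d:5e, length 28
"""

REPLY_RE = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_replies(text):
    """Return a list of (ip, mac) tuples from ARP Reply lines.

    Requests and unrelated lines are ignored; MACs are normalised to lowercase.
    """
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((m.group(1), m.group(2).lower()))
    return replies


def _sorted_ips(ips):
    # Sort numerically, not lexically, so 10.0.1.9 precedes 10.0.1.47.
    return sorted(ips, key=ipaddress.ip_address)


def find_proxy_arp_suspects(text, threshold=2):
    """Map each MAC that answered for at least `threshold` distinct IPs to
    the sorted list of those IPs. A firewall doing proxy ARP for a whole
    NAT subnet shows up here with its interface MAC."""
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_replies(text):
        ips_by_mac[mac].add(ip)
    return {
        mac: _sorted_ips(ips)
        for mac, ips in ips_by_mac.items()
        if len(ips) >= threshold
    }


def find_arp_conflicts(text):
    """Map each IP that was answered by more than one MAC to the sorted list
    of those MACs: the real host and the proxy-ARPing device competing."""
    macs_by_ip = defaultdict(set)
    for ip, mac in parse_replies(text):
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    for mac, ips in find_proxy_arp_suspects(SAMPLE_CAPTURE).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    for ip, macs in find_arp_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip} is claimed by several MACs: {', '.join(macs)}")
```

Run it against `tcpdump -n -i <segment interface> arp` output saved to a file; a MAC that answers for 10.0.1.1 together with a spread of other addresses in 10.0.1.0/24 and 10.0.2.0/24 is the ASA interface, and the addresses it claims should line up with the mapped subnets in `show running-config nat`.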
If you add the keyword no-proxy-arp to the affected NAT commands, the ASA no longer answers ARP requests for the mapped (global) addresses in those rules. This is the right fix when the ASA does not need to attract that traffic itself: in an identity NAT such as the one below, the real hosts own the mapped addresses and answer ARP for themselves. For a regular static NAT whose mapped addresses live on the adjacent subnet, disabling proxy ARP means the next-hop router must instead have a route for the mapped addresses that points at the ASA, or traffic to them is lost. As a coarser alternative, sysopt noproxyarp <interface_name> disables proxy ARP for an entire interface.
In this example, the two twice-NAT commands below cause the ASA to answer any ARP request for the 10.0.1.0/24 and 10.0.2.0/24 subnets on the inside interface, because those are the mapped subnets of each rule (obj-10.0.1.0 and obj-10.0.2.0 are network objects for those /24s). Commands like these are typically added to support an overlapping-address NAT scenario:
nat (inside,inside) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0
nat (inside,inside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.1.0 obj-10.0.1.0
With the no-proxy-arp keyword added to these NAT commands, the ASA no longer responds to ARP requests for those subnets:
nat (inside,inside) source static obj-10.0.1.0 obj-10.0.1.0 destination static obj-10.0.2.0 obj-10.0.2.0 no-proxy-arp
nat (inside,inside) source static obj-10.0.2.0 obj-10.0.2.0 destination static obj-10.0.1.0 obj-10.0.1.0 no-proxy-arp
Revision | Publish Date | Comments
---|---|---
1.0 | 06-Jun-2013 | Initial Release