asa/arp/nat question
fightclub34
Member Posts: 41
Will an ASA return an ARP reply for something other than its outside interface? Say the outside interface is 10.1.1.1 and there is a server on the inside that is 172.16.1.1 but it is NATted to 10.1.1.2. If I was on the 10.1.1.x network and sent a packet looking for 10.1.1.2, would the ASA return the packet or would it block it?
Comments
Ahriakin Member Posts: 1,799
By default it will proxy-ARP for the NAT'd server (you can disable this with a sysopt command); whether it allows the packet or not is just down to your outside-in ACL. Proxy-ARP really is a core component of NAT.
We responded to the Year 2000 issue with "Y2K" solutions... isn't this the kind of thinking that got us into trouble in the first place?
fightclub34 Member Posts: 41
Ahriakin,
So something on the same VLAN as the outside interface of the PIX will be able to ARP (find) an IP that is behind the firewall but is being NATted with an IP address in the same subnet as itself and the outside interface.
Sorry for the weird wording, it's hard to explain.
tim100 Member Posts: 162
fightclub34 wrote: »
So something on the same VLAN as the outside interface of the PIX will be able to ARP (find) an IP that is behind the firewall but is being NATted with an IP address in the same subnet as itself and the outside interface.
Sorry for the weird wording, it's hard to explain.

Yes, as Ahriakin stated regarding proxy ARP. A host on subnet 10.1.1.x would send an ARP request for the hardware address of any host on the 10.1.1.x subnet. If the firewall is configured to use one of these addresses for NAT, it will send an ARP reply with its hardware address, accept the packet and in turn translate the IP.