asa/arp/nat question

fightclub34fightclub34 Member Posts: 41 ■■□□□□□□□□
in CCNP Security
Will an asa return an arp for something other than its outside interface. Say the outside interface is 10.1.1.1 and there is a server on the inside that is 172.16.1.1 but it is natted to 10.1.1.2. If i was on the 10.1.1.x network and sent a packet looking for 10.1.1.2 would the asa return the packet or would it block it
· Share on FacebookShare on Twitter

Comments

  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    By default it will Proxy-Arp for the NAT'd server (You can disable this with a Sysopt command), whether it allows the packet or not is just down to your outside-in ACL. Proxy-Arp really is a core component of NAT.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
    · Share on FacebookShare on Twitter
  • fightclub34fightclub34 Member Posts: 41 ■■□□□□□□□□
    Ahriakin,

    So something on the same vlan as the outside interface of the pix will be able to arp(find) an ip that is behind the firewall but being natted wth an ip address in the same subnet as itself and the outside interface.

    Sorry for the weird wording it's hard to explain
    · Share on FacebookShare on Twitter
  • tim100tim100 Member Posts: 162
    fightclub34 wrote: »
    So something on the same vlan as the outside interface of the pix will be able to arp(find) an ip that is behind the firewall but being natted wth an ip address in the same subnet as itself and the outside interface.

    Sorry for the weird wording it's hard to explain

    Yes, as Ahriakin stated regarding proxy arp. A host on subnet 10.1.1.x would send an Arp request for the hardware address of any host on the 10.1.1.x subnet. If the firewall is configured to use one of these addresses for NAT it will send an Arpy reply with it's hardware address, accept the packet and in turn translate the IP.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.