asa/arp/nat question

Will an asa return an arp for something other than its outside interface. Say the outside interface is 10.1.1.1 and there is a server on the inside that is 172.16.1.1 but it is natted to 10.1.1.2. If i was on the 10.1.1.x network and sent a packet looking for 10.1.1.2 would the asa return the packet or would it block it

Find more posts tagged with

Comments

Ahriakin

By default it will Proxy-Arp for the NAT'd server (You can disable this with a Sysopt command), whether it allows the packet or not is just down to your outside-in ACL. Proxy-Arp really is a core component of NAT.

fightclub34

Ahriakin,

So something on the same vlan as the outside interface of the pix will be able to arp(find) an ip that is behind the firewall but being natted wth an ip address in the same subnet as itself and the outside interface.

Sorry for the weird wording it's hard to explain

tim100

fightclub34 wrote: »

So something on the same vlan as the outside interface of the pix will be able to arp(find) an ip that is behind the firewall but being natted wth an ip address in the same subnet as itself and the outside interface.

Sorry for the weird wording it's hard to explain

Yes, as Ahriakin stated regarding proxy arp. A host on subnet 10.1.1.x would send an Arp request for the hardware address of any host on the 10.1.1.x subnet. If the firewall is configured to use one of these addresses for NAT it will send an Arpy reply with it's hardware address, accept the packet and in turn translate the IP.