Mar 27, 2013

arp permit-nonconnected


You have a NAT block on your firewall that is not a directly connected subnet. It used to work, but after upgrading to 8.4 it no longer does. What happened?

From CSCty95468 Bug Details:

Symptom:

As a security device, Adaptive Security Appliance (ASA) will not populate its Address Resolution Protocol (ARP) table with entries from non-directly-connected subnets. Furthermore, the ASA will not issue ARP requests for hosts on such subnets. This secure behavior may cause issues with suboptimal network configurations where a device is expected to process ARP packets to and from non-directly-connected subnets (as configured locally).

This enhancement request is filed to request a configuration command that would disable this security check and allow the ASA to process ARP packets to and from non-directly-connected subnets. This command should be used with caution as it reduces the level of protection that the ASA provides.

Workaround:

Configure adjacent routing devices to forward traffic without reliance on Proxy ARP.


After upgrading to 8.4, the ASA no longer answers ARP requests for addresses in a NAT block that is not on one of its directly connected subnets. When the ISP gateway ARPs for a host in that block it gets no reply, so the traffic never reaches the firewall. You therefore need a static route on the ISP gateway that points any non-connected NAT block at the ASA outside interface address; the gateway then ARPs only for the interface address, which the ASA does answer. If you have upgraded to 8.4.5 or later, you can instead enter the arp permit-nonconnected command (global configuration mode) to restore the behavior you had before the upgrade. Keep the caveat from the bug in mind: the command disables a security check, so the upstream static route is the cleaner fix wherever you control the gateway.
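As an added illustration, not part of the original post, here is a constructed ASA 8.4 configuration for the scenario above. Every address, interface number and object name in it is an assumption: the outside interface is 198.51.100.2/30 with the ISP gateway at 198.51.100.1, and the ISP routes 203.0.113.0/24 to us even though that block is not configured on any ASA interface. Both fixes from the post are shown side by side.

```cisco
! Constructed example (not from the original post). Assumed addressing:
!   outside interface 198.51.100.2/30, ISP gateway 198.51.100.1
!   public NAT block 203.0.113.0/24, routed to us by the ISP but NOT
!   configured on any ASA interface, i.e. not directly connected
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! 8.3+ object NAT: inside host 10.1.1.10 is published as 203.0.113.10.
! On 8.4 the ASA will not answer ARP for 203.0.113.10 on the outside
! segment, because 203.0.113.0/24 is not a connected subnet there.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
!
! Option A (works on any 8.4 release): have the ISP gateway route the
! block to the ASA outside address, so it ARPs only for 198.51.100.2.
! On a Cisco IOS gateway that is:
!   ip route 203.0.113.0 255.255.255.0 198.51.100.2
!
! Option B (8.4(5) and later only): let the ASA answer ARP for
! non-connected subnets again, restoring pre-8.4 behaviour. This is a
! global configuration command and, per CSCty95468, it removes a
! security check; prefer Option A where you control the upstream router.
arp permit-nonconnected
!
! Checks after the change:
!   show running-config arp   (should list "arp permit-nonconnected")
!   show arp                  (outside entries may now include non-connected hosts)
!   show nat detail           (translate_hits / untranslate_hits should increment
!                              on the WEB-SERVER static rule once traffic flows)
```

To confirm which fix is in effect from the gateway side, look at the ARP cache of the ISP router after sending traffic to 203.0.113.10: with Option A it should hold only 198.51.100.2, while with Option B it should show 203.0.113.10 resolving to the ASA outside interface's MAC address. Use `no arp permit-nonconnected` to revert Option B.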

10 comments:

  1. Hi Renato,

    Great post! Anyone here in the UK who needs to run a BT Business Hub 3 is going to hit this problem due to the way the ISP leases public addresses. This post was instrumental in the following resolution:
    http://www.petenetlive.com/KB/Article/0000762.htt
    Many Thanks

    Pete

    1. Pete, I'm glad to hear that my post was helpful. Thank you very much for your feedback!

  2. Awesome post. I'm converting an edge network to BGP with multiple blocks and I tested based on this information. AWESOME!!!!!

    1. It's really good to hear that. Thanks for the feedback!

  3. This post has been a lifesaver. Thanks!

  4. Hello Renato,

    Thanks for your post. I ran a replacement of an ASA 5520 with a 5525X. Dynamic NATs work well but static NATs are not working in production. My NAT statements seem correct. Can you guide me as to whether it is really the ARP issue?

    Thanks

    1. Sure, but I need to know what rules you have in place. Are you using the no-proxy-arp option?

  5. Does this apply to internal networks as well? Internal VLANs that are not directly connected to the firewalls?

    Thanks for post!

    1. As we usually have static routes for internal subnets, they don't rely on ARP for layer-two communication to work. However, if you have NAT rules for internal traffic similar to external public/private NATs, then the same behavior is expected.
