Troubleshooting Guide for the Cisco ASA 5580 Adaptive Security Appliance

Problem: A NAT rule causes the ASA to Proxy Address Resolution Protocol (ARP) for traffic on the mapped interface
The ASA Proxy ARPs for the global IP address range in a NAT statement on the global interface. This Proxy
ARP functionality can be disabled on a per-NAT-rule basis if you add the no-proxy-arp keyword to the
NAT statement.
This problem is also seen when the global address subnet is inadvertently created to be much larger than it
was intended to be.
Solution:
Add the no-proxy-arp keyword to the NAT line if possible.
Example:
ASA(config)# object network inside-server
ASA(config-network-object)# nat (inside,outside) static 172.18.22.1 no-proxy-arp
ASA(config-network-object)# end
ASA#
ASA# show run nat
object network inside-server
 nat (inside,outside) static 172.18.22.1 no-proxy-arp
ASA#
This can also be accomplished with ASDM. Within the NAT rule, check the Disable Proxy ARP on egress
interface check box.
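To find rules of this kind before they cause trouble, the following added example (not part of the Cisco document) audits saved object NAT configuration for static rules that leave Proxy ARP enabled over a mapped range larger than intended. The sample configuration, the object names other than inside-server, the function names and the max_addresses threshold are constructed for illustration, and the parser assumes IPv4 object definitions only.

```python
import ipaddress
import re

# Constructed sample in the style of the "show run" output above (IPv4 only).
SAMPLE_CONFIG = """\
object network inside-server
 host 10.1.1.5
 nat (inside,outside) static 172.18.22.1 no-proxy-arp
object network mapped-pool
 subnet 172.18.0.0 255.255.0.0
object network inside-net
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) static mapped-pool
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(.*)")

def parse_objects(config):
    """Map object name -> {"size": address count, "nat": (mapped_if, target, no_proxy_arp)}."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # a top-level line opens or closes an object block
            is_obj = words[:2] == ["object", "network"] and len(words) == 3
            current = objects.setdefault(words[2], {"size": None, "nat": None}) if is_obj else None
        elif current is None or not words:
            continue
        elif words[0] == "host":
            current["size"] = 1
        elif words[0] == "subnet":
            current["size"] = ipaddress.ip_network(f"{words[1]}/{words[2]}").num_addresses
        elif words[0] == "range":
            lo, hi = (int(ipaddress.ip_address(w)) for w in words[1:3])
            current["size"] = hi - lo + 1
        elif m := NAT_RE.match(line.strip()):
            current["nat"] = (m.group(2), m.group(3), "no-proxy-arp" in m.group(4).split())
    return objects

def proxy_arp_findings(config, max_addresses=1):
    """Return (object, mapped interface, address count) for each static object NAT
    rule that keeps Proxy ARP enabled for more than max_addresses mapped addresses."""
    objects, findings = parse_objects(config), []
    for name, obj in objects.items():
        if obj["nat"] is None:
            continue
        mapped_if, target, disabled = obj["nat"]
        # Assumption: an inline mapped IP is one-to-one with the real object's size;
        # a mapped object name contributes that object's own size.
        size = objects[target]["size"] if target in objects else obj["size"]
        if not disabled and size is not None and size > max_addresses:
            findings.append((name, mapped_if, size))
    return findings
```

On the sample, proxy_arp_findings(SAMPLE_CONFIG) reports inside-net answering ARP for 65536 addresses on the outside interface, which is the oversized global subnet case described above.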
Updated: Jan 15, 2014
Document ID: 116388