The Same Address As The Real Address (Identity Nat) - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 10
NAT Examples and Reference

The Same Address as the Real Address (Identity NAT)

The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can
disable proxy ARP if desired. You can also disable proxy ARP for regular static NAT, in which case you
need to be sure to have proper routes on the upstream router.

Normally for identity NAT, proxy ARP is not required, and in some cases it can cause connectivity issues.
For example, if you configure a broad identity NAT rule for "any" IP address, then leaving proxy ARP
enabled can cause problems for hosts on the network directly connected to the mapped interface. In this
case, when a host on the mapped network wants to communicate with another host on the same network,
the address in the ARP request matches the NAT rule (which matches "any" address). The ASA then
proxy ARPs for the address, even though the packet is not actually destined for the ASA. (Note that this
problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source
and destination addresses, the proxy ARP decision is made only on the "source" address.) If the ASA
ARP response is received before the actual host ARP response, then traffic is mistakenly sent to the
ASA (see the following figure).
Figure 10-10 Proxy ARP Problems with Identity NAT (identity NAT for "any" with proxy ARP): a host on the outside network sends an ARP request for 209.165.200.230 (1); the ASA proxy ARPs for that address (2); the real host's ARP response arrives too late (3); traffic is incorrectly sent to the ASA (4).
In rare cases, you need proxy ARP for identity NAT; for example, for virtual Telnet. When using AAA
for network access, a host needs to authenticate with the ASA using a service like Telnet before any other
traffic can pass. You can configure a virtual Telnet server on the ASA to provide the necessary login.
When accessing the virtual Telnet address from the outside, you must configure an identity NAT rule for
the address specifically for the proxy ARP functionality. Due to internal processes for virtual Telnet,
proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic
out the source interface according to the NAT rule. (See the following figure.)
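The following is an added configuration example, not taken from the guide, showing the broad identity NAT rule described above with proxy ARP at its default beside the same rule with proxy ARP disabled; the interface names and the 209.165.200.0/27 addresses from the figure are assumed.

```cisco
! Constructed example (not from the Cisco guide). Interface names "inside"
! and "outside" and the outside-segment addresses are assumptions.
!
! --- Problem case: broad identity NAT, proxy ARP left at its default ---
! The rule matches "any" source address, so when outside host 209.165.200.231
! sends an ARP request for its neighbour 209.165.200.230, the ASA answers for
! that address too. If the ASA's reply arrives before the real host's reply,
! .231 sends its traffic to the ASA instead of to .230.
nat (inside,outside) source static any any
!
! --- Corrected: the same identity NAT rule with proxy ARP disabled ---
! Traffic that matches the rule is still passed untranslated, but the ASA no
! longer answers ARP requests for addresses that merely fall inside the rule.
! Because identity NAT does not change addresses, the upstream router only
! needs its normal routes to the real subnets.
no nat (inside,outside) source static any any
nat (inside,outside) source static any any no-proxy-arp
!
! Leave proxy ARP enabled only for the narrow identity NAT rule that the guide
! says needs it (the virtual Telnet address), never for the "any" rule.
!
! --- Verification ---
! Confirm the rule is installed with the no-proxy-arp keyword and is not
! shadowed by an earlier rule in the NAT table.
show running-config nat
show nat
```

After the change, the MAC address a host on the outside segment learns for 209.165.200.230 should be the real host's, not the ASA outside interface MAC reported by `show interface outside`.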
