Cisco ASA Series Cli Configuration Manual page 767

Software version 9.0 for the services module

Chapter 1
Information About NAT
Routing NAT Packets
Cisco ASA Series CLI Configuration Guide, page 1-21

Transparent Mode Routing Requirements for Remote Networks
When you use NAT in transparent mode, some types of traffic require static routes. See the "MAC Address vs. Route Lookups" section on page 4-5 for more information.

Figure 1-14 Proxy ARP Problems with Identity NAT
[Figure 1-14: ASA between Inside and Outside with identity NAT for "any" with proxy ARP. Addresses shown: 209.165.200.225, 209.165.200.230, 209.165.200.231. Steps: 1. ARP for 209.165.200.230. 2. Proxy ARP for 209.165.200.230. 3. ARP response too late. 4. Traffic incorrectly sent to ASA.]

In rare cases, you need proxy ARP for identity NAT; for example for virtual Telnet. When using AAA for network access, a host needs to authenticate with the ASA using a service like Telnet before any other traffic can pass. You can configure a virtual Telnet server on the ASA to provide the necessary login. When accessing the virtual Telnet address from the outside, you must configure an identity NAT rule for the address specifically for the proxy ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See Figure 1-15.)

Figure 1-15 Proxy ARP and Virtual Telnet
[Figure 1-15: ASA with virtual Telnet address 209.165.200.230 between an Inside server and an Outside host (209.165.201.11); identity NAT for 209.165.200.230 between inside and outside with proxy ARP. Steps: 1. Telnet to 209.165.200.230. 2. Authenticate. 3. Communicate with server.]
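
The Figure 1-15 setup written out as ASA configuration, as an added example that is not taken from the Cisco guide. The virtual Telnet address and the inside/outside interface names come from the figure; the object and ACL names, the 192.0.2.10 server address and the SMTP service are constructed for illustration, and the AAA server group AUTH_SERVERS is assumed to be defined already.

```cisco
! Added example, not from the guide. 209.165.200.230 and the inside/outside
! interface names come from Figure 1-15; all other names, 192.0.2.10 and
! the SMTP service are constructed for illustration.

! Virtual Telnet server that outside hosts log in to before other traffic passes
virtual telnet 209.165.200.230

! Identity NAT for the virtual Telnet address only (real address = mapped address).
! The no-proxy-arp keyword is deliberately left off this rule, so the ASA answers
! ARP for 209.165.200.230 and keeps the Telnet session instead of forwarding it.
object network VTELNET_ADDR
 host 209.165.200.230
 nat (inside,outside) static 209.165.200.230

! Constructed inside server that the authenticated host wants to reach
object network INSIDE_SERVER
 host 192.0.2.10

! Outside ACL: permit Telnet to the virtual address and SMTP to the server
access-list ACL-IN extended permit tcp any host 209.165.200.230 eq telnet
access-list ACL-IN extended permit tcp any object INSIDE_SERVER eq smtp
access-group ACL-IN in interface outside

! Traffic that must be authenticated first. AUTH_SERVERS is an assumed,
! already-defined aaa-server group.
access-list AUTH extended permit tcp any host 209.165.200.230 eq telnet
access-list AUTH extended permit tcp any object INSIDE_SERVER eq smtp
aaa authentication match AUTH outside AUTH_SERVERS
```

Keeping the identity NAT rule scoped to the single virtual Telnet host, rather than a broad object or "any", limits proxy ARP to the one address that needs it and avoids the Figure 1-14 situation.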
