Entering ipv6 addresses in commands, Disabling proxy arps – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 21 Routing Overview

Disabling Proxy ARPs

Entering IPv6 Addresses in Commands

When entering IPv6 addresses in commands that support them, enter the IPv6 address using standard
IPv6 notation, for example:

ping fe80::2e0:b6ff:fe01:3b7a

The ASA correctly recognizes and processes the IPv6 address. However, you must enclose the IPv6
address in square brackets ([ ]) in the following situations:

- You need to specify a port number with the address, for example:

  [fe80::2e0:b6ff:fe01:3b7a]:8080

- The command uses a colon as a separator, such as the write net command and config net command,
  for example:

  configure net [fe80::2e0:b6ff:fe01:3b7a]:/tftp/config/asaconfig

Disabling Proxy ARPs

When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the
MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A
host sends an ARP request asking “Who is this IP address?” The device owning the IP address replies,
“I own that IP address; here is my MAC address.”

Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though
the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify
a mapped address that is on the same network as the ASA interface. The only way traffic can reach the
hosts is if the ASA uses proxy ARP to claim that its own MAC address is assigned to the destination
mapped addresses.

Under rare circumstances, you might want to disable proxy ARP for NAT addresses.

If you have a VPN client address pool that overlaps with an existing network, the ASA by default sends
proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will
see the ARP requests and will answer with the MAC address of its interface. As a result, the return
traffic of the VPN clients towards the internal hosts goes to the wrong interface and is dropped. In
this case, you need to disable proxy ARPs on the interface where you do not want them.

To disable proxy ARPs, enter the following command:

Command:  sysopt noproxyarp interface

Example:  hostname(config)# sysopt noproxyarp exampleinterface

Purpose:  Disables proxy ARPs.
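The symptom described above, two interfaces on one Layer 2 domain answering ARP for the same addresses, can be confirmed from a packet capture taken on the shared segment before and after disabling proxy ARP. The following Python code is an added example, not part of the Cisco guide; the tcpdump-style capture text, the IP addresses and the MAC addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: ARP traffic in tcpdump text form, as seen from a host on
# the shared Layer 2 segment. All addresses and MACs are made up.
SAMPLE_CAPTURE = """\
10:00:01.000100 ARP, Request who-has 10.1.1.50 tell 10.1.1.10, length 46
10:00:01.000300 ARP, Reply 10.1.1.50 is-at 00:00:5e:00:53:01, length 46
10:00:01.000450 ARP, Reply 10.1.1.50 is-at 00:00:5e:00:53:02, length 46
10:00:02.000100 ARP, Reply 10.1.1.51 is-at 00:00:5e:00:53:01, length 46
10:00:02.000200 ARP, Reply 10.1.1.51 is-at 00:00:5e:00:53:02, length 46
10:00:03.000100 ARP, Reply 10.1.1.20 is-at 00:00:5e:00:53:aa, length 46
10:00:04.000100 ARP, Reply 10.1.1.52 is-at 00:00:5e:00:53:01, length 46
"""

REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_replies(text):
    """Return (ip, mac) for every ARP reply line; other lines are skipped."""
    matches = map(REPLY_RE.search, text.splitlines())
    return [(m["ip"], m["mac"].lower()) for m in matches if m]

def conflicting_answers(replies):
    """IPs answered by more than one MAC: the overlap symptom described above."""
    macs_by_ip = defaultdict(set)
    for ip, mac in replies:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}

def proxy_candidates(replies, min_ips=2):
    """MACs that answer for several IPs, i.e. interfaces likely proxying ARP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) >= min_ips}

if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for ip, macs in conflicting_answers(replies).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in proxy_candidates(replies).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

After proxy ARP is disabled on the unwanted interface, a fresh capture should show each address in the overlapping range answered by a single MAC.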
