Cisco ASA 5505 User Manual


29-23

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

Routing NAT Packets

the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address). If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA (see Figure 29-20).

Figure 29-20

Proxy ARP Problems with Identity NAT

In rare cases, you need proxy ARP for identity NAT; for example, for virtual Telnet. When using AAA for network access, a host needs to authenticate with the ASA using a service like Telnet before any other traffic can pass. You can configure a virtual Telnet server on the ASA to provide the necessary login. When accessing the virtual Telnet address from the outside, you must configure an identity NAT rule for the address specifically for the proxy ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See Figure 29-21.)

Figure 29-21

Proxy ARP and Virtual Telnet
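The following configuration fragment is an added example, not taken from this guide, written in ASA 8.4(2)+ twice NAT syntax. It shows the identity NAT rule for “any” from Figure 29-20 with proxy ARP turned off by the `no-proxy-arp` keyword, beside the host-specific identity NAT rule for the virtual Telnet address from Figure 29-21 that keeps proxy ARP enabled. The object name `VTELNET-HOST`, the ACL name `AUTH-NET` and the AAA server group `MY-AAA-SERVERS` are assumptions.

```text
! --- Figure 29-20 case: identity NAT for "any" between inside and outside ---
! Because the rule matches "any" as the source, proxy ARP on the outside
! interface would make the ASA answer ARP requests for every outside host,
! racing the real host's reply and pulling that traffic onto the ASA.
! Disable proxy ARP explicitly for this broad identity rule.
nat (inside,outside) source static any any no-proxy-arp

! --- Figure 29-21 case: virtual Telnet for AAA network-access login ---
! Proxy ARP stays enabled (keyword omitted) so the ASA keeps traffic sent to
! the virtual Telnet address instead of forwarding it per the NAT rule.
! Names below are assumptions for this example.
object network VTELNET-HOST
 host 209.165.200.230
!
virtual telnet 209.165.200.230
!
! Traffic from outside that must be authenticated before it can pass.
access-list AUTH-NET extended permit ip any any
aaa authentication match AUTH-NET outside MY-AAA-SERVERS
!
! Host-specific identity NAT for the virtual Telnet address only, with
! proxy ARP left on (the narrow match avoids the Figure 29-20 problem).
nat (inside,outside) source static VTELNET-HOST VTELNET-HOST
```

Verify the result with `show nat detail`, which lists each rule and whether proxy ARP is disabled for it.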

[Figure 29-20, Proxy ARP Problems with Identity NAT: outside network with addresses 209.165.200.225, 209.165.200.230 and 209.165.200.231; inside address 209.165.201.11; identity NAT for “any” with proxy ARP between inside and outside. Callouts: 1. ARP for 209.165.200.230. 2. Proxy ARP for 209.165.200.230 (from the ASA). 3. ARP response from the real host, too late. 4. Traffic incorrectly sent to ASA.]

[Figure 29-21, Proxy ARP and Virtual Telnet: virtual Telnet address 209.165.200.230; identity NAT for 209.165.200.230 between inside and outside with proxy ARP; server on the inside. Callouts: 1. Telnet to 209.165.200.230. 2. Authenticate. 3. Communicate with server.]
