Monday, September 12, 2011

Cisco ASA – Deny inbound (Type 0, Code 0)

This interesting issue I came about after looking into an ASA connected to pair of switches that did not have ARP snooping turned on. The error message below happened when trying to send ping (echo) to anything server in the same subnet.

3    Aug 29 2011    10:41:15    106014    X.X.X.X        X.X.X.Y        Deny inbound icmp src Secure:X.X.X.X dst Secure:X.X.X.Y (type 0, code 0);

After getting IP conflicts on servers in that subnet I read more about the Proxy Arp feature which is enabled by default. This feature is to respond on all arp requests to them to go through your ASA device. I could see this being very usable if you wanted to use IPS or force NAT translations on all traffic.

Here is the current help document for Proxy as of ASA Version 8.4.2 but make sure to check your ASA for up to date documentation.

Disabling Proxy ARPs
When a host sends IP traffic to another device on the same Ethernet network, the host needs to know the MAC address of the device. ARP is a Layer 2 protocol that resolves an IP address to a MAC address. A host sends an ARP request asking "Who is this IP address?" The device owning the IP address replies, "I own that IP address; here is my MAC address."

Proxy ARP is used when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify a mapped address that is on the same network as the ASA interface. The only way traffic can reach the hosts is if the ASA uses proxy ARP to claim that the MAC address is assigned to destination mapped addresses.

Under rare circumstances, you might want to disable proxy ARP for NAT addresses.

If you have a VPN client address pool that overlaps with an existing network, the ASA by default sends proxy ARPs on all interfaces. If you have another interface that is on the same Layer 2 domain, it will see the ARP requests and will answer with the MAC address of its interface. The result of this is that the return traffic of the VPN clients towards the internal hosts will go to the wrong interface and will get dropped. In this case, you need to disable proxy ARPs for the interface on which you do not want proxy ARPs.

To disable proxy ARPs,perform the following steps:

1.Choose Configuration > Device Setup > Routing > Proxy ARPs.
The Interface field lists the interface names. The Proxy ARP Enabled field shows whether or not proxy ARP is enabled (Yes) or disabled (No) for NAT global addresses.

1.To enable proxy ARP for the selected interface, click Enable. By default, proxy ARP is enabled for all interfaces.
2.To disable proxy ARP for the selected interface, click Disable.
3.Click Apply to save your settings to the running configuration.

No comments: