Cisco ASAs still have proxy ARP enabled by default when certain NAT types are configured.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

"Default Settings

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the "Routing NAT Packets" section for more information."




On 1/15/2014 7:54 PM, Eric Rosen wrote:
Cisco PIXes used to do this: if the firewall had a route and saw an ARP request
in that IP range, it would proxy ARP.

----- Original Message -----
On Jan 15, 2014, at 4:03 PM, Niels Bakker <niels=na...@bakker.net> wrote:

* c...@bloomcounty.org (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
This is where theory diverges nicely from practice. In some cases the
offender broadcast his reply, and guess what else? A lot of routers
listen to unsolicited ARP replies.

I've never seen this.  Please name vendor and product, if only so other
subscribers to this list can avoid doing business with them.

This was some time ago, but the two I was able to dig up from that case were
both Junipers. Perhaps it’s something that only happens when proxy ARP is
enabled?


-c




--
Vlade Ristevski
Network Manager
IT Services
Ramapo College
(201)-684-6854

