Proxy ARP detection

Vlade Ristevski vristevs at
Thu Jan 16 16:46:07 UTC 2014

Cisco ASA's still have proxy ARP enabled by default when certain NAT 
types  are configured.

"Default Settings

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has 
proxy ARP disabled.
You cannot configure this setting. (8.4(2) and later) The default 
behavior for identity NAT has proxy ARP enabled, matching other static 
NAT rules.
You can disable proxy ARP if desired. See the "Routing NAT Packets" 
section for more information."

On 1/15/2014 7:54 PM, Eric Rosen wrote:
> Cisco PIX's used to do this if the firewall had a route and saw a ARP request in that IP range it would proxy arp.
> ----- Original Message -----
>> On Jan 15, 2014, at 4:03 PM, Niels Bakker <niels=nanog at> wrote:
>>> * clay at (Clay Fiske) [Thu 16 Jan 2014, 00:59 CET]:
>>>> This is where theory diverges nicely from practice. In some cases the
>>>> offender broadcast his reply, and guess what else? A lot of routers
>>>> listen to unsolicited ARP replies.
>>> I've never seen this.  Please name vendor and product, if only so other
>>> subscribers to this list can avoid doing business with them.
>> This was some time ago, but the two I was able to dig up from that case were
>> both Junipers. Perhaps it’s something that only happens when proxy ARP is
>> enabled?
>> -c

Vlade Ristevski
Network Manager
IT Services
Ramapo College

More information about the NANOG mailing list