Sunday, November 13, 2011

ASA 8.3.1 proxy arp

Whose brilliant idea was it anyway to change a sysopt setting between
minor releases?
And yes, 8.2 to 8.3 is a dot release, hence a minor release.

By default, proxy ARP is disabled starting from 8.3.1. I know, I know,
proxy ARP on the outside interface is a security risk, but most
network admins know this already and would have disabled it if
needed.
What if you have a cross-connect link with your ISP on the outside
interface that makes the security risk moot?

Found this out the hard way when enabling a static NAT on the outside
interface: nothing works. SYN packets are sent but SYN-ACKs are
never received.
The firewall does not block anything, there are no debugging messages
in ASDM, packet tracer shows nothing is wrong...
Wireshark shows that ARP requests from the ISP PE are ignored, with no
notification from the ASA.... Ughhhh. Brilliant.

Enabling proxy ARP with no sysopt noproxyarp PRODUCTIONINTERFACE or
entering a static ARP entry will fix this problem...
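As an added worked example (not from the original post, and not Cisco's own documentation), here is what the static NAT, the setting that causes the symptom, and both fixes look like on an 8.3 ASA. The addresses are constructed from the RFC 5737 documentation ranges, the MAC is a placeholder, and the interface names inside and outside are assumptions:

```cisco
! Constructed example: 8.3-style object NAT that publishes an inside
! server on a public address that belongs to the outside subnet.
object network WEB_SERVER
 host 192.168.10.10
 nat (inside,outside) static 203.0.113.10

! The setting behind the symptom. With this present, the ASA ignores the
! ISP PE's ARP requests for 203.0.113.10 and the return traffic never comes.
show running-config sysopt
! sysopt noproxyarp outside

! Fix 1 (broad): re-enable proxy ARP for the whole outside interface.
! The ASA will now answer ARP for every address it NATs on that interface.
no sysopt noproxyarp outside

! Fix 2 (narrow): answer ARP only for the NAT address. The alias keyword
! makes the ASA respond to ARP requests for this IP with the given MAC.
! 0011.2233.4455 is a placeholder: use the outside interface's own MAC,
! as shown by 'show interface outside'.
arp outside 203.0.113.10 0011.2233.4455 alias

! Verification after either fix: the entry appears in the ARP table, and a
! capture on the outside wire now shows ARP replies from the ASA.
show arp
```

Fix 2 is the one to prefer on an interface where proxy ARP was deliberately disabled: it exposes exactly one address instead of re-enabling proxy ARP for every NAT on the interface. The equivalent static entry can also be placed on the ISP PE side pointing 203.0.113.10 at the ASA's outside MAC, which is the other reading of "entering a static ARP entry" above.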

Brilliant move cisco, brilliant...
