3-21
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3 Information About NAT
Routing NAT Packets
Figure 3-14 Proxy ARP Problems with Identity NAT
In rare cases, you need proxy ARP for identity NAT; for example, for virtual Telnet. When using AAA for network access, a host needs to authenticate with the ASA using a service like Telnet before any other traffic can pass. You can configure a virtual Telnet server on the ASA to provide the necessary login. When accessing the virtual Telnet address from the outside, you must configure an identity NAT rule for the address specifically for the proxy ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See Figure 3-15.)
Figure 3-15 Proxy ARP and Virtual Telnet
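The two cases the figures contrast, written out as an added configuration example (not taken from the guide itself) in ASA 8.3+ twice NAT syntax. The object name VTELNET is an assumption; the addresses are the ones shown in Figure 3-15.

```cisco
! Added example, not from the original guide.
! Virtual Telnet address on which the ASA accepts the AAA login.
virtual telnet 209.165.200.230

! Identity NAT for that single address only, between inside and outside.
! Proxy ARP is on by default, so the ASA answers outside ARP requests for
! 209.165.200.230 and keeps the traffic itself instead of forwarding it
! out the source interface per the NAT rule (Figure 3-15).
object network VTELNET
 host 209.165.200.230
nat (inside,outside) source static VTELNET VTELNET

! Contrast: a broad identity NAT for "any". Left with proxy ARP enabled,
! the ASA would answer ARP for every address on the outside segment and
! pull unrelated traffic to itself (Figure 3-14). Disable proxy ARP here.
nat (inside,outside) source static any any no-proxy-arp
```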
Transparent Mode Routing Requirements for Remote Networks
When you use NAT in transparent mode, some types of traffic require static routes. See the general
operations configuration guide for more information.
[Figure 3-14 callouts: outside host 209.165.201.11; outside addresses 209.165.200.225, 209.165.200.230, 209.165.200.231; identity NAT for "any" with proxy ARP between inside and outside; ARP for 209.165.200.230; proxy ARP for 209.165.200.230 from the ASA; ARP response from the real host arrives too late; traffic incorrectly sent to the ASA.]

[Figure 3-15 callouts: virtual Telnet address 209.165.200.230; identity NAT for 209.165.200.230 between inside and outside with proxy ARP; outside host Telnets to 209.165.200.230, authenticates, then communicates with the inside server.]