The Cisco ASA can exhibit some non-standard ARP behavior depending on the OS version and system configuration. Here are some notes to help remember it.
- arp permit-nonconnected – command introduced in ASA 8.4(5); it defaults to off.
  - ASA releases through 8.2 allowed non-connected ARP (non-standard, and not configurable).
  - ASA releases 8.3 through 8.4(4) disabled non-connected ARP (this follows the standard, and was not configurable).
  - ASA releases 8.4(5) and newer follow the standard by default but allow the rule to be broken with this new command.
NOTE: Do not confuse this with the sysopt noproxyarp command, which is off by default. Proxy ARP on the ASA is important because it allows the ASA to answer ARP requests for NAT-hosted private servers that appear as a separate public IP on the ASA outside interface. Leave the sysopt command for proxy ARP set to the default so that NAT proxy ARP will function correctly.
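
The version rules above can be applied to a saved configuration when auditing a fleet of firewalls. The following is an added example, not part of the original notes or any Cisco tooling: the function names and the sample configuration are assumptions made for illustration, and it expects the "ASA Version X.Y(Z)" line that appears at the top of a saved running configuration.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
ASA Version 8.4(5)
interface GigabitEthernet0/0
 nameif outside
arp permit-nonconnected
sysopt noproxyarp outside
"""

def parse_version(config):
    """Return (major, minor, maintenance) from the 'ASA Version X.Y(Z)' line."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", config, re.MULTILINE)
    if not m:
        raise ValueError("no 'ASA Version X.Y(Z)' line found")
    return tuple(int(g) for g in m.groups())

def audit_arp(config):
    """Apply the release ranges from the notes above to one configuration."""
    version = parse_version(config)
    lines = [line.strip() for line in config.splitlines()]
    # Exact match, so 'no arp permit-nonconnected' does not count as enabled.
    permit_set = "arp permit-nonconnected" in lines
    if version[:2] <= (8, 2):        # through 8.2: always allowed
        accepts, configurable = True, False
    elif version < (8, 4, 5):        # 8.3 through 8.4(4): always disabled
        accepts, configurable = False, False
    else:                            # 8.4(5) and newer: follows the command
        accepts, configurable = permit_set, True
    # Interfaces where the proxy ARP default has been changed.
    noproxy = [l.split()[2] for l in lines
               if l.startswith("sysopt noproxyarp ") and len(l.split()) == 3]
    return {"version": version, "accepts_nonconnected_arp": accepts,
            "configurable": configurable, "proxy_arp_disabled_on": noproxy}

if __name__ == "__main__":
    for key, value in audit_arp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A non-empty proxy_arp_disabled_on list is worth reviewing against the NAT configuration, since the note above recommends leaving proxy ARP at its default.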