Cisco ASA causes Windows to get APIPA address

I encountered this issue recently when I installed a new ASAv into my topology. Unexpectedly, some Windows machines and VMs started getting 169.x.x.x APIPA addresses although they had a static IP configured.

This was caused by the NAT on my ASA interfering with proxy-arp and causing IP conflicts. By default, Cisco firewalls will proxy ARP for NAT entries.

  • (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
  • (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.

The solution was to add “no-proxy-arp” to the end of the NAT syntax:
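
As an added example (not the configuration from the original post), the script below scans an ASA configuration for static and identity NAT rules that still rely on the default proxy ARP behaviour, so they can be reviewed and given `no-proxy-arp` where appropriate. The interface names, object names and addresses in the sample are constructed, and the script assumes the 8.3+ NAT syntax (manual `source static` rules and object NAT).

```python
import re

# Constructed sample config; object names, interfaces and IPs are hypothetical.
SAMPLE_CONFIG = """\
nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET
nat (inside,outside) source static LAN-NET LAN-NET destination static DMZ-NET DMZ-NET no-proxy-arp route-lookup
nat (inside,outside) source dynamic LAN-NET interface
object network WEB-SRV
 nat (dmz,outside) static 203.0.113.10
"""

# Manual (twice) NAT: nat (real,mapped) [after-auto] [line] source static REAL MAPPED ...
MANUAL_NAT = re.compile(
    r"^nat \([^)]*\) (?:after-auto )?(?:\d+ )?"
    r"source static (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)
# Object NAT: an indented line under "object network NAME"
OBJECT_NAT = re.compile(r"^\s+nat \([^)]*\) static (?P<mapped>\S+)(?P<rest>.*)$")


def find_proxy_arp_nat(config):
    """Return (line_no, kind, rule) for static NAT rules lacking no-proxy-arp."""
    findings = []
    current_object = None
    for line_no, line in enumerate(config.splitlines(), 1):
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        match = MANUAL_NAT.match(line)
        if match:
            real = match["real"]
        else:
            match = OBJECT_NAT.match(line)
            if not match:
                continue
            real = current_object  # object NAT translates the enclosing object
        # Identity NAT maps an address to itself (real == mapped).
        kind = "identity" if real == match["mapped"] else "static"
        if "no-proxy-arp" not in match["rest"].split():
            findings.append((line_no, kind, line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, rule in find_proxy_arp_nat(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} NAT answers ARP for its mapped addresses: {rule}")
```

Dynamic NAT/PAT lines are deliberately ignored; the script only reports rules of the static and identity kind that the post describes.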
