https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145727#M608448 <HTML><HEAD></HEAD><BODY><P>I am sorry, the alias option I was refering to was the arp command....</P><P></P><P>ARP INSIDE n.n.n.n hhhh.hhhh.hhhh ALIAS</P><P></P><P>We were using this form because the firewall was not advertising the mac address of inside to the outside interface. This worked fine until a default changed in a pix release. Then we started seeing inside hosts with bogus arp tables and communications would come to a halt. The servers would starting seeing the pix's mac address for the correct entries. We also tried the sysopt noproxyarp if_name suggestion, but it did not work. We have been running our configs with:</P><P></P><P>ARP INSIDE n.n.n.n hhhh.hhhh.hhhh </P><P></P><P>with no problems for about a year.</P></BODY></HTML> Tue, 11 Mar 2003 18:50:57 GMT jspyker 2003-03-11T18:50:57Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145720#M608441 <P>I have a PIX 515 that is doing static NAT translations (using static and alias entries). I have one remote access server running Citrix. We have had some issues connecting to that server internally. I have found that when I ping it, 9 out of ten tries is times out after the first attempt. When I do an "arp /a" from my workstation it comes back with the MAC address of the internal interface of my PIX. If I try doing the ping and clear my arp cache manually, after ten or more tries is will successfully ping the right device - and then go right back to the PIX MAC address. This setup is a pretty typical configuration for us. What could be wrong?</P> Fri, 21 Feb 2020 06:36:43 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145720#M608441 bevans 2020-02-21T06:36:43Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145721#M608442 <HTML><HEAD></HEAD><BODY><P>Sounds like the PIX is answering the ARP requests for the Citrix servers' MAC address. Turn off proxy ARP on the PIX on the inside interface with:</P><P></P><P>&gt; sysopt noproxyarp inside</P></BODY></HTML> Mon, 10 Mar 2003 23:30:04 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145721#M608442 gfullage 2003-03-10T23:30:04Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145722#M608443 <HTML><HEAD></HEAD><BODY><P>If the Citrix is on the local subnet with the Pix's interface, then it should not be replying for this obviously. Check inconsistent subnet masks which may cause hosts to think they some devices are on "different" subnets.</P><P></P><P>BTW...It is common for the first attempt of a ping to fail due to an ARP request to learn the MAC if it wasn't in your host's cache. I would not consider this a symptom of your problem.</P></BODY></HTML> Tue, 11 Mar 2003 01:07:39 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145722#M608443 shannong 2003-03-11T01:07:39Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145723#M608444 <HTML><HEAD></HEAD><BODY><P>Thank you both for your post. I reviewed the command "ip proxy-arp." Since it is a per interface command, I would issue "no ip proxy-arp" on the internal interface of my PIX? I just wanted to verify that this is correct. Also, might this have any negative side affects? Thanks!</P></BODY></HTML> Tue, 11 Mar 2003 13:39:31 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145723#M608444 bevans 2003-03-11T13:39:31Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145724#M608445 <HTML><HEAD></HEAD><BODY><P>Any chance you have used the arp command with the alias option? We ran into this same issue a year ago along with a hit on bug CSCdw57969 which was first fixed in versions 6.2(0.237) and 6.2(0.239). The arp issue has not come back since the removal of the alias option and upgrading to 6.2(2). Hope this helps.</P></BODY></HTML> Tue, 11 Mar 2003 15:43:32 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145724#M608445 jspyker 2003-03-11T15:43:32Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145725#M608446 <HTML><HEAD></HEAD><BODY><P>Thank you for your post. We are using static entries for one-to-one nat. Dont we need to use the alias command with that? Thanks.</P></BODY></HTML> Tue, 11 Mar 2003 15:53:52 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145725#M608446 bevans 2003-03-11T15:53:52Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145726#M608447 <HTML><HEAD></HEAD><BODY><P>It seems that you have the routers "ip proxy-arp" command confused with the Pix. As posted above, the pix would use the command "sysopt noproxyarp inside". You could turn off proxy-arp, but this shouldn't be happening actually. </P><P></P><P>What version are you running?</P><P></P><P>And you have no alias commands.....</P><P></P><P>Can you post the static command you're using for the Citrix server? </P><P></P></BODY></HTML> Tue, 11 Mar 2003 16:58:52 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145726#M608447 shannong 2003-03-11T16:58:52Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145727#M608448 <HTML><HEAD></HEAD><BODY><P>I am sorry, the alias option I was refering to was the arp command....</P><P></P><P>ARP INSIDE n.n.n.n hhhh.hhhh.hhhh ALIAS</P><P></P><P>We were using this form because the firewall was not advertising the mac address of inside to the outside interface. This worked fine until a default changed in a pix release. Then we started seeing inside hosts with bogus arp tables and communications would come to a halt. The servers would starting seeing the pix's mac address for the correct entries. We also tried the sysopt noproxyarp if_name suggestion, but it did not work. We have been running our configs with:</P><P></P><P>ARP INSIDE n.n.n.n hhhh.hhhh.hhhh </P><P></P><P>with no problems for about a year.</P></BODY></HTML> Tue, 11 Mar 2003 18:50:57 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145727#M608448 jspyker 2003-03-11T18:50:57Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145728#M608449 <HTML><HEAD></HEAD><BODY><P>Shannong,</P><P></P><P>Our PIX is running 6.1(2). An example static entry:</P><P>static (inside,outside) 100.20.50.9 10.10.1.22 netmask 255.255.255.255 0 0</P><P></P><P>For that I also have an alias entry:</P><P>alias (inside) 10.10.1.22 100.20.50.9 255.255.255.255</P><P></P><P>Is the alias entry necessary? Thanks again!</P></BODY></HTML> Tue, 11 Mar 2003 20:08:57 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145728#M608449 bevans 2003-03-11T20:08:57Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145729#M608450 <HTML><HEAD></HEAD><BODY><P>I don't know if the alias entry is necessary, but it is probably the source of your problem. Why are you using the alias entry? Is the DNS for the public IP of the citrix server externally hosts and you want to "doctor" it? Are you doing destination NAT?</P></BODY></HTML> Wed, 12 Mar 2003 00:56:42 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145729#M608450 shannong 2003-03-12T00:56:42Z https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145730#M608451 <HTML><HEAD></HEAD><BODY><P>Thank you everyone for your posts. The problem has been resolved using by adding the config entry "sysopt noproxyarp inside." Thank you again for your time.</P></BODY></HTML> Wed, 12 Mar 2003 13:19:28 GMT https://community.cisco.com/t5/network-security/arp-issue-and-pix-firewall/m-p/145730#M608451 bevans 2003-03-12T13:19:28Z