Arp response from wrong PIX

tholmes (Level 1)

Hello,

I have 2 PIX firewalls on the same LAN, 1 is used for Internet access only.

The other is used to terminate several VPN tunnels.

I've an FTP server on the DMZ LAN, and have static routes on the server to point to the remote LANs across the VPN tunnels. I've also a default route via the Internet PIX.

However, when the FTP server sends an ARP request to the VPN PIX DMZ IP address to discover its MAC address, the Internet PIX responds instead with, I assume, a proxy ARP.

I've added a static ARP entry to the FTP server to get around this. My question is:

If the ARP request from the FTP server contained the VPN PIX's IP address and the Internet PIX responds as well, is this normal?

Any help appreciated

Regards Tony
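The symptom described above (two devices answering ARP for the same IP) is easy to spot from a capture. The following is an added example, not code from the thread or from Cisco: it parses constructed tcpdump-style ARP reply lines and reports any IP answered by more than one MAC, naming the answering interfaces where they are known. The IP addresses, MAC addresses (from the documentation range 00:00:5E:00:53:xx) and interface names are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's ARP reply format (sample data, not from the thread).
SAMPLE_CAPTURE = """\
12:00:01.000100 ARP, Request who-has 172.16.1.2 tell 172.16.1.50, length 28
12:00:01.000200 ARP, Reply 172.16.1.2 is-at 00:00:5e:00:53:01, length 28
12:00:01.000300 ARP, Reply 172.16.1.2 is-at 00:00:5e:00:53:02, length 28
12:00:05.000100 ARP, Request who-has 172.16.1.1 tell 172.16.1.50, length 28
12:00:05.000200 ARP, Reply 172.16.1.1 is-at 00:00:5e:00:53:01, length 28
"""

# Assumed inventory of DMZ interface MACs, so a conflicting reply can be attributed.
KNOWN_INTERFACES = {
    "00:00:5e:00:53:01": "internet-pix dmz",
    "00:00:5e:00:53:02": "vpn-pix dmz",
}

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_replies(capture_text):
    """Return a list of (ip, mac) pairs for every ARP reply in the capture text."""
    replies = []
    for line in capture_text.splitlines():
        match = REPLY_RE.search(line)
        if match:
            replies.append((match.group(1), match.group(2).lower()))
    return replies


def find_conflicting_replies(replies):
    """Map each IP answered by more than one distinct MAC to the sorted list of those MACs."""
    answered_by = defaultdict(set)
    for ip, mac in replies:
        answered_by[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in answered_by.items() if len(macs) > 1}


def describe_conflicts(conflicts, known=KNOWN_INTERFACES):
    """Render one human-readable line per conflicting IP, naming known interfaces."""
    lines = []
    for ip, macs in sorted(conflicts.items()):
        names = [f"{mac} ({known.get(mac, 'unknown device')})" for mac in macs]
        lines.append(f"{ip} answered by {len(macs)} MACs: " + ", ".join(names))
    return lines


if __name__ == "__main__":
    for line in describe_conflicts(find_conflicting_replies(parse_arp_replies(SAMPLE_CAPTURE))):
        print(line)
```

In the sample, 172.16.1.2 (the VPN PIX) is answered both by its own MAC and by the Internet PIX's MAC, which is exactly the proxy-ARP interference the post describes; 172.16.1.1 is answered by one MAC only and is not reported.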

4 Replies

mklaphek (Level 1)

I don't fully understand your topology; however, ARPs are only for a local LAN segment. So, if the VPN PIX is not connected to the same DMZ segment that the FTP server is on, the FTP server will ARP for its default gateway.

Proxy ARP is usually only a factor if there are inconsistent subnet masks applied. For example, if the DMZ network was 172.16.1.0/24 and the LAN was 172.16.2.0/24 and the FTP server were configured with a subnet mask of 255.255.0.0, then it would try to ARP for 172.16.2.X, since it believes that this is local. A device supporting proxy ARP would answer for it instead of having the connection fail.

Since the FTP server is on the DMZ, there must be some sort of static mapping to get back into the inside. The PIX will also answer these ARPs.

Hope this helps.

Mike
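Mike's subnet-mask example can be worked through mechanically. The following is an added example, not code from the thread: given the host's own address and mask, it reports which address the host will ARP for when sending to a destination, so the /24 and /16 cases from the reply can be compared side by side. The addresses 172.16.1.10 (FTP server), 172.16.1.1 (default gateway) and 172.16.2.5 (a LAN host) are assumed sample values.

```python
import ipaddress


def arp_target_for(host_ip, host_mask, dest_ip, default_gw):
    """Return the IP the host will ARP for when it sends to dest_ip.

    A host ARPs directly for any destination it considers on-link (inside its
    own network as computed from its mask); everything else is sent to the
    default gateway, so the host ARPs for the gateway instead.
    """
    host_net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    if ipaddress.ip_address(dest_ip) in host_net:
        return dest_ip
    return default_gw


def compare_masks(host_ip, dest_ip, default_gw, masks):
    """Map each candidate mask to the address the host would ARP for under it."""
    return {mask: arp_target_for(host_ip, mask, dest_ip, default_gw) for mask in masks}


def needs_proxy_arp(host_ip, host_mask, dest_ip, real_dest_net):
    """True when the host thinks dest_ip is on-link but it actually lives on another
    network: only a proxy-ARP device on the segment would answer such a request."""
    host_net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    dest = ipaddress.ip_address(dest_ip)
    return dest in host_net and dest not in ipaddress.ip_network(real_dest_net)


if __name__ == "__main__":
    # Constructed sample: FTP server on the DMZ, LAN host on 172.16.2.0/24.
    for mask, target in compare_masks("172.16.1.10", "172.16.2.5", "172.16.1.1",
                                      ["255.255.255.0", "255.255.0.0"]).items():
        print(f"mask {mask}: host ARPs for {target}")
    print("proxy ARP required with /16:",
          needs_proxy_arp("172.16.1.10", "255.255.0.0", "172.16.2.5", "172.16.1.0/24"))
```

With the correct /24 mask the server ARPs for its gateway 172.16.1.1; with the mistaken /16 it ARPs for 172.16.2.5 itself, which no host on the DMZ owns, so the request is only answered if a device on the segment is doing proxy ARP.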

Hello Mike,

I appreciate your response and I'll certainly look at the masks on those devices.

The PIXs are effectively in parallel, with the inside, DMZ and outside interfaces all connected to their respective LANs.

Cheers Tony

Hello,

Check the forum entry before yours, titled "lost connectivity in dmz (pix) and arp answer". This covers the solution to your problem.

PIXs have proxy ARP enabled by default. This can be disabled by using 'sysopt noproxyarp interface_name'.

Glen.

Hi Glen,

Thanks for the response, but I'm told by the 3rd party administering this PIX that it needs to have proxy ARP enabled as it acts as a gateway to the Internet.

I'm not 100% sure this is correct though.

Cheers Tony
