05-03-2012 06:22 AM - edited 03-11-2019 04:01 PM
We are migrating DMZ segments from a Checkpoint to an ASA 5585 firewall that we had connected to the same segments as the Checkpoint, except on different IP addresses than the Checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NAT entries below we experienced an ARP table clash between the Checkpoint and ASA firewalls on the local segments that caused an application outage. What was determined was that the Checkpoint firewall was showing that all the IP addresses, in particular on the VLAN130 segment, were associated with the MAC address of the ASA interface instead of the real server MAC address. I need assistance understanding why the Checkpoint was pointing the ARP entries for many different addresses on VLAN130 to the ASA firewall MAC.
nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
isxasa04/wwy-legacy# sho interface
Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
MAC address 442b.0330.aba2, MTU 1500
IP address 10.121.129.X, subnet mask 255.255.255.0
Traffic Statistics for "core-inside":
241633 packets input, 12094352 bytes
44788 packets output, 3032584 bytes
109732 packets dropped
Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
MAC address 442b.0330.aba3, MTU 1500
IP address 10.121.130.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN130":
1264203 packets input, 136452168 bytes
326080 packets output, 69216516 bytes
794035 packets dropped
Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
MAC address 442b.0330.aba3, MTU 1500
IP address 10.121.136.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN136":
374547 packets input, 23696109 bytes
51186 packets output, 3324895 bytes
173500 packets dropped
Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
MAC address 442b.0330.ab9b, MTU 1500
IP address 167.9.6.X, subnet mask 255.255.255.0
Traffic Statistics for "internet-outside":
352158 packets input, 17245425 bytes
76888 packets output, 3872904 bytes
12255 packets dropped
Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
MAC address 442b.0330.ab9c, MTU 1500
IP address 10.121.201.X, subnet mask 255.255.255.0
Traffic Statistics for "internet-dmz":
237795 packets input, 12460108 bytes
40787 packets output, 2775684 bytes
27378 packets dropped
Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
MAC address 442b.0330.ab9e, MTU 1500
IP address 10.121.140.X, subnet mask 255.255.255.0
Traffic Statistics for "VLAN140":
386931 packets input, 18807725 bytes
48936 packets output, 3319712 bytes
114417 packets dropped
Checkpoint ARP table:
10.121.130.101 44:2b:3:30:ab:a3 3285
ASA ARP table:
isxasa04/wwy-legacy# sh arp | i 10.121.130.101
VLAN130 10.121.130.101 001a.4b06.dd45 10525
Server real address provided by processing:
0x001A4B06DD45
isxasa04# sh int | i MAC
MAC address 442b.0330.ab9a, MTU not set
MAC address 442b.0330.ab9b, MTU not set
MAC address 442b.0330.ab9c, MTU not set
MAC address 442b.0330.ab9d, MTU 1500
MAC address 442b.0330.ab9e, MTU not set
MAC address 442b.0330.ab9f, MTU not set
MAC address 442b.0330.aba0, MTU not set
MAC address 442b.0330.aba1, MTU not set
MAC address 442b.0330.ab98, MTU not set
MAC address 442b.0330.ab99, MTU not set
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not set
05-03-2012 09:16 PM
The ASA is proxy ARPing those MACs. Turn off proxy ARP and put in static ARP entries until you completely shut down the Checkpoint.
Sent from Cisco Technical Support iPad App
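The diagnosis in this thread comes down to one comparison: the Checkpoint resolves 10.121.130.101 to 44:2b:3:30:ab:a3, which is the ASA's VLAN130 interface MAC (442b.0330.aba3), while the ASA itself knows the host's real MAC (001a.4b06.dd45). The script below is an added example, not code from the thread or from Cisco: it normalizes the three MAC formats seen in the post (Cisco dotted, Checkpoint colon-separated with unpadded octets, and the 0x-prefixed form from the server team), then flags every IP in a neighbouring firewall's ARP table that resolves to one of the ASA's own interface MACs. The sample tables are constructed from the lines quoted above; the second host (10.121.130.102) is a made-up healthy entry for contrast.

```python
"""Cross-check a neighbouring firewall's ARP table against an ASA's own MACs.

Added example (not from the thread). Flags IPs that a neighbour resolves to
an ASA interface MAC, which is the footprint of the ASA proxy ARPing for
hosts on the segment.
"""
import re

# Constructed sample input, modelled on the "sh int | i MAC" output in the post.
ASA_MAC_LISTING = """\
MAC address 442b.0330.ab9a, MTU not set
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not set
"""

# Constructed Checkpoint-style table: ip  mac (colon form, octets may be unpadded)  age
CHECKPOINT_ARP = """\
10.121.130.101 44:2b:3:30:ab:a3 3285
10.121.130.102 0:1a:4b:6:dd:46 120
"""

# Constructed ASA-style table: interface  ip  mac (dotted form)  age
ASA_ARP = """\
VLAN130 10.121.130.101 001a.4b06.dd45 10525
VLAN130 10.121.130.102 001a.4b06.dd46 90
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    Accepts Cisco dotted (442b.0330.aba3), colon- or hyphen-separated with or
    without zero padding (44:2b:3:30:ab:a3), bare hex, and 0x-prefixed hex.
    """
    mac = mac.strip().lower()
    if mac.startswith("0x"):
        mac = mac[2:]
    if "." in mac:
        groups = mac.split(".")
        if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{4}", g) for g in groups):
            raise ValueError(f"bad dotted MAC: {mac}")
        return "".join(groups)
    if ":" in mac or "-" in mac:
        octets = re.split(r"[:-]", mac)
        if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
            raise ValueError(f"bad MAC: {mac}")
        return "".join(o.zfill(2) for o in octets)  # pad e.g. "3" -> "03"
    if re.fullmatch(r"[0-9a-f]{12}", mac):
        return mac
    raise ValueError(f"bad MAC: {mac}")


def asa_interface_macs(listing):
    """Set of normalized MACs owned by the ASA, from 'sh int | i MAC' output."""
    return {normalize_mac(m.group(1)) for m in re.finditer(r"MAC address (\S+),", listing)}


def parse_checkpoint_arp(table):
    """{ip: normalized_mac} from lines of the form 'ip mac age'."""
    entries = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries[parts[0]] = normalize_mac(parts[1])
    return entries


def parse_asa_arp(table):
    """{ip: normalized_mac} from lines of the form 'interface ip mac age'."""
    entries = {}
    for line in table.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            entries[parts[1]] = normalize_mac(parts[2])
    return entries


def find_hijacked_entries(neighbour_arp, asa_arp, asa_macs):
    """Return {ip: (mac_the_neighbour_sees, mac_the_asa_knows)} for every IP
    the neighbour resolves to one of the ASA's own interface MACs.

    A non-empty result on a segment where the ASA is not the gateway means
    the ASA is answering ARP for hosts it does not own (proxy ARP).
    """
    hijacked = {}
    for ip, mac in neighbour_arp.items():
        if mac in asa_macs:
            hijacked[ip] = (mac, asa_arp.get(ip))
    return hijacked


if __name__ == "__main__":
    result = find_hijacked_entries(
        parse_checkpoint_arp(CHECKPOINT_ARP),
        parse_asa_arp(ASA_ARP),
        asa_interface_macs(ASA_MAC_LISTING),
    )
    for ip, (seen, real) in result.items():
        print(f"{ip}: neighbour has ASA MAC {seen}, ASA's own ARP says host is {real}")
```

Run it on this sample and only 10.121.130.101 is reported, with the ASA MAC on the Checkpoint side and the real host MAC on the ASA side, which is the mismatch described in the post. In practice you would feed the full ARP dump from each firewall; any IP that lands in the result on a segment where the ASA is not the default gateway is a candidate for the fix the reply gives (disable proxy ARP on that interface and pin static ARP entries while both firewalls share the segment).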