
FSWM problem Large ARP table

diego.israel
Level 1

Hi.

I'm experiencing a problem in the FWSM at the company. The virtual context stops doing NATs suddenly and the servers behind it get no access to anything.

The firewall has several static policy NATs with port forwarding configured on the Inside interface, and we have figured out that the ARP table becomes really large and it's creating an entry for each host on the outside, that's a lot of hosts.

Example NAT:

access-list Lilian-Inside_nat_static_4 extended permit tcp host 192.168.5.118 eq www any

static (Lilian-Inside,Lilian-Outside) tcp LISIM-WAN 8080 access-list Lilian-Inside_nat_static_4

ARP TABLE:

Lilian-Outside 173.193.106.10 0024.c4c0.b980

Lilian-Outside 66.77.186.30 0024.c4c0.b980

Lilian-Outside 201.245.171.190 0024.c4c0.b980

Lilian-Outside 190.66.208.211 0024.c4c0.b980

Lilian-Outside 105.136.70.251 0024.c4c0.b980

... and the list continues up to 450 hosts at this moment.

Don't know the reason why the FW creates the Arp entries this way.

Please help and thank you in advance.


diego.israel
Level 1

Sorry, I mistyped the title, it should be FWSM

Hi,

Well, it seems each ARP entry has the same MAC address. Also, the MAC address belongs to a Cisco device.

Does the MAC address belong to some interface on the FWSM?

I guess the amount of ARP entries is due to some NAT configuration.

Do you only have one public IP address at your disposal? Are all public NAT configurations using the same IP address?

Is there some specific reason that you haven't done the above NAT configuration for example in the following way?

static (Lilian-Inside,Lilian-Outside) tcp LISIM-WAN 8080 192.168.5.118 80 netmask 255.255.255.255

- Jouni

Hi,

The MAC 0024.c4c0.b980 belongs to a Cisco 7600 router, the topology is like this:

Servers---FW---7609----INTERNET

                |

          Connection to office

There are 2 IPs available, and both of them are used with port forwarding.

The NATs are created that way by the ASDM.

We have realized that this context uses most of the CPU of the entire FWSM, so we limited the number of xlates allowed in order to avoid affecting performance on other contexts, but the problems with our customer continue.

Regards

danielalbertog
Level 1

Hi Diego

It seems a routing problem regardless to the default gateway.

Please look at the default gateway of your FWSM context.

Daniel Gómez
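
Added example, not part of any post in this thread: a small Python check that runs over ARP table output in the format pasted above and reports any MAC address that holds entries for hosts in many unrelated networks on one interface, which is the pattern the original post describes. The /16 grouping, the threshold of 3 networks and the extra 198.51.100.1 entry are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the five entries quoted in the thread, plus one
# made-up neighbour (198.51.100.1 / 0011.2233.4455) added for contrast.
SAMPLE_ARP = """\
Lilian-Outside 173.193.106.10 0024.c4c0.b980
Lilian-Outside 66.77.186.30 0024.c4c0.b980
Lilian-Outside 201.245.171.190 0024.c4c0.b980
Lilian-Outside 190.66.208.211 0024.c4c0.b980
Lilian-Outside 105.136.70.251 0024.c4c0.b980
Lilian-Outside 198.51.100.1 0011.2233.4455
"""

# interface name, dotted IPv4 address, Cisco-style dotted MAC
ARP_LINE = re.compile(
    r"^\s*(?P<ifname>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\b"
)

def parse_arp(text):
    """Yield (interface, IPv4Address, mac) for each well-formed line."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # blank lines, headers, "..." markers
        try:
            ip = ipaddress.IPv4Address(m["ip"])
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        yield m["ifname"], ip, m["mac"].lower()

def shared_mac_report(text, prefix_len=16, min_networks=3):
    """Map (interface, mac) to the sorted networks it holds entries for,
    keeping only MACs seen in at least min_networks distinct networks."""
    nets = defaultdict(set)
    for ifname, ip, mac in parse_arp(text):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[(ifname, mac)].add(net)
    return {k: sorted(v) for k, v in nets.items() if len(v) >= min_networks}

if __name__ == "__main__":
    for (ifname, mac), networks in shared_mac_report(SAMPLE_ARP).items():
        print(f"{ifname}: {mac} holds entries in {len(networks)} networks")
```

A MAC flagged this way is a neighbour answering ARP for addresses that are not on the connected segment, so its count is a quick way to track whether the table is still growing after a routing or NAT change.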
