12-20-2005 12:31 AM - edited 02-21-2020 12:36 AM
Good afternoon. I have a PIX 515E with 6 interfaces.
pix-firewall# sh ver
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)
Compiled on Wed 13-Aug-03 13:55 by morlee
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
The computers placed in the DMZ sometimes lose connection with each other. I have found the following problem: when a computer sends an ARP request, it receives an answer both from the intended computer and from the PIX.
IP address on the PIX interface (dmz): 172.21.35.1
Connectivity test from the computer with IP address 172.21.35.5, with a cleared ARP table:
ping 172.21.35.4
Pinging 172.21.35.4 with 32 bytes of data:
Reply from 172.21.35.4: bytes=32 time<1ms TTL=128
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.21.35.4:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
After ping:
>arp -a
Interface: 172.21.35.5 --- 0x10003
Internet Address Physical Address Type
172.21.35.1 00-0d-88-ef-23-29 dynamic
172.21.35.2 00-0d-60-ec-85-32 dynamic
172.21.35.4 00-0d-88-ef-23-29 dynamic
Very strange: the MAC addresses of .1 and .4 are identical.
Ethereal, running on the same computer:
No. Time Source Destination Protocol Info
1 0.000000 172.21.35.4 Broadcast ARP Who has 172.21.35.1? Tell 172.21.35.4
Frame 1 (106 bytes on wire, 106 bytes captured)
Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Info
2 1.381832 172.21.35.2 172.21.35.5 ARP Who has 172.21.35.5? Tell 172.21.35.2
Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 172.21.35.2 (00:0d:60:ec:85:32), Dst: 172.21.35.5 (00:11:25:a8:75:7e)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Info
3 1.381842 172.21.35.5 172.21.35.2 ARP 172.21.35.5 is at 00:11:25:a8:75:7e
Frame 3 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: 172.21.35.2 (00:0d:60:ec:85:32)
Address Resolution Protocol (reply)
No. Time Source Destination Protocol Info
4 2.754731 172.21.35.5 Broadcast ARP Who has 172.21.35.4? Tell 172.21.35.5
Frame 4 (42 bytes on wire, 42 bytes captured)
Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
No. Time Source Destination Protocol Info
5 2.754839 172.21.35.4 172.21.35.5 ARP 172.21.35.4 is at 00:11:25:57:f9:2c
Frame 5 (106 bytes on wire, 106 bytes captured)
Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: 172.21.35.5 (00:11:25:a8:75:7e)
Address Resolution Protocol (reply)
No. Time Source Destination Protocol Info
6 2.754968 172.21.35.1 172.21.35.5 ARP 172.21.35.4 is at 00:0d:88:ef:23:29
Frame 6 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 172.21.35.1 (00:0d:88:ef:23:29), Dst: 172.21.35.5 (00:11:25:a8:75:7e)
Address Resolution Protocol (reply)
On the PIX:
#debug arp
782: arp-in: request at dmz from 172.21.35.4 0011.2557.f92c for 172.21.35.1 0000.0000.0000
783: arp-set: added arp dmz 172.21.35.4 0011.2557.f92c
784: arp-in: generating reply from 172.21.35.1 000d.88ef.2329 to 172.21.35.4 0011.2557.f92c
793: arp-in: request at dmz from 172.21.35.5 0011.25a8.757e for 172.21.35.4 0000.0000.0000
794: arp-set: added arp dmz 172.21.35.5 0011.25a8.757e
795: arp-in: generating reply from 172.21.35.4 000d.88ef.2329 to 172.21.35.5 0011.25a8.757e
Why does the PIX send an answer to the ARP request?
12-20-2005 01:08 AM
Hi,
Maybe this is due to proxy ARP on the pix. You can try disabling it on that interface with the command "sysopt noproxyarp".
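An added example (not part of the original post or reply): a small Python check over the ARP reply lines from the capture above. It flags any IP answered with more than one MAC and any reply sent on behalf of another host, which is the pattern visible in frames 5 and 6. It assumes the Ethereal summary-line layout shown in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# ARP replies copied from the Ethereal summary lines in the post above.
CAPTURE = """\
3 1.381842 172.21.35.5 172.21.35.2 ARP 172.21.35.5 is at 00:11:25:a8:75:7e
5 2.754839 172.21.35.4 172.21.35.5 ARP 172.21.35.4 is at 00:11:25:57:f9:2c
6 2.754968 172.21.35.1 172.21.35.5 ARP 172.21.35.4 is at 00:0d:88:ef:23:29
"""

# Assumed layout: frame no, time, source, destination, "ARP", "<ip> is at <mac>".
REPLY = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ARP\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is at (?P<mac>[0-9a-fA-F:]{17})\s*$"
)

def parse_replies(text):
    """Yield (frame_no, sender, claimed_ip, mac) for each ARP reply line."""
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if m:
            yield int(m["no"]), m["src"], m["ip"], m["mac"].lower()

def find_conflicts(text):
    """Return {ip: [(frame, sender, mac), ...]} for IPs answered with >1 MAC."""
    by_ip = defaultdict(list)
    for frame, sender, ip, mac in parse_replies(text):
        by_ip[ip].append((frame, sender, mac))
    return {ip: r for ip, r in by_ip.items()
            if len({mac for _, _, mac in r}) > 1}

def third_party_answers(text):
    """Replies where the sender answers for an IP that is not its own."""
    return [(f, s, ip, mac) for f, s, ip, mac in parse_replies(text) if s != ip]

if __name__ == "__main__":
    for ip, replies in find_conflicts(CAPTURE).items():
        print(f"{ip} answered with multiple MACs:")
        for frame, sender, mac in replies:
            print(f"  frame {frame}: sender {sender} -> {mac}")
    for f, s, ip, mac in third_party_answers(CAPTURE):
        print(f"frame {f}: {s} answered for {ip} with {mac}")
```

The same two checks also fire on ARP spoofing, so a hit should be matched against known device MACs; here the extra answer carries the MAC the capture shows for 172.21.35.1, the PIX dmz interface.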