PIX 515E - DMZ adapter is replying to arp request, when it should not.

sdanielparc
Level 1

Hello.

Topology:

---------

PIX(dmz) - HUB - 2 servers(A + B).

Problem:

--------

Delay while accessing servers in dmz.

Explanations:

-------------

When I ping machine A from B, there is always a timeout on the first ICMP request. Plus, when I connect my laptop to the hub and try an arping on any IP address, I always get an ARP reply from the DMZ MAC address. True for ANY unused IP. It looks like the PIX is replying to any ARP request when it should not...

Here's the output of a packet capture (Ethereal) on the hub (you see a ping request from A to B).

No. Time     Source             Destination        Protocol Info
1   0.000000 CompaqCo_45:69:40  Broadcast          ARP      Who has 192.168.100.102? Tell 192.168.100.101
2   0.000045 Intel_97:10:e5     CompaqCo_45:69:40  ARP      192.168.100.102 is at 00:02:b3:97:10:e5
3   0.000101 192.168.100.101    192.168.100.102    ICMP     Echo (ping) request
4   0.000269 CompaqCo_1a:e7:04  CompaqCo_45:69:40  ARP      192.168.100.102 is at 00:80:5f:1a:e7:04
5   1.262365 192.168.100.101    192.168.100.102    ICMP     Echo (ping) request
6   1.262675 192.168.100.102    192.168.100.101    ICMP     Echo (ping) reply
7   1.919191 216.114.250.250    192.168.100.101    ICMP     Echo (ping) request
8   1.919277 192.168.100.101    216.114.250.250    ICMP     Echo (ping) reply
9   2.261836 192.168.100.101    192.168.100.102    ICMP     Echo (ping) request
10  2.262084 192.168.100.102    192.168.100.101    ICMP     Echo (ping) reply
11  3.261828 192.168.100.101    192.168.100.102    ICMP     Echo (ping) request
12  3.262074 192.168.100.102    192.168.100.101    ICMP     Echo (ping) reply

See? The PIX (00:02:b3:97:10:e5) shouldn't reply to the ARP request! It totally confuses the A server...

Any ideas?

Thanks!

2 Replies

scoclayton
Level 7

Hi,

You can disable proxy ARP on the PIX using the 'sysopt noproxyarp' command - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#1026942

However, it might be better to find the crux of the problem. Can you post a sanitized config for review? If you change the IP addresses, please make them consistent as this is what I am going to be looking at.

Scott

Thanks for your quick reply.

What I understand is that, by default, proxy ARP is enabled on my dmz interface?

If so, why is it replying to ARP requests for non-existent IP addresses everywhere on my network (not just dmz, but inside + outside)?

I read this in your URL:

"Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses"

Does it mean that currently my PIX thinks that there is "another" 192.168.100.102 host in my network (inside, outside)?

If so, here are my sanitized static, global and nat config lines:

global (outside) 1 (External1) netmask 255.255.255.248
global (dmz) 1 192.168.100.2-192.168.100.98
global (dmz) 1 192.168.100.99
nat (inside) 0 access-list 80
nat (inside) 1 192.168.200.0 255.255.255.0 0 0
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) (External2) (name1) netmask 255.255.255.255 0 0
static (inside,outside) (External3) (name2) netmask 255.255.255.255 0 0
static (inside,outside) (External4) (Name3) netmask 255.255.255.255 0 0
static (dmz,outside) (External5) (name4) netmask 255.255.255.255 0 0

Thanks!
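The quoted documentation says the PIX answers ARP on an interface for the addresses in that interface's static, global and nat 0 entries. As an added check (not part of the thread, not Cisco tooling), the script below parses the posted global and static lines and lists which entries cover a given address on a given interface, so the operator can see whether a DMZ address such as 192.168.100.102 falls inside any proxy-ARP scope; nat lines are skipped because the referenced access-list is not posted, and the sanitized (ExternalN) placeholders cannot be evaluated.

```python
import ipaddress
import re

# Sanitized PIX config lines copied from the post; "(ExternalN)" / "(nameN)"
# tokens are the poster's placeholders and are skipped by the parser.
PIX_CONFIG = """
global (outside) 1 (External1) netmask 255.255.255.248
global (dmz) 1 192.168.100.2-192.168.100.98
global (dmz) 1 192.168.100.99
nat (inside) 0 access-list 80
nat (inside) 1 192.168.200.0 255.255.255.0 0 0
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz,outside) (External2) (name1) netmask 255.255.255.255 0 0
"""

# global (ifc) id pool [netmask m]    -> PIX answers ARP for pool on ifc
# static (real,mapped) mapped real netmask m -> PIX answers ARP for mapped/m on mapped ifc
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def proxy_arp_scopes(config):
    """Return [(interface, config_line, contains)] where contains(ip) tells
    whether that line makes the PIX answer ARP for ip on that interface."""
    scopes = []
    for line in config.strip().splitlines():
        m = GLOBAL_RE.match(line)
        if m and not m.group(2).startswith("("):
            ifc, pool = m.groups()
            if "-" in pool:  # address range lo-hi
                lo, hi = (int(ipaddress.ip_address(x)) for x in pool.split("-"))
                scopes.append((ifc, line, lambda ip, lo=lo, hi=hi: lo <= int(ip) <= hi))
            else:  # single global address
                net = ipaddress.ip_network(pool)
                scopes.append((ifc, line, lambda ip, net=net: ip in net))
            continue
        m = STATIC_RE.match(line)
        if m and not m.group(3).startswith("("):
            _real_ifc, mapped_ifc, mapped, _real, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
            scopes.append((mapped_ifc, line, lambda ip, net=net: ip in net))
    return scopes


def arp_claimants(config, interface, ip):
    """Config lines that make the PIX answer ARP for ip on interface."""
    ip = ipaddress.ip_address(ip)
    return [line for ifc, line, contains in proxy_arp_scopes(config)
            if ifc == interface and contains(ip)]


if __name__ == "__main__":
    for line in arp_claimants(PIX_CONFIG, "dmz", "192.168.100.102"):
        print("dmz proxy-ARP scope covering 192.168.100.102:", line)
```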
