Turn off proxy arp replies for same subnet

tlessard1
Level 1

On a PIX-515 running 6(3)4 code, is there a way to prevent proxy arp responses for hosts on the same subnet? For example, one host wants to get to a website on another host on the same subnet. The first host sends a "who has" request and should get a response from the second host saying "me". What is happening intermittently is that the PIX is replying with its MAC address first. Is there a delay that can be inserted in the PIX's response, or turn it off completely for arp requests between hosts on the same subnet? I can't think of a reason why the PIX would respond.

Thanks in advance.

1 Reply

sysopt noproxyarp can disable proxy-ARPs on a PIX Firewall interface.

If you disable proxy-arp, then all this does is cause the PIX to ONLY respond to ARP requests for its interface address. Any ARP requests for a global IP in a static statement will be dropped.

If you disabled proxy-arp, then the upstream router (or device attempting to contact the global IP in the static statement) must either:

a) have a route to the global IP pointing to the PIX interface as the next hop

b) (if the global IP is on the same segment) then the device can use static ARP entries

Syed
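
To confirm the behaviour described in the question before and after changing the proxy-ARP setting, the following added example (not part of the original thread) scans ARP replies for IPs answered by more than one MAC and for MACs that answer on behalf of several IPs. The addresses, MACs and capture lines are constructed, and the line format is assumed to match `tcpdump -n arp` output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not a real capture).
# Assumed roles: 10.0.0.1 is the firewall interface, 10.0.0.20 is the web host
# on the same subnet, 10.0.0.10 is the client sending the requests.
SAMPLE = """\
12:00:01.000100 ARP, Request who-has 10.0.0.20 tell 10.0.0.10, length 46
12:00:01.000350 ARP, Reply 10.0.0.20 is-at 00:aa:00:00:00:01, length 46
12:00:01.000900 ARP, Reply 10.0.0.20 is-at 00:bb:00:00:00:20, length 46
12:00:05.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.10, length 46
12:00:05.000300 ARP, Reply 10.0.0.1 is-at 00:aa:00:00:00:01, length 46
12:00:09.000100 ARP, Request who-has 10.0.0.30 tell 10.0.0.10, length 46
12:00:09.000400 ARP, Reply 10.0.0.30 is-at 00:bb:00:00:00:30, length 46
"""

REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def analyze(text):
    """Return (contested, proxies).

    contested: {ip: [macs in order of first reply]} for IPs answered by >1 MAC
    proxies:   {mac: sorted ips} for MACs that answered for >1 IP
    """
    macs_by_ip = defaultdict(list)
    ips_by_mac = defaultdict(set)
    for line in text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue  # requests and unrelated lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in macs_by_ip[ip]:
            macs_by_ip[ip].append(mac)
        ips_by_mac[mac].add(ip)
    contested = {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}
    proxies = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return contested, proxies


if __name__ == "__main__":
    contested, proxies = analyze(SAMPLE)
    for ip, macs in contested.items():
        print(f"{ip} answered by multiple MACs: {', '.join(macs)}")
    for mac, ips in proxies.items():
        print(f"{mac} answers for {', '.join(ips)}: proxy-ARP candidate")
```

A MAC that appears in both results is the device answering for a neighbour's address; once proxy ARP is disabled on that interface, the same capture should show only one responder per IP.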
