05-08-2003 05:39 AM - edited 03-02-2019 07:11 AM
Hi. We have some switches linked together to form a DMZ with a variety of hosts and two PIX firewalls connected. If we try to ping a host from the switch it is attached to, the ping fails. When the arp cache is viewed, the entry for the server IP address references the mac address of a PIX interface on another switch and not the server itself. The mac address table contains the correct mac address port entry. Any idea why the PIX appears to be responding to the arp request? Our Security Team cannot explain it. Thanks.
05-08-2003 09:09 AM
1. Verify that the switch's IP address and subnet mask are consistent with the address/mask combination on the server(s).
2. Verify that the ports that the servers are connected to are in the same VLAN as the VLAN in the switch that has the IP address assigned to it.
HTH.
Mark
05-08-2003 06:06 PM
These sound like symptoms of 'ip local proxy-arp', but I don't know if PIX's even support this feature.
05-09-2003 01:48 PM
try this:
no sysopt noproxyarp
on your pix.
05-13-2003 03:39 AM
If the PIX does proxy-ARP this is due to a static statement on the PIX. Probably you have a static statement which is overlapping with the IP subnet numbering on your lower and higher level interfaces. The command no sysopt proxyarp (if-name) will in fact disable the Proxy-ARP, although this should not be the proper action. Proper configuration of your PIX will prevent the PIX from doing proxy-ARP for addresses for which it should not.
If you send me your PIX config and what you want to achieve, I believe I can help you out (clear passwords and stuff from the config first :-))
Regards,
Leo
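As an added diagnostic (not part of the thread, and not a Cisco tool), the script below parses a constructed sample of IOS `show arp` output and flags the symptom described above: a single MAC, here the PIX DMZ interface, answering ARP for several host addresses on one VLAN. The address layout, MACs and interface names are all assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample "show arp" output from an IOS switch (not from the thread).
# 10.1.1.1 is the PIX DMZ interface; 10.1.1.10/.11 are servers on this switch
# whose ARP entries wrongly carry the PIX MAC; 10.1.1.12 resolves correctly;
# 10.1.1.254 (age '-') is the switch's own SVI address.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                0   0003.e3aa.bb01  ARPA   Vlan10
Internet  10.1.1.10               2   0003.e3aa.bb01  ARPA   Vlan10
Internet  10.1.1.11               5   0003.e3aa.bb01  ARPA   Vlan10
Internet  10.1.1.12               1   0011.2233.4455  ARPA   Vlan10
Internet  10.1.1.254              -   000a.b7cc.dd10  ARPA   Vlan10
"""

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+ARPA\s+(\S+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Parse 'show arp' lines into {ip: (mac, age, interface)}."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            entries[ip] = (mac.lower(), age, iface)
    return entries


def find_shared_macs(entries):
    """Return {mac: [ips]} for MACs that answer for more than one IP.
    The switch's own addresses (age '-') are skipped; other IPs sharing a
    MAC on one VLAN are the proxy-ARP signature the thread describes."""
    by_mac = defaultdict(list)
    for ip, (mac, age, _iface) in entries.items():
        if age != "-":
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def hosts_answered_by(entries, firewall_ip):
    """List hosts whose ARP entry carries the firewall interface's MAC."""
    fw_mac = entries[firewall_ip][0]
    return sorted(ip for ip, (mac, _a, _i) in entries.items()
                  if mac == fw_mac and ip != firewall_ip)


if __name__ == "__main__":
    arp = parse_arp(SHOW_ARP)
    for mac, ips in find_shared_macs(arp).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    print("hosts proxied by the PIX:", hosts_answered_by(arp, "10.1.1.1"))
```

Any host listed by `hosts_answered_by` is one whose traffic the PIX will attract; that list is what to compare against the PIX static statements Leo mentions.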