453 Views | 0 Helpful | 4 Replies

ARP request on PIX-515E

santipongv (Level 1)

I tried to implement AAA on a switch, which is sitting behind a firewall. Below is the config added to the firewall allowing communication between the CiscoSecure ACS server and the switch.

name 192.168.202.4 ciscosecure-elynx-out
name 192.168.202.5 alex-2950
object-group network network-devices
 network-object host alex-2950
object-group service to-ciscosecure-tcp tcp
 port-object eq tacacs
access-list in-from-elynx permit tcp host alex-2950 gt 1023 host ciscosecure-elynx-out object-group to-ciscosecure-tcp
static (inside,elynx) alex-2950 alex-2950 netmask 255.255.255.255 0 128
static (inside,elynx) ciscosecure-elynx-out cisco-secure netmask 255.255.255.255 0 128

With the above firewall configuration statements, I keep getting ARP requests but no reply.

PYTHON#
05:29:31.422844 arp who-has ciscosecure-ely tell alex-2950
05:29:33.422982 arp who-has ciscosecure-ely tell alex-2950
05:29:36.435997 arp who-has ciscosecure-ely tell alex-2950
05:29:38.438774 arp who-has ciscosecure-ely tell alex-2950
05:29:44.512363 arp who-has ciscosecure-ely tell alex-2950
05:29:46.510441 arp who-has ciscosecure-ely tell alex-2950
05:29:48.990351 arp who-has ciscosecure-ely tell alex-2950
05:29:51.513096 arp who-has ciscosecure-ely tell alex-2950
05:29:53.510212 arp who-has ciscosecure-ely tell alex-2950

As a result, I am unable to log in to the switch with TACACS credentials, only with local credentials.

I would like to know what I am missing here. Your advice would be greatly appreciated. Thank you in advance.

Best regards,

Santi
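The capture above shows the classic "who-has with no is-at" pattern: the switch keeps asking for the ACS server's address and nothing on that segment answers. As an added example (not part of the thread and not Cisco code), the script below pairs tcpdump-style ARP requests with replies, flags targets that were asked for repeatedly and never answered, and checks whether each target is inside the requester's own subnet, which is what decides whether a host ARPs for the target directly (as alex-2950 does here) or for its default gateway. The name-to-address map comes from the PIX `name` statements in the post; mapping the truncated label `ciscosecure-ely` to the same address is an assumption, and the gateway request/reply pair in the sample is constructed so that the pairing logic has something to match. The requester address and /29 mask are those of Vlan5 in the switch config posted later in the thread.

```python
"""Detect unanswered ARP requests in a tcpdump-style capture and report
whether each silent target is on-link for the requester (added example)."""
import ipaddress
import re
from collections import defaultdict

# tcpdump prints "HH:MM:SS.usec arp who-has <target> tell <sender>" for a
# request and "HH:MM:SS.usec arp reply <target> is-at <mac>" for a reply.
REQUEST_RE = re.compile(r"^(\S+) arp who-has (\S+) tell (\S+)$")
REPLY_RE = re.compile(r"^(\S+) arp reply (\S+) is-at (\S+)$")

# Name-to-address map built from the PIX "name" statements in the post.
# The capture shows the first name truncated to "ciscosecure-ely"; mapping
# that truncated form to the same address is an assumption of this example.
NAMES = {
    "ciscosecure-elynx-out": "192.168.202.4",
    "ciscosecure-ely": "192.168.202.4",
    "alex-2950": "192.168.202.5",
}

# Constructed sample: the nine unanswered requests from the post, plus one
# constructed request/reply pair for the gateway so the pairing is visible.
SAMPLE_LOG = """\
05:29:31.422844 arp who-has ciscosecure-ely tell alex-2950
05:29:33.422982 arp who-has ciscosecure-ely tell alex-2950
05:29:36.435997 arp who-has ciscosecure-ely tell alex-2950
05:29:38.438774 arp who-has ciscosecure-ely tell alex-2950
05:29:40.000000 arp who-has 192.168.202.1 tell alex-2950
05:29:40.000412 arp reply 192.168.202.1 is-at 00:00:0c:aa:bb:cc
05:29:44.512363 arp who-has ciscosecure-ely tell alex-2950
05:29:46.510441 arp who-has ciscosecure-ely tell alex-2950
05:29:48.990351 arp who-has ciscosecure-ely tell alex-2950
05:29:51.513096 arp who-has ciscosecure-ely tell alex-2950
05:29:53.510212 arp who-has ciscosecure-ely tell alex-2950
"""


def resolve(label):
    """Map a tcpdump host label to an address; bare addresses pass through."""
    return NAMES.get(label, label)


def parse_arp_log(text):
    """Return (requests, replies): requests counts who-has lines per
    (target, sender) pair; replies maps each answering target to its MAC."""
    requests = defaultdict(int)
    replies = {}
    for line in text.splitlines():
        line = line.strip()
        m = REQUEST_RE.match(line)
        if m:
            _, target, sender = m.groups()
            requests[(resolve(target), resolve(sender))] += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            _, target, mac = m.groups()
            replies[resolve(target)] = mac
    return dict(requests), replies


def unanswered(requests, replies, min_requests=3):
    """Targets asked for at least min_requests times with no reply at all."""
    return sorted(
        (target, sender, n)
        for (target, sender), n in requests.items()
        if target not in replies and n >= min_requests
    )


def on_link(requester_ip, netmask, target_ip):
    """True when target_ip falls inside the requester's connected subnet,
    i.e. the requester will ARP for the target itself, not for its gateway."""
    net = ipaddress.ip_network(f"{requester_ip}/{netmask}", strict=False)
    return ipaddress.ip_address(target_ip) in net


def report(text, requester_ip, netmask):
    """One row per silent target: who asked, how often, and whether the
    requester considers the target directly connected."""
    requests, replies = parse_arp_log(text)
    return [
        {"target": target, "sender": sender, "requests": n,
         "on_link": on_link(requester_ip, netmask, target)}
        for target, sender, n in unanswered(requests, replies)
    ]


if __name__ == "__main__":
    # Vlan5 on the switch: 192.168.202.5 255.255.255.248 (from the thread).
    for row in report(SAMPLE_LOG, "192.168.202.5", "255.255.255.248"):
        print(row)
```

A row with `on_link: True` and no reply means the requester is correct to ARP directly and whoever is supposed to own that address on the requester's segment (for a PIX `static`, the firewall interface facing the switch) is not answering there; a row with `on_link: False` would instead point at a subnet-mask or default-gateway problem on the requester.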

4 Replies

subaa (Level 1)

Hi,

It's not a PIX config issue. It seems the switch port connecting to the PIX is not in the admin VLAN. Since it's a 2950 switch, its Layer 3 capability is limited to the admin VLAN only, so it will not answer ARP requests on any access ports in a different VLAN. If you want to implement it this way and there should be only one VLAN for all internal hosts, you should put all hosts in the same VLAN, which is the admin VLAN. But I don't recommend that...

Instead, create a separate management VLAN on the switch(es), and route the user and management VLANs on the inside. This router or Layer 3 switch has at least two interfaces: one for the internal hosts' IP range, and one for the management VLAN IP address range. And put a route on the PIX for the switch management IP address range pointing to this L3 interface IP address.

A_a

Hi Attila,

Below is the config on the switch.

interface FastEthernet0/9
 description Python elynx interface 192.168.202.1
 switchport access vlan 5
 switchport mode access
 no ip address
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 description
 ip address 192.168.202.9 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip route-cache
 shutdown
!
interface Vlan5
 description alex-2950
 ip address 192.168.202.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 192.168.202.1
no ip http server
ip tacacs source-interface Vlan5

The switch port connecting to the PIX is in the admin VLAN. The default admin VLAN 1 changed to admin down automatically when I created VLAN 5 as a management VLAN.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    VLAN0002                         active    Fa0/1, Fa0/2, Fa0/5, Fa0/11
3    VLAN0003                         active    Fa0/3, Fa0/4
4    VLAN0004                         active    Fa0/6, Fa0/7
5    XXXXX                            active    Fa0/9, Fa0/10, Fa0/12
12   XXXXX                            active    Fa0/22, Fa0/23, Fa0/24
13   XXXXX                            active    Fa0/8, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21

VTP Operation Mode: Server

Please kindly advise. Thank you.

Regards,

Santi

Hi,

try:

interface Vlan5
 ip proxy-arp

Attila Suba

Hi Attila:

It still doesn't work.

interface Vlan5
 description alex-2950
 ip address 192.168.202.5 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip route-cache

alex-2950#login
User Access Verification
Password:

Best regards,

Santi
