09-22-2004 09:48 AM - edited 03-09-2019 08:51 AM
We are using a PIX 501 and we have seen some very strange behaviour that I cannot explain and have never seen mentioned anywhere. We have many instances of the following on our firewall:
access-list 100 permit tcp any host 216.x.x.x eq www
static (inside,outside) 216.x.x.x 10.10.10.10 netmask 255.255.255.255 0 0
alias (inside) 10.10.10.10 216.x.x.x 255.255.255.255
216.x.x.x is a registered domain name. Everything about this works fine with one exception. Whenever a server on the inside of the firewall does a DNS lookup on the name, it is given the correctly aliased internal IP address. However, as soon as this happens, the entry in the ARP table on the requesting server (Win 2K Server) for the named server becomes set to the MAC address of the firewall instead of the correct MAC address of the server. This means that this server cannot participate in the network any longer. To solve this we are forced to execute a static ARP mapping for any server with an alias on all servers in our network.
Anyone have any idea why this happens?
09-22-2004 10:40 AM
You probably need to disable proxy arp on the interface?
sysopt noproxyarp inside
09-22-2004 12:27 PM
I tried this and it worked perfectly. I appreciate the help. Until I understood what it was doing I was pulling my hair out!
Thanks very much for the help.
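A way to check inside hosts for the symptom described in this thread, before and after applying `sysopt noproxyarp inside`: the script below is an added example, not code from any poster, and it flags inside-subnet addresses whose ARP entry carries the firewall's MAC. The firewall inside address 10.10.10.1, the /24 subnet, the MAC addresses and the `arp -a` sample are all constructed assumptions.

```python
import ipaddress
import re

# Constructed `arp -a` output from a Windows server on the inside network.
# Addresses and MACs are made up; 10.10.10.1 is ASSUMED to be the PIX inside interface.
SAMPLE_ARP = """\
Interface: 10.10.10.20 on Interface 0x1000003
  Internet Address      Physical Address      Type
  10.10.10.1            00-0d-bc-aa-bb-cc     dynamic
  10.10.10.10           00-0d-bc-aa-bb-cc     dynamic
  10.10.10.11           00-50-56-11-22-33     dynamic
  10.10.10.12           00-50-56-44-55-66     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {ip: (mac, type)} from Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def proxy_arp_victims(text, firewall_ip, inside_net):
    """List inside-subnet IPs whose ARP entry points at the firewall's MAC."""
    table = parse_arp(text)
    if firewall_ip not in table:
        raise ValueError(f"no ARP entry for firewall {firewall_ip}; ping it first")
    fw_mac = table[firewall_ip][0]
    net = ipaddress.ip_network(inside_net)
    return sorted(
        ip for ip, (mac, _kind) in table.items()
        if ip != firewall_ip
        and mac == fw_mac
        and ipaddress.ip_address(ip) in net
    )

if __name__ == "__main__":
    for ip in proxy_arp_victims(SAMPLE_ARP, "10.10.10.1", "10.10.10.0/24"):
        print(f"{ip} is mapped to the firewall's MAC in this host's ARP table")
```

An empty result after the change, once stale dynamic entries have aged out or been cleared with `arp -d`, indicates the hosts are resolving the real server MACs again.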