04-03-2003 02:00 AM - edited 03-09-2019 02:45 AM
I have 3 hosts on a DMZ interface on a PIX515. The hosts need to access each other for various applications. When initiating a session from one host to another, the PIX blocks the conversation with an error stating no xlate. I have put this down to the PIX proxy ARPing for the DMZ hosts. Why is this? I know I can disable proxy ARP with the sysopt command, but is this the correct behaviour?
04-03-2003 08:39 AM
1) Pix will only proxy arp if you have static, nat or alias commands configured. I suggest that you check your config for overlapping addresses.
2) If host A already has the MAC address of host B, it will not send packets to the default gateway unless the destination address is not on the same subnet, so I suggest that you also check the subnet masks on the DMZ hosts.
I hope this helps.
Thanks,
Syed
04-07-2003 03:31 AM
I do have a static entry for the hosts on the DMZ for access from the internet. I thought this would cause the PIX to proxy arp on the outside interface not the DMZ. (The outside access works fine, as does inside to DMZ, the only issue being DMZ host to DMZ host.)
04-07-2003 05:02 AM
Hi - I don't know if you have looked at the following document:
http://www.cisco.com/warp/public/707/28.html
It does mention your issue with DMZ to DMZ access, hope it helps.
Regards,
Jay.
04-29-2003 06:24 AM
Hi there,
In fact you will just need two separate static statements (or more, if more addresses are used). The first one will do the translation from outside to DMZ and also provide the needed proxy-ARP for this translation. It could look something like this:
static (dmz, outside) 62.229.98.1 10.1.1.1 netmask 255.255.255.255
The other one will provide the translation from the DMZ if packets travel to the inside (you also need this static translation even if no translation is in fact taking place). The command used could look something like this:
static (inside, dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
This sample config would work. The problem which you describe probably has to do with overlapping between these two static commands. If you change the second static, for example to the following:
static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
then you would have the problem occurring which you describe, namely that the dmz interface will try to proxy-ARP even for the servers placed on the dmz segment, because they simply belong to the range 10.0.0.0/8, which is static translated (and thus proxy-ARPed).
I had the same problem once and this was the issue.
To be complete in this solution, although this option is not recommended, you can always use the following command to prevent proxy-ARP on the dmz interface:
sysopt noproxyarp dmz
This command will stop all proxy-ARP on the dmz interface only, so you have to take care with using this. Hope this helps.
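An added check for the overlap described in the post above (not part of the thread, and not Cisco tooling): it parses PIX-style static lines from a constructed config fragment and flags any static whose mapped range on an interface covers hosts that physically sit on that interface, which is exactly the condition that makes the PIX proxy-ARP for its own DMZ servers. The config text, interface names and host addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed PIX 6.x config fragment mirroring the post: a correct
# outside<->dmz static and an over-broad inside<->dmz static (10.0.0.0/8).
PIX_CONFIG = """\
static (dmz, outside) 62.229.98.1 10.1.1.1 netmask 255.255.255.255
static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
"""

# static (real_if, mapped_if) mapped_addr real_addr netmask mask
STATIC_RE = re.compile(
    r"static\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_statics(config):
    """Return (real_if, mapped_if, mapped_network) for every static line.

    The mapped address/netmask is the range the PIX answers ARP for on
    mapped_if, so that is the range to compare against the hosts there."""
    statics = []
    for m in STATIC_RE.finditer(config):
        net = ipaddress.ip_network(f"{m['mapped']}/{m['mask']}", strict=False)
        statics.append((m["real_if"], m["mapped_if"], net))
    return statics


def proxy_arp_conflicts(config, interface, hosts):
    """Return statics whose mapped range on `interface` covers any host that is
    directly attached to that interface (the DMZ-to-DMZ 'no xlate' case)."""
    conflicts = []
    for real_if, mapped_if, net in parse_statics(config):
        if mapped_if != interface:
            continue
        covered = [h for h in hosts if ipaddress.ip_address(h) in net]
        if covered:
            conflicts.append((real_if, mapped_if, str(net), covered))
    return conflicts


# Constructed addresses for the three DMZ servers from the question.
DMZ_HOSTS = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]

if __name__ == "__main__":
    for c in proxy_arp_conflicts(PIX_CONFIG, "dmz", DMZ_HOSTS):
        print("proxy-ARP overlap:", c)
```

Narrowing the second static back to 10.10.0.0/16, as the post suggests, makes the check return no conflicts.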
04-07-2003 06:26 AM
Hi,
Is it possible to post the static commands you are using, together with the IP addresses and netmasks of the servers on the DMZ?
Kind Regards,
Tom