proxy-arp for routing

suthomas1
Level 6

Hi,

The setup is attached as a rough topology here.

There are servers in 192.168.100.0/24 behind the Cisco 2960. There is a hub which connects all other components in the network,

i.e. the hub has connections from the 2960, a 2611 router, and a Netscreen firewall.

The internet has a destination ip 202.67.54.23 which the users need to access for some application.

Cisco 2960 & Cisco 2611 are running ospf. Any traffic bound for above internet ip is routed towards the 2611 router 192.168.100.15.

The 2611 router has a static route towards this public ip pointing the next hop as Netscreen firewall 192.168.100.5.

The netscreen , 2611 and 2960 are all connected to the hub.

Now, the plan was to remove the Netscreen firewall and insert a second-tier Juniper firewall below the Cisco firewall (that is the highlighted, circled portion).

This new Juniper firewall will be acting as the link to route the traffic towards the internet bound ip 202.67.54.23 for the servers on 192.168.100.0/24.

To achieve this, the route on the 2611 router for this public destination was changed to point towards the new firewall 192.168.100.55 and existing route towards 192.168.100.5(netscreen) was removed.

After this, when we test the connections from any server, the next hop still points to the 192.168.100.5 Netscreen firewall. We removed this route from the router and inserted the new route, but tracert from the servers still shows the old one.

I suspect some proxy-arp issues in one of these components. Experts, please help to find if this is the issue and how to find the same.

Thanks in advance!

8 Replies

Reza Sharifi
Hall of Fame

Hi,

From the drawing, it seems that all devices are in the same subnet, is that correct? If yes, is the 2611 in bridge mode?

Yes, all of these devices share a common subnet 192.168.100.x/24, apart from a few other subnets.

The 2611 runs OSPF and doesn't look to be in bridging mode.

Thanks.

It seems that your firewall, router and hosts (servers) are on the same IP subnet. What is the purpose of using the 2611 if it has to forward all the traffic to the firewall (which also exists on the same IP subnet)? Your servers can send traffic directly to the firewall. Try "no ip redirect" and disable proxy-ARP on the router and Netscreen devices.

thanks!

We are not certain what the 2611 is actually used for, since all are on the same subnet. This was what was handed over to me, so for now I need to figure this out with some help.

A few queries here:

1. How would the servers directly send traffic to the firewall? Is it from ARP?

2. The "no ip redirect" and proxy-ARP commands: are they global or interface-level commands on the router?

3. Any idea where in the Netscreen I can disable both of these?

Thanks!
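As an added illustration of the first two questions (this is example code, not something from the thread or from Cisco), the small model below replays what a server with the 2611 as default gateway sees when the router answers with ICMP redirects. The addresses of the 2611 (192.168.100.11), the Netscreen (192.168.100.5), the Juniper (192.168.100.55) and the destination (202.67.54.23) are the thread's; the server address 192.168.100.20 and the 300-second redirect cache lifetime are constructed assumptions.

```python
"""Model of ICMP redirect behaviour on a single LAN (RFC 792 / RFC 1812).

Added example, not code from the thread. Router, firewall and destination
addresses come from the thread; the server address 192.168.100.20 and the
300-second redirect cache lifetime are constructed."""
import ipaddress


class Router:
    """Router with one LAN interface. Forwards by longest-prefix match and,
    while 'ip redirects' is enabled, sends an ICMP redirect whenever the
    packet would leave by the interface it arrived on."""

    def __init__(self, lan, own_ip, redirects=True):
        self.lan = ipaddress.ip_network(lan)
        self.ip = ipaddress.ip_address(own_ip)
        self.redirects = redirects
        self.routes = {}  # ip_network -> next-hop ip_address

    def set_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = ipaddress.ip_address(next_hop)

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(p, nh) for p, nh in self.routes.items() if dst in p]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

    def forward(self, src, dst):
        """Return (next_hop, redirect). redirect is the address the router
        tells the sender to use directly next time, or None."""
        nh = self.lookup(dst)
        src = ipaddress.ip_address(src)
        # Simplified RFC 1812 5.2.7.2 rule: sender and next hop are both on
        # the LAN the packet came in on, so the router is only a detour.
        same_lan = nh is not None and src in self.lan and nh in self.lan
        return nh, (nh if self.redirects and same_lan else None)


class Host:
    """Server with a static default gateway and a per-destination redirect
    cache; the cached entry is what tracert reports as the first hop."""

    def __init__(self, ip, gateway, redirect_ttl=300):
        self.ip, self.gateway, self.redirect_ttl = ip, gateway, redirect_ttl
        self.cache = {}  # dst -> (next_hop, expiry)

    def send(self, dst, router, now):
        """Return the next hop this packet is handed to."""
        entry = self.cache.get(dst)
        if entry and entry[1] > now:
            return entry[0]  # cached redirect: the router's table is not consulted
        _, redirect = router.forward(self.ip, dst)
        if redirect is not None:
            self.cache[dst] = (str(redirect), now + self.redirect_ttl)
        return self.gateway


def replay(redirects_on=True):
    """Next hop the server uses for each packet, before and after the
    2611's static route is repointed from the Netscreen to the Juniper."""
    r = Router("192.168.100.0/24", "192.168.100.11", redirects=redirects_on)
    r.set_route("202.67.54.23/32", "192.168.100.5")     # original static route
    server = Host("192.168.100.20", "192.168.100.11")   # constructed server
    dst = "202.67.54.23"
    path = [server.send(dst, r, now=0),                 # first packet via the 2611
            server.send(dst, r, now=1)]                 # redirect is now cached
    r.set_route("202.67.54.23/32", "192.168.100.55")    # route repointed on the 2611
    path.append(server.send(dst, r, now=2))             # still the cached hop
    path.append(server.send(dst, r, now=301))           # cache expired: via 2611 again
    path.append(server.send(dst, r, now=302))           # new redirect learned
    return path


if __name__ == "__main__":
    print("ip redirects   :", replay(True))
    print("no ip redirects:", replay(False))
```

With redirects enabled the third packet still goes to 192.168.100.5 although the router's route already points at 192.168.100.55; the server only relearns the path once its cached entry expires or its route cache is flushed. With redirects disabled every packet traverses the router and follows whatever its table currently says. In IOS both "no ip redirects" and "no ip proxy-arp" are configured under the interface, not globally. The model leaves ARP out: proxy ARP only comes into play when a host believes the destination is on-link and ARPs for it.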

You have two firewalls, Juniper and Cisco, on your way to the internet (you may know the reason for this setup). Juniper's IP address 192.168.100.55 could be the default gateway for the servers, as this is the firewall taking servers to the internet also (as per diagram). If the 2611 is connected to other subnets then you may check its config for the other subnets and either use static routes on servers for those subnets or connect the 2611 to the Juniper and use the Juniper to route traffic to the 2611 for those subnets. You may disable proxy-arp and ICMP redirect under interfaces. I don't use Netscreen. Please check the 2611 config carefully if it is being used for any other purpose other than sending traffic to the FW. You may put the 2611 before the Juniper also if the situation permits.

You may look into the following topologies.

Servers-->Juniper FW-->Cisco FW-->Internet
              |
          Cisco 2611

OR

Servers-->2611-->Juniper FW-->Cisco FW-->Internet

The 2611 ip address 192.168.100.11 is the gateway for all servers. The 2611 then routes the internet ip bound traffic to the netscreen 192.168.100.5.

In this case, why is the route not going the correct way.

Can you forward the config of 2611 and o/p of sh ip route also?

Please forward the tracert from Server also.

Thanks!

Hi,

I have removed the other portions from the configuration for privacy reasons. Let me know if any other data is needed.

interface Ethernet0
 ip address 192.168.100.11
 bridge-group 1
!
interface Dialer4
 no ip address
 no cdp enable
!
router eigrp 11
 redistribute static metric 10000 100 255 1 1500
 network 10.0.0.0
 no auto-summary
!
ip classless
ip route 202.67.54.23 255.255.255.255 192.168.100.5
ip route 203.107.220.132 255.255.255.255 192.168.100.5
ip route 203.120.17.0 255.255.255.0 192.168.100.5
ip route 203.120.23.0 255.255.255.0 192.168.100.5
ip route 203.143.139.132 255.255.255.255 192.168.100.5
ip route 209.95.224.133 255.255.255.255 192.168.100.5
ip route 209.95.228.33 255.255.255.255 192.168.100.5
ip route 210.55.211.70 255.255.255.255 192.168.100.5
ip route 210.177.52.51 255.255.255.255 192.168.100.5
ip route 218.111.46.70 255.255.255.255 192.168.100.5
!
dialer-list 1 protocol ip permit
bridge 1 protocol dec
!

============================================

     218.111.46.0/32 is subnetted, 1 subnets
S       218.111.46.70 [1/0] via 192.168.100.5
S       203.49.166.228 [1/0] via 192.168.100.5
     210.55.211.0/32 is subnetted, 1 subnets
S       210.55.211.70 [1/0] via 192.168.100.5
S    203.120.23.0/24 [1/0] via 192.168.100.5
     202.76.4.0/32 is subnetted, 1 subnets
S       202.67.54.23 [1/0] via 192.168.100.5
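The pasted config and routing table can be checked mechanically against each other. The script below is an added example (not from the thread or from Cisco): it parses the "ip route" lines of a running-config and the "S" entries of "show ip route", then reports which destinations each view still sends to a given next hop. The sample lines are the ones posted above; the parser treats a RIB entry printed without a mask as a host route (/32), which is a simplification of IOS output, where the length really comes from the preceding "is subnetted" line.

```python
"""Audit static routes pasted from a Cisco IOS router.

Added example, not code from the thread. Parses 'ip route' config lines and
'S' lines of 'show ip route' and compares where each sends a destination.
Sample text below is copied from the post; the /32 default for mask-less
RIB entries is a simplifying assumption."""
import ipaddress
import re

# Constructed from the configuration posted above (non-route lines kept to
# show the parser skips them).
CONFIG = """\
ip classless
ip route 202.67.54.23 255.255.255.255 192.168.100.5
ip route 203.107.220.132 255.255.255.255 192.168.100.5
ip route 203.120.17.0 255.255.255.0 192.168.100.5
ip route 203.120.23.0 255.255.255.0 192.168.100.5
ip route 203.143.139.132 255.255.255.255 192.168.100.5
ip route 209.95.224.133 255.255.255.255 192.168.100.5
ip route 209.95.228.33 255.255.255.255 192.168.100.5
ip route 210.55.211.70 255.255.255.255 192.168.100.5
ip route 210.177.52.51 255.255.255.255 192.168.100.5
ip route 218.111.46.70 255.255.255.255 192.168.100.5
!
dialer-list 1 protocol ip permit
"""

# Constructed from the 'sh ip route' output posted above.
SHOW_IP_ROUTE = """\
     218.111.46.0/32 is subnetted, 1 subnets
S       218.111.46.70 [1/0] via 192.168.100.5
S       203.49.166.228 [1/0] via 192.168.100.5
     210.55.211.0/32 is subnetted, 1 subnets
S       210.55.211.70 [1/0] via 192.168.100.5
S    203.120.23.0/24 [1/0] via 192.168.100.5
     202.76.4.0/32 is subnetted, 1 subnets
S       202.67.54.23 [1/0] via 192.168.100.5
"""

CONFIG_ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")
RIB_STATIC = re.compile(r"^S\s+(\S+) \[(\d+)/(\d+)\] via (\S+)")


def prefix_from_mask(addr, mask):
    """'202.67.54.23', '255.255.255.255' -> '202.67.54.23/32'."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def config_static_routes(text):
    """Map prefix -> next hop from 'ip route' lines of a running-config."""
    routes = {}
    for line in text.splitlines():
        m = CONFIG_ROUTE.match(line.strip())
        if m:
            addr, mask, nh = m.groups()
            routes[prefix_from_mask(addr, mask)] = nh
    return routes


def rib_static_routes(text):
    """Map prefix -> next hop from the 'S' lines of 'show ip route'."""
    routes = {}
    for line in text.splitlines():
        m = RIB_STATIC.match(line)
        if m:
            dst, _ad, _metric, nh = m.groups()
            if "/" not in dst:
                dst += "/32"  # assumption: mask-less entries are host routes
            routes[dst] = nh
    return routes


def routes_via(routes, next_hop):
    """Prefixes whose next hop is next_hop, sorted for stable output."""
    return sorted(p for p, nh in routes.items() if nh == next_hop)


def audit(config_text, rib_text, old_hop, destination):
    """Compare config and RIB: what still points at old_hop, and where
    each view sends the host route for destination."""
    cfg = config_static_routes(config_text)
    rib = rib_static_routes(rib_text)
    key = f"{destination}/32"
    return {
        "config_via_old_hop": routes_via(cfg, old_hop),
        "rib_via_old_hop": routes_via(rib, old_hop),
        "config_hop_for_destination": cfg.get(key),
        "rib_hop_for_destination": rib.get(key),
        "rib_matches_config": cfg.get(key) == rib.get(key),
    }


if __name__ == "__main__":
    for k, v in audit(CONFIG, SHOW_IP_ROUTE, "192.168.100.5", "202.67.54.23").items():
        print(f"{k}: {v}")
```

Run against the posted lines, both views still resolve 202.67.54.23 to 192.168.100.5, and every static route in the config points there; swapping in a fresh "show running-config" and "show ip route" after a change shows immediately whether the repointed route actually made it into the running configuration and the RIB.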
