[c-nsp] ASA replying to ARP packets for other hosts...

Jonathan Charles jonvoip at gmail.com
Tue Sep 5 15:29:10 EDT 2006


The switch on the DMZ is layer-2 only.

I will check the proxy-arp.

On 9/5/06, Joseph Jackson <JJackson at aninetworks.com> wrote:
>
> Proxy arp is turned on by default on all interfaces of the pix/asa.  You
> can turn it off by doing sysopt noproxyarp (interface).  The only
> interface that it has to be on is the outside interface.  As a side note,
> is the dmz switch also a switch for another subnet? (you know, using
> vlans?)  I had the same problem when using a vlan'd switch for 3 different
> dmz's.
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> > Jonathan Charles
> > Sent: Tuesday, September 05, 2006 10:32 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] ASA replying to ARP packets for other hosts...
> >
> > I have an ASA 5510 that is replying to every ARP packet with
> > its own MAC address.
> >
> > I have a DMZ with about 10 hosts on it. They all have a
> > 255.255.255.224 mask, and the ASA is replying to all ARP packets.
> >
> > I did a packet capture, and you can see the host replying to
> > the ARP request, then you see the ASA replying to it (with
> > its own MAC address).
> >
> > All the pings are failing.
> >
> > Any ideas?
> >
> >
> >
> > Jonathan
>
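The capture check described in the quoted report (a host's ARP reply followed by a second reply carrying the firewall's MAC) can be automated. The following is an added example, not part of the original thread: it parses raw Ethernet/ARP reply frames and flags IPs answered by more than one MAC and MACs that answer for several IPs. The function names, the `min_ips` threshold, the MAC addresses and the 192.0.2.x addresses are all constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    ethertype, htype, ptype, hlen, plen, oper = struct.unpack("!HHHBBH", frame[12:22])
    # 0x0806 = ARP, hardware type 1 = Ethernet, 0x0800 = IPv4, opcode 2 = reply
    if (ethertype, htype, ptype, hlen, plen, oper) != (0x0806, 1, 0x0800, 6, 4, 2):
        return None
    return frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def find_proxy_arp(frames, min_ips=3):
    """Return (IPs answered by more than one MAC, MACs answering for >= min_ips IPs)."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            mac, ip = parsed
            macs_by_ip[ip].add(mac)
            ips_by_mac[mac].add(ip)
    conflicts = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    responders = {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) >= min_ips}
    return conflicts, responders

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build one constructed ARP reply frame (sample data only)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += smac + socket.inet_aton(sender_ip) + tmac + socket.inet_aton(target_ip)
    return tmac + smac + struct.pack("!H", 0x0806) + arp

# Constructed sample: three DMZ hosts answer for themselves, and a firewall
# (hypothetical MAC 02:00:00:00:00:fe) sends a second reply for each address.
FW, ASKER = "02:00:00:00:00:fe", "02:00:00:00:00:01"
HOSTS = {"192.0.2.2": "02:00:00:00:00:02", "192.0.2.3": "02:00:00:00:00:03",
         "192.0.2.4": "02:00:00:00:00:04"}
SAMPLE = []
for ip, mac in HOSTS.items():
    SAMPLE.append(build_reply(mac, ip, ASKER, "192.0.2.1"))  # the host's own reply
    SAMPLE.append(build_reply(FW, ip, ASKER, "192.0.2.1"))   # second reply, firewall MAC

if __name__ == "__main__":
    conflicts, responders = find_proxy_arp(SAMPLE)
    print("IPs with conflicting replies:", conflicts)
    print("MACs answering for many IPs:", responders)
```

A MAC that appears in both results is the device to check for proxy ARP on that interface.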

