[c-nsp] ASA replying to ARP packets for other hosts...

Jonathan Charles jonvoip at gmail.com
Wed Sep 6 12:55:39 EDT 2006


That was it... proxy arp was trying to kill me...

So, why is it enabled by default?



Jonathan

On 9/5/06, Jonathan Charles <jonvoip at gmail.com> wrote:
>
> The switch on the DMZ is layer-2 only.
>
> I will check the proxy-arp
>
>
> On 9/5/06, Joseph Jackson <JJackson at aninetworks.com > wrote:
> >
> > Proxy arp is turned on by default on all interfaces of the pix/asa.  You
> > can turn it off by doing sysopt noproxyarp (interface).  The only
> > interface that it has to be on is the outside interface.  As a side note,
> > is the dmz switch also a switch for another subnet? (you know, using
> > vlans?)  I had the same problem when using a vlan'd switch for 3 different
> > dmz's.
> >
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net
> > > [mailto: cisco-nsp-bounces at puck.nether.net] On Behalf Of
> > > Jonathan Charles
> > > Sent: Tuesday, September 05, 2006 10:32 AM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] ASA replying to ARP packets for other hosts...
> > >
> > > I have an ASA 5510 that is replying to every ARP packet with
> > > its own MAC address.
> > >
> > > I have a DMZ with about 10 hosts on it. They all have a
> > > 255.255.255.224 mask, and the ASA is replying to all ARP packets.
> > >
> > > I did a packet capture, and you can see the host replying to
> > > the ARP request, then you see the ASA replying to it (with
> > > its own MAC address).
> > >
> > > All the pings are failing.
> > >
> > > Any ideas?
> > >
> > >
> > >
> > > Jonathan
> > >
> >
>
>
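
The symptom described in this thread (the real host answers an ARP request, then a second reply arrives carrying the firewall's MAC) can be checked for in a packet capture. The following is an added example, not part of the original thread and not Cisco tooling: it parses raw Ethernet ARP frames, lists IPs claimed by more than one MAC, and names the MAC that answers for several of them. The function names and all MAC and IP addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    return oper, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def find_proxy_arp(frames):
    """Return (IPs answered by >1 MAC, MACs that answer for several such IPs)."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            claims[parsed[2]].add(parsed[1])
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    per_mac = defaultdict(set)
    for ip, macs in conflicts.items():
        for mac in macs:
            per_mac[mac].add(ip)
    # A real host only answers for itself; a proxy-ARP device answers for many.
    suspects = sorted(m for m, ips in per_mac.items() if len(ips) > 1)
    return conflicts, suspects

def build_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a 42-byte ARP reply frame (helper for the constructed sample)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return (mac(dst_mac) + mac(src_mac) + b"\x08\x06" + hdr
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

# Constructed sample: two DMZ hosts plus a firewall that also answers for both.
HOST_A, HOST_B, FW = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:fe"
SAMPLE = [
    build_reply(HOST_A, "192.0.2.10", HOST_B, "192.0.2.11"),
    build_reply(FW,     "192.0.2.10", HOST_B, "192.0.2.11"),
    build_reply(HOST_B, "192.0.2.11", HOST_A, "192.0.2.10"),
    build_reply(FW,     "192.0.2.11", HOST_A, "192.0.2.10"),
]

if __name__ == "__main__":
    conflicts, suspects = find_proxy_arp(SAMPLE)
    print("IPs with multiple responders:", conflicts)
    print("MAC answering for several hosts:", suspects)
```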

