[c-nsp] ASA replying to ARP packets for other hosts...

Joseph Jackson JJackson at aninetworks.com
Wed Sep 6 13:17:35 EDT 2006


It's enabled by default because that's how static translations work.  When
you do a static the pix has to answer for the host since it isn't a
layer 3 hop.


________________________________

	From: Jonathan Charles [mailto:jonvoip at gmail.com]
	Sent: Wednesday, September 06, 2006 9:56 AM
	To: Joseph Jackson
	Cc: cisco-nsp at puck.nether.net
	Subject: Re: [c-nsp] ASA replying to ARP packets for other hosts...

	That was it... proxy arp was trying to kill me...

	So, why is it enabled by default?

	Jonathan

	On 9/5/06, Jonathan Charles <jonvoip at gmail.com> wrote:

		The switch on the DMZ is layer-2 only.

		I will check the proxy-arp

		On 9/5/06, Joseph Jackson <JJackson at aninetworks.com> wrote:

			Proxy arp is turned on by default on all interfaces of the pix/asa.  You
			can turn it off by doing sysopt noproxyarp (interface).  The only
			interface that it has to be on is the outside interface.  As a side note,
			is the dmz switch also a switch for another subnet? (you know, using
			vlans?)  I had the same problem when using a vlan'd switch for 3 different
			dmz's.
			
			
			> -----Original Message-----
			> From: cisco-nsp-bounces at puck.nether.net
			> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
			> Jonathan Charles
			> Sent: Tuesday, September 05, 2006 10:32 AM
			> To: cisco-nsp at puck.nether.net
			> Subject: [c-nsp] ASA replying to ARP packets for other hosts...
			>
			> I have an ASA 5510 that is replying to every ARP packet with
			> its own MAC address.
			>
			> I have a DMZ with about 10 hosts on it. They all have a
			> 255.255.255.224 mask, and the ASA is replying to all ARP packets.
			>
			> I did a packet capture, and you can see the host replying to
			> the ARP request, then you see the ASA replying to it (with
			> its own MAC address).
			>
			> All the pings are failing.
			>
			> Any ideas?
			>
			>
			> Jonathan
			>
			> _______________________________________________
			> cisco-nsp mailing list
			> cisco-nsp at puck.nether.net
			> https://puck.nether.net/mailman/listinfo/cisco-nsp
			> archive at http://puck.nether.net/pipermail/cisco-nsp/
			>
			
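As an added illustration that is not part of the thread: a small Python script that spots the symptom Jonathan describes in a list of ARP replies taken from a capture, namely one IP being answered by two different MACs and a single MAC (the firewall's) answering for many IPs. The sample replies, addresses and MACs below are constructed.

```python
"""Spot proxy-ARP style duplicate replies in a list of ARP replies.

When a firewall proxy-ARPs for a subnet, the real host answers the ARP
request and the firewall answers it again with its own MAC.  In a capture
that shows up as one IP claimed by two MACs, and one MAC claiming many IPs.
"""
from collections import defaultdict

# Constructed ARP replies: (claimed_ip, answering_mac).  Addresses are
# placeholders from the 192.0.2.0/27 documentation range (a /27, like the
# 255.255.255.224 DMZ in the thread); the MACs are made up.
SAMPLE_REPLIES = [
    ("192.0.2.10", "00:11:22:33:44:10"),   # real host
    ("192.0.2.10", "00:de:ad:be:ef:01"),   # firewall answering for it too
    ("192.0.2.11", "00:11:22:33:44:11"),
    ("192.0.2.11", "00:de:ad:be:ef:01"),
    ("192.0.2.12", "00:11:22:33:44:12"),
    ("192.0.2.12", "00:de:ad:be:ef:01"),
    ("192.0.2.13", "00:11:22:33:44:13"),   # no duplicate reply for this host
]


def conflicting_ips(replies):
    """Map each IP claimed by more than one MAC to the set of MACs that claimed it."""
    macs_by_ip = defaultdict(set)
    for ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


def suspected_proxy_mac(replies, min_ips=2):
    """Return the MAC that answers for the most distinct IPs, provided it answers
    for at least `min_ips` of them; a normal host only claims its own address."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    if not ips_by_mac:
        return None
    mac, ips = max(ips_by_mac.items(), key=lambda kv: len(kv[1]))
    return mac if len(ips) >= min_ips else None


if __name__ == "__main__":
    for ip, macs in sorted(conflicting_ips(SAMPLE_REPLIES).items()):
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(sorted(macs))}")
    print("suspected proxy-ARP responder:", suspected_proxy_mac(SAMPLE_REPLIES))
```

Feed it the sender IP/MAC pairs from the ARP replies in a capture; the MAC it reports should match the firewall's DMZ interface if proxy ARP is what is answering.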