[c-nsp] Strange Pix Firewall issue. Proxy Arp

harbor235 harbor235 at gmail.com
Thu Oct 1 15:39:37 EDT 2009


Or, the devices on the inside network have an incorrect mask


mike

On Wed, Sep 30, 2009 at 11:00 PM, David White, Jr. (dwhitejr) <dwhitejr at cisco.com> wrote:

> Hi Brad,
>
> The below static would not cause the behavior you describe.
> Are you sure you don't have another "static (outside,inside)..."
> statement which covers the network range of the inside network?
>
> As a temporary workaround you can most likely disable proxy-arps on the
> inside interface via 'sysopt noproxyarp inside'.
>
> Sincerely,
>
> David.
>
>
> Brad Case wrote:
> > Hi there,
> >
> > I am having a very strange issue on a Pix firewall:
> >
> > The following is configured:
> >
> > nameif vlan2512 INSIDE security22
> > nameif vlan2100 OUTSIDE security20
> >
> > ip address INSIDE 192.168.35.129 255.255.255.128 standby 192.168.35.130
> > ip address OUTSIDE 192.168.35.1 255.255.255.128 standby 192.168.35.2
> >
> > # Identity NAT statement:
> >
> > static (INSIDE,OUTSIDE) 192.168.35.128 192.168.35.128 netmask 255.255.255.128
> >
> > With the above configuration I am getting a strange thing happening with
> > proxy arp. If a server on the INSIDE interface does an ARP request for an IP
> > in the same subnet range as the INSIDE interface for an IP address other
> > than 192.168.35.129 or 192.168.35.130, the firewall is replying to it. Can
> > anybody explain the reason why this behaviour would be occurring with the
> > above?
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>

