[c-nsp] Strange Pix Firewall issue. Proxy Arp

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed Sep 30 23:00:07 EDT 2009


Hi Brad,

The below static would not cause the behavior you describe.
Are you sure you don't have another "static (outside,inside)..."
statement which covers the network range of the inside network?

As a temporary workaround you can most likely disable proxy-arps on the
inside interface via 'sysopt noproxyarp inside'.

Sincerely,

David.


Brad Case wrote:
> Hi there,
>
> I am having a very strange issue on a Pix firewall:
>
> The following is configured:
>
> nameif vlan2512 INSIDE security22
> nameif vlan2100 OUTSIDE security20
>
> ip address INSIDE 192.168.35.129 255.255.255.128 standby 192.168.35.130
> ip address OUTSIDE 192.168.35.1 255.255.255.128 standby 192.168.35.2
>
> # Identity NAT statement:
>
> static (INSIDE,OUTSIDE) 192.168.35.128 192.168.35.128 netmask 255.255.255.128
>
> With the above configuration I am getting a strange thing happening with
> proxy arp. If a server on the INSIDE interface does an ARP request for an IP
> in the same subnet range as the INSIDE interface for an IP address other
> than 192.168.35.129 or 192.168.35.130, the firewall is replying to it.  Can
> anybody explain the reason why this behaviour would be occurring with the
> above?
>   
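
Added example, not part of either message: a Python check for the condition the reply asks about, a static whose mapped range covers the connected subnet of the interface it maps onto. It assumes the firewall answers ARP on the mapped (second-named) interface for addresses in a static's mapped range; `HYPOTHETICAL_STATIC` is a constructed line that does not appear in the thread.

```python
import ipaddress
import re

# Constructed sample: the interface and static lines quoted in the thread, plus
# one HYPOTHETICAL (OUTSIDE,INSIDE) static of the kind the reply asks about.
THREAD_CONFIG = """\
ip address INSIDE 192.168.35.129 255.255.255.128 standby 192.168.35.130
ip address OUTSIDE 192.168.35.1 255.255.255.128 standby 192.168.35.2
static (INSIDE,OUTSIDE) 192.168.35.128 192.168.35.128 netmask 255.255.255.128
"""
HYPOTHETICAL_STATIC = (
    "static (OUTSIDE,INSIDE) 192.168.35.0 192.168.35.0 netmask 255.255.255.0\n"
)

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
IP_RE = re.compile(rf"^ip address (\S+) {QUAD} {QUAD}")
# Only network statics with an explicit netmask are parsed; port and
# "interface" statics are skipped by this sketch.
STATIC_RE = re.compile(rf"^static \((\S+?),(\S+?)\) {QUAD} {QUAD} netmask {QUAD}")


def proxy_arp_overlaps(config):
    """Return (mapped_ifc, mapped_net, connected_net) for each static whose
    mapped range overlaps the connected subnet of its mapped interface."""
    connected, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            ifc, addr, mask = m.groups()
            connected[ifc.upper()] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := STATIC_RE.match(line):
            _real_ifc, mapped_ifc, mapped, _real, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
            statics.append((mapped_ifc.upper(), net))
    return [
        (ifc, str(net), str(connected[ifc]))
        for ifc, net in statics
        if ifc in connected and net.overlaps(connected[ifc])
    ]


if __name__ == "__main__":
    print(proxy_arp_overlaps(THREAD_CONFIG))                        # quoted config only
    print(proxy_arp_overlaps(THREAD_CONFIG + HYPOTHETICAL_STATIC))  # with hypothetical line
```

The quoted configuration alone yields no finding, which matches the reply's reading of it; only the constructed (OUTSIDE,INSIDE) line is flagged against the INSIDE subnet.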


