I have a load balancer device in front of a PIX to load balance some services on the servers protected by the PIX. I have static NATs for the real IP addresses of the servers. Yet I also need to configure the VIP addresses to be handled by the PIX. However, according to the load balancer documentation, nobody should reply to the ARP request for a VIP except the load balancer itself. So they suggest setting loopback addresses on the servers for the VIPs. However, when I put the PIX in between them, things get complicated, and I need to handle the issue properly with the PIX.

vitripat Wed, 06/06/2007 - 17:55

You may use the following command:

sysopt noproxyarp

Note: Using the above command affects all the translations on , as PIX will stop proxy-ARPing for all those addresses. Once the above command is implemented, PIX will only ARP for the IP address on its interface.

Thanks for the suggestion, but my understanding from your explanation above is that it would stop ARP replies for all static NATs defined for that interface. This is not what I want. What I want is to have proxy ARP for some NATs (for the real IPs), while no proxy ARP for other NATs (for the virtual IPs). To be more specific, real IPs are the ones assigned to the physical interfaces of a server. Virtual IPs are the ones assigned to loopback interfaces of a server. In normal operation, servers only reply to ARP requests for the real IPs and send no ARP replies for the virtual IPs. Therefore, when I put a PIX device in front of such a configured server, I would like to have the same type of behaviour after the NATs.

vitripat Thu, 06/07/2007 - 09:58

Unfortunately, we can't selectively disable proxy-arp for some IPs.
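As an added illustration, not from the thread itself, here is the situation above written out as PIX 7.x configuration. Interface names, the 203.0.113.0/24 outside range, the 10.1.1.0/24 inside range, and the server addresses are all assumed. The first static (for the server's real IP) is the one the poster wants the PIX to proxy-ARP for; the second static (for the VIP the server holds on a loopback) is the one that makes the PIX answer ARP for 203.0.113.20 on the outside segment and collide with the load balancer. The only control available on this software, sysopt noproxyarp, is per interface, so it silences both.

```cisco
! Added example, not from the original thread. Addresses and names are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Real IP of the server (assumed 10.1.1.10 inside, 203.0.113.10 outside).
! With proxy ARP enabled, the PIX answers ARP for 203.0.113.10 on outside.
! This is the wanted behaviour: the server answers ARP for its real IP.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! VIP held on the server's loopback (assumed 10.1.1.20 inside, 203.0.113.20
! outside). The PIX also answers ARP for 203.0.113.20 on outside, which is
! the unwanted behaviour: per the load balancer documentation, only the
! load balancer may answer ARP for the VIP.
static (inside,outside) 203.0.113.20 10.1.1.20 netmask 255.255.255.255
!
! The only knob on this software is per interface and all-or-nothing.
! After this line the PIX stops answering ARP for 203.0.113.10 as well,
! which is what the second reply in the thread confirms.
sysopt noproxyarp outside
```

To confirm what the box is actually doing, show running-config sysopt lists the noproxyarp setting, and an ARP request for 203.0.113.20 sent from a host on the outside segment (for example with arping on Linux) should then be answered only by the load balancer's MAC address; two different MACs replying means the PIX is still proxy-ARPing for the VIP. On later ASA releases (8.3 and newer, not the PIX software discussed here) the nat command accepts a per-translation no-proxy-arp keyword, which is the selective behaviour the poster was asking for.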
