02-17-2006 05:48 AM - edited 03-05-2019 11:47 AM
I've added a server (Proliant 3000, Windows 2000 SP4) in the DMZ, but the PIX doesn't answer its ARP request. The access-lists are OK. If I enter static entries in the ARP tables (PIX and server), they can communicate normally, but without these lines, nothing works; the PIX doesn't answer. Why? Is there any configuration to add to the PIX? The server is able to ping all the other servers in the DMZ.
Thank you!
02-19-2006 06:51 PM
Hello,
Is the PIX configured as the server's default gateway? Do the IPs and subnet masks match for the DMZ link? Do you have this same issue for inside devices? Did you try debug arp on the PIX?
Hope this helps.
Regards,
James
02-20-2006 11:14 AM
The PIX is the default gateway and the IP and subnet are the correct ones.
I have added manual ARP entries in both the PIX and the server and it worked... However, I would like to find a "real" solution...
02-20-2006 05:25 PM
Hello,
I recreated this with a simple topology:
pc---switch---pix
There is nothing special required to add on either the host or the PIX for the ARP process to work correctly. Notice in the attachment that PC shows a dynamic entry for 8.8.8.1 - DMZ2 interface for the PIX and after clearing the ARP on the PIX, the PIX correctly populates its ARP cache.
The other servers in the DMZ that your server can ping - are they located on the same switch? Is the PIX attached to the same switch as well? Do you see correct CAM/MAC entries on all the respective ports?
Hope this helps.
Regards,
James
02-22-2006 06:10 AM
Hi!
The other servers are on the same switch, the PIX too. No configurations have been made on the switch, and I have not seen anything wrong. The MAC address table is OK.
If I connect a PC in the DMZ it works well, but not this server.
The other servers are plugged into two switches, with two teamed NICs. This server has only one NIC; I don't know if it can change something?
After clearing the ARP cache, it populates correctly, but not for this server.
regards
Pierre-Nicolas
02-22-2006 08:04 AM
Hi Pierre,
There may be a misconfiguration in the PIX configuration (static, NAT, subnet mask, etc.).
In order to be sure and to eliminate the possibility of a misconfiguration on the server, I'd suggest the following.
1-Remove the server from the switch.
2-Clear all ARP entries.
3-Ask Richard to put his Fluke device on the switch with the same IP/mask and switch port as the server.
4-See the behaviour of the ARP request.
Oh sorry, you have already tried this with a PC (was the IP the same as the server's?)
I remember, in a previous PIX version, seeing a bug on cisco.com reporting an unsupported MAC address range for hosts. Maybe you will use Richard's Fluke to do this test.
(cco required)
HTH
Mike
02-22-2006 09:41 AM
Guess what? The MAC of the server is 0008.xxxx.xxxx and the PIX version is 6.1 (2).
I'll look at the workarounds suggested.
Thank you!
Regards
Pierre-Nicolas
02-22-2006 10:37 AM
How lucky you are, you even took care of changing the ARP info (for security purposes, I thought) in a debug output posted here... But eventually you would have found the link by yourself, I'm sure!
:)