Hi. We have some switches linked together to form a DMZ with a variety of hosts and two PIX firewalls connected. If we try to ping a host from the switch it is attached to, the ping fails. When the ARP cache is viewed, the entry for the server IP address references the MAC address of a PIX interface on another switch and not the server itself. The MAC address table contains the correct MAC address port entry. Any idea why the PIX appears to be responding to the ARP request? Our Security Team cannot explain it. Thanks.
If the PIX does proxy-ARP, this is due to a static statement on the PIX. Probably you have a static statement which is overlapping with the IP subnet numbering on your lower and higher level interfaces. The command no sysopt proxyarp (if-name) will in fact disable the proxy-ARP, although this should not be the proper action. Proper configuration of your PIX will prevent the PIX from doing proxy-ARP for addresses for which it should not.
If you send me your PIX config and what you want to achieve, I believe I can help you out (clear passwords and stuff from the config first :-)).
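The following is an added example, not part of the original thread: a small audit script that looks for the condition the reply describes, a static whose mapped range covers hosts that really sit on the mapped interface's segment. It assumes PIX 6.x-style `ip address` and `static` lines; the sample config, the host inventory and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (PIX 6.x-style syntax assumed, documentation addresses).
SAMPLE_CONFIG = """\
ip address outside 192.0.2.1 255.255.255.0
ip address dmz 198.51.100.1 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
static (inside,dmz) 198.51.100.0 10.0.0.0 netmask 255.255.255.0
"""

# Constructed inventory: hosts physically attached to each segment.
SAMPLE_HOSTS = {"dmz": ["198.51.100.25", "198.51.100.40"], "outside": ["192.0.2.50"]}

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (\S+) (\S+) netmask (\S+)")


def parse(config):
    """Return (interface subnets, statics) from PIX-style config text."""
    subnets, statics = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            name, ip, mask = m.groups()
            subnets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, _real_ip, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped_ip}/{mask}", strict=False)
            statics.append((line, mapped_if, net))
    return subnets, statics


def find_proxy_arp_conflicts(config, hosts_by_iface):
    """List (host, interface, static line) where a static's mapped range
    covers a host that really lives on the mapped interface's segment."""
    subnets, statics = parse(config)
    conflicts = []
    for line, mapped_if, net in statics:
        if mapped_if not in subnets or not net.overlaps(subnets[mapped_if]):
            continue  # mapped range is not on that interface's connected subnet
        for host in hosts_by_iface.get(mapped_if, []):
            if ipaddress.ip_address(host) in net:
                conflicts.append((host, mapped_if, line))
    return conflicts


if __name__ == "__main__":
    for host, iface, line in find_proxy_arp_conflicts(SAMPLE_CONFIG, SAMPLE_HOSTS):
        print(f"{host} on {iface} is covered by: {line}")
```

Any host it reports is one whose ARP entry on the segment may point at the PIX interface instead of the server, matching the symptom in the question.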