
lost connectivity in dmz (pix) and arp answer

Good afternoon. I have a PIX 515E with 6 interfaces.

pix-firewall# sh ver

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

The computers placed in the DMZ sometimes lose connection with each other. I found the following problem: when a computer sends an ARP request, it receives an answer both from the intended computer and from the PIX.

ip address on the pix interface (dmz) - 172.21.35.1

Connectivity test from the computer with IP address 172.21.35.5, with a clear ARP table:

ping 172.21.35.4

Pinging 172.21.35.4 with 32 bytes of data:

Reply from 172.21.35.4: bytes=32 time<1ms TTL=128

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 172.21.35.4:

Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

After ping:

>arp -a

Interface: 172.21.35.5 --- 0x10003

Internet Address Physical Address Type

172.21.35.1 00-0d-88-ef-23-29 dynamic

172.21.35.2 00-0d-60-ec-85-32 dynamic

172.21.35.4 00-0d-88-ef-23-29 dynamic

Very strange: the MAC addresses of .1 and .4 are identical.

Ethereal, running on the same computer:

No. Time Source Destination Protocol Info

1 0.000000 172.21.35.4 Broadcast ARP Who has 172.21.35.1? Tell 172.21.35.4

Frame 1 (106 bytes on wire, 106 bytes captured)

Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

2 1.381832 172.21.35.2 172.21.35.5 ARP Who has 172.21.35.5? Tell 172.21.35.2

Frame 2 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 172.21.35.2 (00:0d:60:ec:85:32), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

3 1.381842 172.21.35.5 172.21.35.2 ARP 172.21.35.5 is at 00:11:25:a8:75:7e

Frame 3 (42 bytes on wire, 42 bytes captured)

Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: 172.21.35.2 (00:0d:60:ec:85:32)

Address Resolution Protocol (reply)

No. Time Source Destination Protocol Info

4 2.754731 172.21.35.5 Broadcast ARP Who has 172.21.35.4? Tell 172.21.35.5

Frame 4 (42 bytes on wire, 42 bytes captured)

Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

5 2.754839 172.21.35.4 172.21.35.5 ARP 172.21.35.4 is at 00:11:25:57:f9:2c

Frame 5 (106 bytes on wire, 106 bytes captured)

Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (reply)

No. Time Source Destination Protocol Info

6 2.754968 172.21.35.1 172.21.35.5 ARP 172.21.35.4 is at 00:0d:88:ef:23:29

Frame 6 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 172.21.35.1 (00:0d:88:ef:23:29), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (reply)

On the PIX:

#debug arp

782: arp-in: request at dmz from 172.21.35.4 0011.2557.f92c for 172.21.35.1 0000.0000.0000

783: arp-set: added arp dmz 172.21.35.4 0011.2557.f92c

784: arp-in: generating reply from 172.21.35.1 000d.88ef.2329 to 172.21.35.4 0011.2557.f92c

793: arp-in: request at dmz from 172.21.35.5 0011.25a8.757e for 172.21.35.4 0000.0000.0000

794: arp-set: added arp dmz 172.21.35.5 0011.25a8.757e

795: arp-in: generating reply from 172.21.35.4 000d.88ef.2329 to 172.21.35.5 0011.25a8.757e

Why does the PIX send an answer to the ARP request?

Accepted Solutions

Re: lost connectivity in dmz (pix) and arp answer

Hi,

Maybe this is due to proxy ARP on the pix. You can try disabling it on that interface with the command "sysopt noproxyarp".
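
The symptom in this thread (one IP answered for by two MAC addresses, one of them the firewall's own) can be checked for mechanically in a capture. The following is an added example, not code from the thread or from Cisco; the function names and the `KNOWN` inventory are assumptions made for illustration, and the sample lines are built from the ARP replies shown in the question.

```python
import re
from collections import defaultdict

# Constructed sample: summary lines of ARP reply frames 3, 5 and 6 from the post's capture.
CAPTURE = """\
3 1.381842 172.21.35.5 172.21.35.2 ARP 172.21.35.5 is at 00:11:25:a8:75:7e
5 2.754839 172.21.35.4 172.21.35.5 ARP 172.21.35.4 is at 00:11:25:57:f9:2c
6 2.754968 172.21.35.1 172.21.35.5 ARP 172.21.35.4 is at 00:0d:88:ef:23:29
"""
# Assumption: a trusted IP -> MAC inventory; this entry is the PIX dmz interface
# as listed in the post's "arp -a" output.
KNOWN = {"172.21.35.1": "00-0d-88-ef-23-29"}

REPLY = re.compile(
    r"^\s*(?P<frame>\d+)\s+\S+\s+\S+\s+\S+\s+ARP\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r" is at (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s*$"
)

def normalize_mac(mac):
    """Lower-case, colon-separated form so arp -a and capture values compare equal."""
    return mac.lower().replace("-", ":")

def parse_replies(text):
    """Yield (frame, claimed_ip, mac) for every ARP reply summary line; skip the rest."""
    for line in text.splitlines():
        m = REPLY.match(line)
        if m:
            yield int(m["frame"]), m["ip"], normalize_mac(m["mac"])

def find_conflicts(text, known=None):
    """Report each IP claimed by more than one MAC, and which claiming MACs are
    already inventoried under a different IP (the pattern proxy ARP produces)."""
    owner_of = {normalize_mac(mac): ip for ip, mac in (known or {}).items()}
    claims = defaultdict(dict)                      # ip -> {mac: first frame seen}
    for frame, ip, mac in parse_replies(text):
        claims[ip].setdefault(mac, frame)
    findings = []
    for ip, macs in claims.items():
        if len(macs) > 1:
            foreign = {m: owner_of[m] for m in macs if owner_of.get(m, ip) != ip}
            findings.append({"ip": ip, "macs": macs, "foreign": foreign})
    return findings

if __name__ == "__main__":
    for f in find_conflicts(CAPTURE, KNOWN):
        print(f["ip"], "claimed by", sorted(f["macs"]), "foreign owners:", f["foreign"])
```

A conflicting MAC that does not appear in the inventory is left out of `foreign` and needs to be traced separately, since the script cannot tell which device owns it.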
