PIX 515E - DMZ adapter is replying to arp request, when it should not.
PIX(dmz) - HUB - 2 servers(A + B).
Delay while accessing servers in dmz.
When I ping machine A from B, there is always a timeout on the first ICMP request. Plus, when I connect my laptop to the hub and try an arping on any IP address, I always get an ARP reply from the DMZ MAC address. True for ANY unused IP. It looks like the PIX is replying to any ARP request when it should not...
Here's the output of a packet capture (Ethereal) on the hub (you see a ping request from A to B).
No. Time Source Destination Protocol Info
1 0.000000 CompaqCo_45:69:40 Broadcast ARP Who has 192.168.100.102? Tell 192.168.100.101
2 0.000045 Intel_97:10:e5 CompaqCo_45:69:40 ARP 192.168.100.102 is at 00:02:b3:97:10:e5
However, it might be better to find the crux of the problem. Can you post a sanitized config for review? If you change the IP addresses, please make them consistent as this is what I am going to be looking at.
Re: PIX 515E - DMZ adapter is replying to arp request, when it s
Thanks for your quick reply.
What I understand is that proxyarp is enabled by default on my DMZ interface?
If so, why is it replying to ARP requests for non-existent IP addresses everywhere on my network (not just DMZ, but inside + outside)?
I read, in your URL, this:
"Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses"
Does it mean that currently, my PIX thinks that there is "another" 192.168.100.102 host in my network (inside, outside)?
If so, here are my sanitized static, global and nat config:
global (outside) 1 (External1) netmask 255.255.255.248
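The symptom described in this thread, one MAC address answering ARP for addresses it does not own, can be checked mechanically from a capture. The following is an added example, not code from any poster or from Cisco: it parses Ethereal-style summary lines and flags any MAC that replies for several different IPs. The function names and the sample frames 3-6 (including the second MAC address) are constructed for illustration; frames 1-2 are the ones posted above.

```python
import re
from collections import defaultdict

# Sample capture in the summary layout shown in the thread.
# Frames 1-2 are from the post; frames 3-6 are constructed for this example.
SAMPLE = """\
1 0.000000 CompaqCo_45:69:40 Broadcast ARP Who has 192.168.100.102? Tell 192.168.100.101
2 0.000045 Intel_97:10:e5 CompaqCo_45:69:40 ARP 192.168.100.102 is at 00:02:b3:97:10:e5
3 1.200000 Laptop_aa:bb:cc Broadcast ARP Who has 192.168.100.77? Tell 192.168.100.50
4 1.200051 Intel_97:10:e5 Laptop_aa:bb:cc ARP 192.168.100.77 is at 00:02:b3:97:10:e5
5 2.400000 Laptop_aa:bb:cc Broadcast ARP Who has 192.168.100.101? Tell 192.168.100.50
6 2.400300 CompaqCo_45:69:40 Laptop_aa:bb:cc ARP 192.168.100.101 is at 00:0b:cd:45:69:40
"""

# Matches the Info column of an ARP reply: "<ip> is at <mac>"
REPLY = re.compile(
    r"ARP\s+(\d{1,3}(?:\.\d{1,3}){3}) is at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def ips_claimed_per_mac(capture_text):
    """Map each replying MAC to the set of IPs it claimed in ARP replies."""
    claims = defaultdict(set)
    for line in capture_text.splitlines():
        m = REPLY.search(line)
        if m:
            claims[m.group(2).lower()].add(m.group(1))
    return claims

def suspected_proxy_arp(capture_text, expected=None, threshold=2):
    """Return {mac: sorted IPs} for MACs answering for >= threshold IPs.

    `expected` (mac -> set of IPs the host legitimately owns, e.g. the
    firewall's own interface address) is subtracted before counting.
    """
    expected = expected or {}
    flagged = {}
    for mac, ips in ips_claimed_per_mac(capture_text).items():
        unexpected = ips - set(expected.get(mac, ()))
        if len(unexpected) >= threshold:
            flagged[mac] = sorted(unexpected)
    return flagged

if __name__ == "__main__":
    for mac, ips in suspected_proxy_arp(SAMPLE).items():
        print(f"{mac} answered ARP for {len(ips)} addresses: {', '.join(ips)}")
```

A MAC flagged here is a candidate for proxy ARP (or for a host with several addresses); compare the flagged IPs against the static, global and nat 0 entries on the device that owns that MAC.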