Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Proxy arp

I have 3 hosts on a DMZ interface on a PIX515. The hosts need to access each other for various applications. When initiating a session from one host to another the PIX blocks the conversion with an error stating no xlate. I have put this down to the PIX proxy arping for the DMZ hosts, why is this, I know I can disable proxy arp with the sysopt command but is this the correct behaviour?

5 REPLIES
Community Member

Re: Proxy arp

1) Pix will only proxy arp if you have static, nat or alias commands configured. I suggest that you check your config for overlapping addresses.

2) If the host A already has a MAC address of host B It will not send packets to the default gateway, unless the destination address is not on the same subnet so I suggest that you also check for subnet masks on DMZ hosts.

I hope this helps.

Thanks,

Syed

Community Member

Re: Proxy arp

I do have a static entry for the hosts on the DMZ for access from the internet. I thought this would cause the PIX to proxy arp on the outside interface not the DMZ. (The outside access works fine, as does inside to DMZ, the only issue being DMZ host to DMZ host.)

Gold

Re: Proxy arp

Hi - I don't know if you have looked at the following Document :

http://www.cisco.com/warp/public/707/28.html

It does mention your issue with DMZ to DMZ access, hope it helps.

Regards,

Jay.

Silver

Re: Proxy arp

Hi there,

In fact you will just need two seperate static statements (or more, if more adresses are used). The first one will do the translation from outside to DMZ and also provide the needed proxy-ARP for this translation. It could look something like this:

static (dmz, outside) 62.229.98.1 10.1.1.1 netmask 255.255.255.255

The other one will provide the translation from the DMZ if packets travel to the inside (you also need this static translation even if no translation is in fact taken place). The command used could look something like this:

static (inside, dmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0

This sample config would work. The problem which you discribe has probaly to do with overlapping between these two static commands. If you change the second static, for example in the following:

static (inside, dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

then you would have the problem occuring which you descibe, namely, that the dmz interface will try to proxy-ARP, even for the servers placed on the dmz segment, because they're simply belonging to the range 10.0.0.0/8, whizh is static translated (and thus proxy ARP-ed)

I had the same problem onces and this was the issue.

To be complete in this solution, although this option is not recommented, you can always use the following command to prevent proxy-ARP on the dmz interface:

sysopt noproxyarp

this command will stop all proxy-ARP on the dmz interface only, so, you have to take care with using this. Hope this helps.

Re: Proxy arp

Hi,

is it possible to post the static commands you are using together with the IPaddresses and netmasks of the servers on the DMZ?

Kind Regards,

Tom

197
Views
0
Helpful
5
Replies
CreatePlease to create content