I have 3 hosts on a DMZ interface on a PIX 515. The hosts need to access each other for various applications. When initiating a session from one host to another, the PIX blocks the conversation with an error stating "no xlate". I have put this down to the PIX proxy-ARPing for the DMZ hosts. Why is this? I know I can disable proxy-ARP with the sysopt command, but is this the correct behaviour?
1) The PIX will only proxy-ARP if you have static, nat or alias commands configured. I suggest that you check your config for overlapping addresses.
2) If host A already has the MAC address of host B, it will not send packets to the default gateway unless the destination address is not on the same subnet, so I suggest that you also check the subnet masks on the DMZ hosts.
I do have a static entry for the hosts on the DMZ for access from the Internet. I thought this would cause the PIX to proxy-ARP on the outside interface, not the DMZ. (The outside access works fine, as does inside to DMZ; the only issue is DMZ host to DMZ host.)
In fact you will just need two separate static statements (or more, if more addresses are used). The first one will do the translation from outside to DMZ and also provide the needed proxy-ARP for this translation. It could look something like this:
The other one will provide the translation from the DMZ if packets travel to the inside (you also need this static translation even if no translation is in fact taking place). The command used could look something like this:
Then you would have the problem occurring which you describe, namely that the DMZ interface will try to proxy-ARP even for the servers placed on the DMZ segment, because they simply belong to the range 10.0.0.0/8, which is statically translated (and thus proxy-ARPed).
I had the same problem once and this was the issue.
To be complete in this solution, although this option is not recommended, you can always use the following command to prevent proxy-ARP on the DMZ interface:
This command stops all proxy-ARP on the DMZ interface only, so you have to take care when using it. Hope this helps.
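To make the mechanism in the answer above concrete, here is an added illustrative PIX 6.x configuration. It is not the poster's configuration and not taken from the thread: the interface names, the addresses (203.0.113.0/24 outside, 10.1.1.0/24 inside, 10.2.2.0/24 DMZ), the masks, and the direction of the wide identity static are all assumptions chosen for the example, since the thread does not show the actual commands. It places the static that triggers proxy-ARP for the DMZ hosts' own addresses beside a narrowed version that does not, and shows the sysopt command the answer mentions as the blunt alternative.

```cisco
! Added illustrative PIX 6.x configuration (not from the original thread).
! Interface names, addresses and masks are assumptions for this example only.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
!
! Static 1: publishes DMZ host 10.2.2.10 as 203.0.113.10 on the outside.
! The PIX proxy-ARPs for 203.0.113.10 on the OUTSIDE interface only, which
! is exactly what is wanted and does not affect the DMZ segment.
static (dmz,outside) 203.0.113.10 10.2.2.10 netmask 255.255.255.255
!
! Static 2, PROBLEM form: an identity static that exposes the whole
! 10.0.0.0/8 to the DMZ without translation. Because 10.0.0.0/8 is now a
! mapped range on the DMZ interface, the PIX answers ARP for ANY 10.x
! address seen on the DMZ wire, including 10.2.2.20 when 10.2.2.10 ARPs for
! it. If the PIX answers before the real host does, 10.2.2.10 sends the
! packet to the PIX, which has no translation for DMZ-to-DMZ traffic and
! drops it ("no xlate").
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
!
! Static 2, CORRECTED form: cover only the inside subnet. 10.2.2.0/24 is no
! longer a mapped address on the DMZ side, so the PIX stops proxy-ARPing
! for the DMZ hosts' own addresses and they resolve each other directly
! again. Inside-to-DMZ traffic still has its identity translation.
no static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! On PIX 6.x, existing translations are not rebuilt when statics change;
! clear them so the new static takes effect for current sessions.
clear xlate
!
! Blunt alternative from the answer: disable proxy-ARP on the dmz interface
! entirely. This leaves Static 1 untouched (its proxy-ARP is on the
! outside), but it also silences proxy-ARP for every mapped address the
! PIX is supposed to answer for on the DMZ side, so any static whose mapped
! address lives on the DMZ wire will stop working. Prefer narrowing the
! static; use this only if you know nothing on the DMZ relies on it.
sysopt noproxyarp dmz
```

A quick way to confirm that proxy-ARP is the cause before changing anything: on one DMZ host, flush its ARP cache, ping the other DMZ host, and inspect the cache again (for example `arp -a`). If the other host's IP address now maps to the MAC address of the PIX dmz interface rather than to the host's own NIC, the PIX won the ARP race, and on the PIX `show xlate` will show no entry for that DMZ-to-DMZ pair while the drop is logged as syslog 305005 ("No translation group found"). After the fix, the ARP entry should point at the real host's MAC and the traffic never reaches the PIX at all.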