Cisco Support Community

PIX blocks and aliases the MAC address of workstations behind it; the ARP table lists the PIX's MAC as owner of the address. PIX answers ARP requests for devices behind it.


Proxy ARP refers to a gateway device, in this case, the PIX Firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

By default, the PIX responds to Address Resolution Protocol (ARP) requests directed at the PIX interface IP addresses as well as to ARP requests for any static or global address defined on the PIX interface (which are proxy ARP requests).

The PIX builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the PIX has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the PIX. This is done only when troubleshooting or solving network connectivity problems.

The sysopt noproxyarp if_name command allows you to disable proxy ARP request responses on a PIX interface. However, this command does not disable responses to non-proxy ARP requests on the PIX interface itself. Consequently, if you issue the sysopt noproxyarp if_name command, the PIX no longer responds to ARP requests for the addresses in the static, global and nat 0 commands for that interface, but it does respond to ARP requests for its interface IP addresses.
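To see from a neighboring host which addresses the PIX is answering for, the following added example (not part of the original page) parses an ARP table dump and lists the IPs that resolve to the PIX's MAC but are not its own interface addresses. The sample table, the MAC and IP values, and the `<ip> <mac>` line layout are constructed assumptions; running it before and after sysopt noproxyarp shows whether the proxied entries disappear once the neighbor's cache has aged out.

```python
import ipaddress
import re

# Constructed sample: ARP cache of a host on the same segment as the PIX.
# Assumed layout: "<ip> <mac>" per line; MAC notation varies by platform.
SAMPLE_ARP = """\
192.0.2.1    0050.54ff.076d
192.0.2.10   00:50:54:ff:07:6d
192.0.2.11   00-50-54-FF-07-6D
192.0.2.20   0011.2233.4455
incomplete entry without a MAC
"""

PAIR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f.:\-]{12,17})")


def normalize_mac(mac):
    """Reduce dotted, colon or hyphen notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return digits


def parse_arp(text):
    """Return (ip, normalized_mac) pairs, skipping lines that do not parse."""
    entries = []
    for line in text.splitlines():
        match = PAIR.search(line)
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group(1))
            entries.append((match.group(1), normalize_mac(match.group(2))))
        except ValueError:
            continue
    return entries


def proxied_addresses(text, pix_mac, pix_interface_ips):
    """IPs that map to the PIX's MAC but are not the PIX's interface IPs."""
    pix = normalize_mac(pix_mac)
    own = set(pix_interface_ips)
    hits = {ip for ip, mac in parse_arp(text) if mac == pix and ip not in own}
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    for ip in proxied_addresses(SAMPLE_ARP, "0050.54ff.076d", ["192.0.2.1"]):
        print("PIX is answering ARP for", ip)
```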