Firewall Wizards mailing list archives
Re: PIX 6.2(1) and Proxy Arp
From: Luca Berra <bluca () comedia it>
Date: Wed, 14 May 2003 15:56:55 +0200
On Tue, May 13, 2003 at 02:25:14PM -0500, Crissup, John (MBNP is) wrote:
> ....
> Outside: 12.1.1.2/24
> ....
> global (outside) 1 12.1.1.254
> nat (inside) 1 172.16.1.0 255.255.255.0 0 0
You probably need proxy ARP on the outside interface; it depends on what is outside.
> My problem is, when I disable proxy arp on all four interfaces, I can no longer access the Internet (outside interface) from my Private (inside interface) network. However, I can continue accessing my two DMZ's and the DMZ's can still access the Internet. Reenabling proxy arp on the outside interface fixed the problem. However, I wouldn't expect this to be necessary.
I'll try to explain: proxy ARP means "answer an ARP request for an IP address different from the one configured on the physical interface (if I have a static or global for it, that is)".

Assume on the outside of the PIX you only have router R, with a default route to the Internet, an Ethernet interface (say 12.1.1.1/24) and two static routes to DMZ1 and DMZ2 via your firewall.

A packet comes from the inside, gets to the PIX, gets NATted and... R receives a packet from IP 12.1.1.254 directed to the Internet... R consults its routing table: oh yeah, the Internet is that way! and sends the packet on...

A while later a packet arrives from the Internet directed to 12.1.1.254... R consults its routing table: oh yeah, 12.1.1.254 is directly connected to my Ethernet interface, let's send an ARP request so I can get the correct MAC address of the destination.... shit, no one is answering, let's toss that packet.

On the other hand, when a packet comes from the Internet for one of the DMZs... R consults its routing table: oh yeah, DMZ1 lies behind 12.1.1.2 and 12.1.1.2 is directly connected to my Ethernet interface, let's send an ARP request so I can get the correct MAC address of the destination... oh, it is MA:CA:DD:OF:PI:XF, and sends the packet on...

(try to picture that with the characters from goodwarriors.mpeg)
> I consulted with a systems engineer from Cisco and he was confused also.
sack 'im :)))))) (just kidding)

L.

P.S. in my example you could also put a static for 12.1.1.254 on R via 12.1.1.2 and avoid the proxy ARP, but I dunno if it applies to you and it is probably not worth the hassle.

L.
--
Luca Berra -- bluca () comedia it
Communication Media & Services S.r.l.
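The forwarding decision on R described above, and the static-route alternative from the P.S., as an added simulation that is not part of the original message or of any Cisco code: R does a longest-prefix lookup, then ARPs either for the next hop or for the directly connected destination, and the PIX answers only for its own interface address or, when proxy ARP is enabled, for its NAT global. The DMZ prefixes, class and function names are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's setup: R is 12.1.1.1/24 with a default route
# to the Internet and static routes to the DMZs via the PIX outside address
# 12.1.1.2; the PIX NATs inside hosts to the global 12.1.1.254.
OUTSIDE_NET = ipaddress.ip_network("12.1.1.0/24")
PIX_MAC = "MA:CA:DD:OF:PI:XF"  # label from the post, not a real MAC

class Pix:  # hypothetical model of the PIX outside interface
    def __init__(self, proxy_arp):
        self.iface_ip = ipaddress.ip_address("12.1.1.2")
        self.nat_globals = {ipaddress.ip_address("12.1.1.254")}  # global (outside) 1
        self.proxy_arp = proxy_arp

    def arp_reply(self, target):
        """Always answer for the interface address; answer for NAT global/static
        addresses only when proxy ARP is enabled on this interface."""
        if target == self.iface_ip or (self.proxy_arp and target in self.nat_globals):
            return PIX_MAC
        return None  # nobody answers: R will toss the packet

def router_forward(dst, pix, static_routes):
    """What R does with a packet arriving from the Internet for dst.
    static_routes: list of (prefix, next_hop) strings; the connected /24 is implicit."""
    dst = ipaddress.ip_address(dst)
    candidates = [(OUTSIDE_NET, None)] + [
        (ipaddress.ip_network(p), ipaddress.ip_address(h)) for p, h in static_routes]
    matches = [(net, hop) for net, hop in candidates if dst in net]
    if not matches:
        return "upstream"  # default route, back towards the Internet
    net, hop = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
    # Connected route: ARP for the destination itself; static route: ARP for next hop.
    arp_target = dst if hop is None else hop
    mac = pix.arp_reply(arp_target)
    if mac is None:
        return f"dropped: no ARP reply for {arp_target}"
    return f"delivered via {mac}"

# Constructed DMZ prefixes, both reached through the PIX outside address.
DMZ_ROUTES = [("192.168.1.0/24", "12.1.1.2"), ("192.168.2.0/24", "12.1.1.2")]
# The P.S. workaround: a host route for the NAT global pointing at the PIX.
WORKAROUND = DMZ_ROUTES + [("12.1.1.254/32", "12.1.1.2")]
```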