Firewall Wizards mailing list archives

Re: PIX 6.2(1) and Proxy Arp


From: Luca Berra <bluca () comedia it>
Date: Wed, 14 May 2003 15:56:55 +0200

On Tue, May 13, 2003 at 02:25:14PM -0500, Crissup, John (MBNP is) wrote:
> ....
> Outside: 12.1.1.2/24
> ....
> global (outside) 1 12.1.1.254
> nat (inside) 1 172.16.1.0 255.255.255.0 0 0

You probably need proxy ARP on the outside interface; it depends on what is
outside.

> My problem is, when I disable proxy arp on all four interfaces, I can no
> longer access the Internet (outside interface) from my Private (inside
> interface) network.  However, I can continue accessing my two DMZ's and the
> DMZ's can still access the Internet.  Reenabling proxy arp on the outside
> interface fixed the problem.  However, I wouldn't expect this to be
> necessary.

I'll try to explain:
proxy ARP means answering ARP requests for an IP address different from
the one configured on the physical interface (if I have a static or
global for it, that is).

Assume on the outside of the PIX you only have router R, with
a default route to the Internet,
an ethernet interface (say 12.1.1.1/24),
and two static routes to DMZ1 and DMZ2 via your firewall.

A packet comes from the inside, gets to the PIX, gets NATed and...
R receives a packet from IP 12.1.1.254 directed to the Internet...
R consults its routing table: oh yeah, the Internet is that way! and sends
the packet on...
A while later a packet arrives from the Internet directed to 12.1.1.254
...
R consults its routing table: oh yeah, 12.1.1.254 is directly connected
to my ethernet interface, let's send an ARP request so I can get the
correct MAC address of the destination....
shit, no one is answering, let's toss that packet.

Conversely, when a packet comes from the Internet for one of the
DMZs...
R consults its routing table: oh yeah, DMZ1 lies behind 12.1.1.2 and
12.1.1.2 is directly connected to my ethernet interface, let's send an
ARP request so I can get the correct MAC address of the destination...
oh, it is MA:CA:DD:OF:PI:XF, and sends the packet on...

(try to picture that with the characters from goodwarriors.mpeg)

> I consulted with a systems engineer from Cisco and he was confused also.

sack 'im :))))))  (just kidding)

L.

P.S. In my example you could also put a static for 12.1.1.254 on R via
12.1.1.2 and avoid the proxy ARP, but I dunno if it applies to you and it
probably is not worth the hassle.

L.
--
Luca Berra -- bluca () comedia it
       Communication Media & Services S.r.l.
/"\
\ /     ASCII RIBBON CAMPAIGN
 X        AGAINST HTML MAIL
/ \
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
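The three outcomes Luca walks through (return traffic for the NAT global dropped with proxy ARP off, delivered with proxy ARP on, and delivered again with the P.S. host route on R instead) can be reproduced with a small model of the outside wire. This is an added example written for this archive page, not code from the thread or from Cisco; the addresses 12.1.1.1, 12.1.1.2 and 12.1.1.254 and the MAC string come from the post, while the DMZ subnets, the DMZ host address and the class names are constructed placeholders.

```python
# Added example (not from the post): a model of the outside segment from
# Luca's explanation, showing when router R can deliver a return packet.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

PIX_MAC = "MA:CA:DD:OF:PI:XF"          # MAC string used in the post (not a real MAC)
R_IP = ip_address("12.1.1.1")          # router R's ethernet interface, from the post
PIX_OUTSIDE = ip_address("12.1.1.2")   # PIX outside interface, from the post
NAT_GLOBAL = ip_address("12.1.1.254")  # "global (outside) 1 12.1.1.254"
OUTSIDE_NET = ip_network("12.1.1.0/24")
# DMZ subnets are not given in the thread; these are constructed placeholders.
DMZ1 = ip_network("192.168.10.0/24")
DMZ2 = ip_network("192.168.20.0/24")


@dataclass
class Pix:
    """The PIX as seen from the outside wire: it owns one interface address
    and, with proxy ARP on, also answers for the globals/statics it holds."""
    mac: str
    outside_ip: IPv4Address
    proxy_arp: bool
    nat_globals: frozenset

    def arp_reply(self, target: IPv4Address):
        if target == self.outside_ip:
            return self.mac
        if self.proxy_arp and target in self.nat_globals:
            return self.mac
        return None                      # silence: nobody owns that address


@dataclass
class Router:
    """Router R with static routes; next hop None means directly connected."""
    ip: IPv4Address
    routes: dict

    def next_hop(self, dst: IPv4Address):
        best = None
        for net, nh in self.routes.items():  # longest-prefix match
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        net, nh = best
        return dst if nh is None else nh


def return_path(dst: str, proxy_arp_outside: bool, static_for_global: bool) -> str:
    """Describe what R does with a packet from the Internet destined to dst."""
    pix = Pix(PIX_MAC, PIX_OUTSIDE, proxy_arp_outside, frozenset({NAT_GLOBAL}))
    routes = {
        OUTSIDE_NET: None,       # directly connected ethernet
        DMZ1: PIX_OUTSIDE,       # "two static routes to DMZ1 and DMZ2 via your firewall"
        DMZ2: PIX_OUTSIDE,
    }
    if static_for_global:
        # The P.S. alternative: a host route for the global via the PIX interface,
        # which wins over the connected /24 by longest-prefix match.
        routes[ip_network("12.1.1.254/32")] = PIX_OUTSIDE
    router = Router(R_IP, routes)
    # R's default route to the Internet leaves via another interface and is not modelled.
    nh = router.next_hop(ip_address(dst))
    if nh is None:
        return "no route"
    mac = pix.arp_reply(nh)              # the PIX is the only other host on this wire
    if mac is None:
        return f"dropped: no ARP reply for {nh}"
    return f"delivered to {mac}"


if __name__ == "__main__":
    for proxy, static in ((False, False), (True, False), (False, True)):
        print(f"proxy_arp={proxy} static={static}:",
              "12.1.1.254 ->", return_path("12.1.1.254", proxy, static),
              "| DMZ1 host ->", return_path("192.168.10.5", proxy, static))
```

Running it prints the three cases side by side: with proxy ARP off and no host route, R resolves 12.1.1.254 as directly connected, gets no ARP reply and drops the packet, while a DMZ1 host is reached through the static route to 12.1.1.2 regardless of the proxy ARP setting. Either enabling proxy ARP on the PIX outside interface or adding the /32 route on R makes the NAT global reachable again.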
