Firewall Wizards mailing list archives
PIX 6.2(1) and Proxy Arp
From: "Crissup, John (MBNP is)" <John.Crissup () us millwardbrown com>
Date: Tue, 13 May 2003 14:25:14 -0500
I'm trying to decide if I need to keep proxy arp enabled on my PIX interfaces. My setup is as follows (all addressing has been changed for this example):

Portable address space on my outside and two DMZ interfaces.
Private address space on my inside interface.

PIX 520 Version 6.2(1)

Inside: 172.16.1.1/24
Outside: 12.1.1.2/24
DMZ1: 195.1.1.1/24
DMZ2: 195.2.1.1/24

global (outside) 1 12.1.1.254
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (DMZ1) 0 195.1.1.0 255.255.255.0 0 0
nat (DMZ2) 0 195.2.1.0 255.255.255.0 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
static (inside,DMZ2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) 195.1.1.0 195.1.1.0 netmask 255.255.255.0 0 0
static (DMZ2,outside) 195.2.1.0 195.2.1.0 netmask 255.255.255.0 0 0

My problem is, when I disable proxy arp on all four interfaces, I can no longer access the Internet (outside interface) from my Private (inside interface) network. However, I can continue accessing my two DMZs and the DMZs can still access the Internet.

Reenabling proxy arp on the outside interface fixed the problem. However, I wouldn't expect this to be necessary. I consulted with a systems engineer from Cisco and he was confused also.

My suspicion is that proxy arp may be required in order for the PAT addressing to function properly. However, I haven't had any luck yet finding anything about this on Cisco's web site.

Can anyone explain this further? At this point, I'm still baffled.

Thanks for your help!!

--
John