Firewall Wizards mailing list archives

PIX 6.2(1) and Proxy Arp


From: "Crissup, John (MBNP is)" <John.Crissup () us millwardbrown com>
Date: Tue, 13 May 2003 14:25:14 -0500

  I'm trying to decide if I need to keep proxy arp enabled on my PIX
interfaces.

  My setup is as follows (all addressing has been changed for this example):

  Portable address space on my outside and two DMZ interfaces.  Private
address space on my inside interface.

PIX 520
Version 6.2(1)

Inside: 172.16.1.1/24
Outside: 12.1.1.2/24
DMZ1: 195.1.1.1/24
DMZ2: 195.2.1.1/24

global (outside) 1 12.1.1.254
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (DMZ1) 0 195.1.1.0 255.255.255.0 0 0
nat (DMZ2) 0 195.2.1.0 255.255.255.0 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0 
static (inside,DMZ2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0 
static (DMZ1,outside) 195.1.1.0 195.1.1.0 netmask 255.255.255.0 0 0 
static (DMZ2,outside) 195.2.1.0 195.2.1.0 netmask 255.255.255.0 0 0 

  My problem is, when I disable proxy arp on all four interfaces, I can no
longer access the Internet (outside interface) from my Private (inside
interface) network.  However, I can continue accessing my two DMZs and the
DMZs can still access the Internet.  Re-enabling proxy arp on the outside
interface fixed the problem.  However, I wouldn't expect this to be
necessary.

  I consulted with a systems engineer from Cisco and he was confused also.
My suspicion is that proxy arp may be required in order for the PAT
addressing to function properly.  However, I haven't had any luck yet
finding anything about this on Cisco's web site.

  Can anyone explain this further?  At this point, I'm still baffled.

  Thanks for your help!!

--
John



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
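An added worked example, not part of the original post or of any Cisco tool: it models why the outside interface is the only one where disabling proxy ARP hurts. A neighbouring router ARPs only for mapped addresses that fall inside the subnet it shares with the PIX; addresses mapped on a foreign subnet (the DMZ statics seen from outside, the inside statics seen from the DMZs) are reached by a route pointing at the PIX interface address and never depend on ARP. The interface addresses and NAT lines are the ones quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Interface addresses as listed in the post (already anonymised by the author).
INTERFACES = {
    "inside":  ipaddress.ip_interface("172.16.1.1/24"),
    "outside": ipaddress.ip_interface("12.1.1.2/24"),
    "DMZ1":    ipaddress.ip_interface("195.1.1.1/24"),
    "DMZ2":    ipaddress.ip_interface("195.2.1.1/24"),
}

# NAT configuration quoted in the post (constructed inline so this runs offline).
PIX_CONFIG = """\
global (outside) 1 12.1.1.254
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (DMZ1) 0 195.1.1.0 255.255.255.0 0 0
nat (DMZ2) 0 195.2.1.0 255.255.255.0 0 0
static (inside,DMZ1) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
static (inside,DMZ2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0 0 0
static (DMZ1,outside) 195.1.1.0 195.1.1.0 netmask 255.255.255.0 0 0
static (DMZ2,outside) 195.2.1.0 195.2.1.0 netmask 255.255.255.0 0 0
"""


def mapped_addresses(config):
    """Yield (mapped interface, mapped network) for every address the PIX
    presents to neighbours: PAT global addresses and static mapped ranges.
    PIX syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask."""
    for line in config.splitlines():
        m = re.match(r"global \((\w+)\) \d+ (\S+)$", line)
        if m:
            yield m.group(1), ipaddress.ip_network(m.group(2))
            continue
        m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            yield m.group(2), ipaddress.ip_network(
                f"{m.group(3)}/{m.group(5)}", strict=False)


def proxy_arp_dependencies(config, interfaces):
    """Return {interface: [networks]} for mapped addresses that sit inside
    that interface's own subnet but are not the interface address itself.
    The adjacent router ARPs for those directly, so only proxy ARP lets the
    PIX pick the traffic up; off-subnet mappings are routed and need no ARP."""
    deps = {}
    for ifname, net in mapped_addresses(config):
        ifaddr = interfaces[ifname]
        is_self = net.num_addresses == 1 and net.network_address == ifaddr.ip
        if net.subnet_of(ifaddr.network) and not is_self:
            deps.setdefault(ifname, []).append(str(net))
    return deps


if __name__ == "__main__":
    print(proxy_arp_dependencies(PIX_CONFIG, INTERFACES))
```

For the quoted configuration the only hit is the PAT address 12.1.1.254/32 on outside, which matches the observed behaviour: inside-to-Internet traffic (translated to that address) breaks, while the DMZ identity statics keep working.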

