Re: PIX problem: response its MAC to ARP request for one [7:102045] posted 08/17/2005
- Subject: Re: PIX problem: response its MAC to ARP request for one [7:102045]
- From: "Dixon" <dixonhu@xxxxxxxxxxx>
- Date: Wed, 17 Aug 2005 12:34:53 -0400
Perfect! Thanks a lot!
"Neteng" wrote in message
> Yes, I have
> sysopt noproxyarp
> ARP (Address Resolution Protocol) is a layer two protocol that resolves an
> IP address to a physical address, also called a Media Access Controller
> (MAC) address. A host sends an ARP request asking "Who is this IP?" The
> device owning the IP should reply with "Hey, I am the one, here's my MAC
> Proxy ARP refers to a gateway device, in this case, the firewall,
> "impersonating" an IP address and returning its own MAC address to answer
> an ARP request for another device.
> The firewall builds a table from responses to ARP requests to map physical
> addresses to IP addresses. A periodic ARP function is enabled in the
> configuration. The presence of entries in the ARP cache indicates that the
> firewall has network connectivity. The show arp command lists the entries
> the ARP table. Usually, administrators do not need to manually manipulate
> ARP entries on the firewall. This is done only when troubleshooting or
> solving network connectivity problems.
> The arp command is used to add a permanent entry for a host on a network. If
> one host is exchanged for another host with the same IP address then the
> "clear arp" command can be used to clear the ARP cache on the PIX.
> Alternatively, you can wait for the duration specified with the arp
> command to expire and the ARP table rebuilds itself automatically with the
> new host information.
> The sysopt noproxyarp command is used to disable Proxy ARPs on an
> from the command-line interface. By default, the PIX Firewall responds to
> ARP requests directed at the PIX Firewall's interface IP addresses as well
> as to ARP requests for any static or global address defined on the PIX
> Firewall interface (which are proxy ARP requests).
> The sysopt noproxyarp if_name command lets you disable proxy ARP request
> responses on a PIX Firewall interface. However, this command does not
> disable (non-proxy) ARP requests on the PIX Firewall interface itself.
> Consequently, if you use the sysopt noproxyarp if_name command, the PIX
> Firewall no longer responds to ARP requests for the addresses in the
> global, and nat 0 commands for that interface but does respond to ARP
> requests for its interface IP addresses.
> To disable Proxy ARPs on the inside interface:
> sysopt noproxyarp inside
> To enable Proxy ARPs on the inside interface:
> no sysopt noproxyarp inside
> "Dixon" wrote in message
>> A network has a 2003 server ServerA and a PIX515. The connection from my
>> to ServerA appears intermittently unreachable. I captured the network
>> traffic and found the PIX responds with its MAC to the ServerA IP address ARP
>> request. In the case ServerA responds with its IP, it works fine. But when
>> PIX responds with its MAC, in my ARP cache, the ServerA IP address maps to PIX
>> I don't know why PIX responds to the ARP request even though it doesn't have the
>> Anybody met this before?
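An added example (not part of the original thread): a Python check that reads ARP replies from captured Ethernet frames and reports the symptom described above, one IP answered by two different MACs, plus any MAC that answers for more than one IP. All addresses and frames are constructed sample data, and the function names are this example's own.

```python
import struct
from collections import defaultdict

def parse_arp_reply(frame: bytes):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None  # too short, or not EtherType ARP
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != 2:
        return None  # only Ethernet/IPv4 replies (opcode 2) are of interest
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac

def find_proxy_arp(frames):
    """Return (conflicts, suspects): IPs answered by >1 MAC, MACs answering for >1 IP."""
    macs_for_ip, ips_for_mac = defaultdict(set), defaultdict(set)
    for frame in frames:
        reply = parse_arp_reply(frame)
        if reply:
            macs_for_ip[reply[0]].add(reply[1])
            ips_for_mac[reply[1]].add(reply[0])
    conflicts = {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}
    suspects = sorted(m for m, ips in ips_for_mac.items() if len(ips) > 1)
    return conflicts, suspects

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (sample data helper)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(tha) + mac(sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample: client asks for the server; both server and firewall answer.
CLIENT, SERVER, FW = "02:00:00:00:00:50", "00:11:22:33:44:55", "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_arp(1, CLIENT, "192.0.2.50", "ff:ff:ff:ff:ff:ff", "192.0.2.10"),  # request
    build_arp(2, SERVER, "192.0.2.10", CLIENT, "192.0.2.50"),  # genuine reply
    build_arp(2, FW, "192.0.2.10", CLIENT, "192.0.2.50"),      # proxy ARP reply
    build_arp(2, FW, "192.0.2.1", CLIENT, "192.0.2.50"),       # firewall's own IP
]

if __name__ == "__main__":
    conflicts, suspects = find_proxy_arp(SAMPLE_FRAMES)
    for ip, macs in conflicts.items():
        print(f"{ip} answered by multiple MACs: {', '.join(macs)}")
    print("MACs answering for more than one IP:", suspects)
```

A MAC that appears in both results is the device to check for proxy ARP on that interface.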