Re: PIX problem: response its MAC to ARP request for one [7:102045] posted 08/17/2005

Perfect! Thanks a lot!

"Neteng" wrote in message
> Yes, I have
> sysopt noproxyarp
> ARP (Address Resolution Protocol) is a layer two protocol that resolves an
> IP address to a physical address, also called a Media Access Controller
> (MAC) address. A host sends an ARP request asking "Who is this IP?" The
> device owning the IP should reply with "Hey, I am the one, here's my MAC
> address."
> Proxy ARP refers to a gateway device, in this case, the firewall,
> "impersonating" an IP address and returning its own MAC address to answer an
> ARP request for another device.
> The firewall builds a table from responses to ARP requests to map physical
> addresses to IP addresses. A periodic ARP function is enabled in the default
> configuration. The presence of entries in the ARP cache indicates that the
> firewall has network connectivity. The show arp command lists the entries in
> the ARP table. Usually, administrators do not need to manually manipulate
> ARP entries on the firewall. This is done only when troubleshooting or
> solving network connectivity problems.
> The arp command is used to add a permanent entry for a host on a network. If
> one host is exchanged for another host with the same IP address then the
> "clear arp" command can be used to clear the ARP cache on the PIX.
> Alternatively, you can wait for the duration specified with the arp timeout
> command to expire and the ARP table rebuilds itself automatically with the
> new host information.
> The sysopt noproxyarp command is used to disable Proxy ARPs on an interface
> from the command-line interface. By default, the PIX Firewall responds to
> ARP requests directed at the PIX Firewall's interface IP addresses as well
> as to ARP requests for any static or global address defined on the PIX
> Firewall interface (which are proxy ARP requests).
> The sysopt noproxyarp if_name command lets you disable proxy ARP request
> responses on a PIX Firewall interface. However, this command does not
> disable (non-proxy) ARP requests on the PIX Firewall interface itself.
> Consequently, if you use the sysopt noproxyarp if_name command, the PIX
> Firewall no longer responds to ARP requests for the addresses in the static,
> global, and nat 0 commands for that interface but does respond to ARP
> requests for its interface IP addresses.
> To disable Proxy ARPs on the inside interface:
> sysopt noproxyarp inside
> To enable Proxy ARPs on the inside interface:
> no sysopt noproxyarp inside
> "Dixon" wrote in message
> news:200508171433.j7HEXYpN012470@xxxxxxxxxxxxxxxxx
>> A network has a 2003 server ServerA and a PIX515. The connection from my PC
>> to ServerA appears intermittently unreachable. I captured the network
>> traffic and found the PIX responds with its MAC to the ServerA IP address ARP
>> request. In the case of ServerA responding with its IP, it will work fine. But
>> when the PIX responds with its MAC, in my ARP cache, the ServerA IP address
>> maps to the PIX address.
>> I don't know why the PIX responds to the ARP request even though it doesn't
>> have the IP address.
>> Anybody met this before?
>> Thanks
>> Dixon
