This is the second time I have run into this issue and would like some other input. When I install a PIX 501 or 506 on a network I have internal connectivity issues directly linked to "mismatched" dynamic ARP statments on the client side. Now i think that the PIX is answering the ARP broadcast before the target machine is and giving it the wrong MAC address. I have worked around this by adding static arp statements on the client side. Am I missing something? What is the work around besides this?Luckily this is a less than 10 node network and doing this is not really labor intesive but on the large network we replaced the PIX with a new one and no problems. Thoughts?? If you like my post let me know if I blow an answer...well it's probably late and I have had too many beers! Cheers!!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Riddle me this
- Thread starter CMASPE
- Start date
HI.
I have not (yet?) encountered this problem.
Post here a sample configuration and network info - it might be a configuration issue.
Anyway, you can try to disable proxy-arp at the pix - look at the pix documentation for details.
I would recommend not to use the manual ARP solution. It seems to me like a very bad idea even for a small network.
For sure someone will fall to that trap in the future.
Bye
Yizhar Hurwitz
I have not (yet?) encountered this problem.
Post here a sample configuration and network info - it might be a configuration issue.
Anyway, you can try to disable proxy-arp at the pix - look at the pix documentation for details.
I would recommend not to use the manual ARP solution. It seems to me like a very bad idea even for a small network.
For sure someone will fall to that trap in the future.
Bye
Yizhar Hurwitz
- Thread starter
- #3
Yizhar..I am not to thrilled about the static arp statements either and just got a call from them that they are still having connectivity issues. Cou,d it be the switch playing a role in this???
PIX 501 config below...seems straight forward?!
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 1 permit tcp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.67 eq pop3
access-list 1 permit tcp any host XX.XX.XX.67 eq smtp
access-list 1 permit tcp any host XX.XX.XX.67 eq www
access-list 1 permit tcp any host XX.XX.XX.68 eq 1433
access-list 1 permit tcp any host XX.XX.XX.70 eq 3389
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.66 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.80-XX.XX.XX.90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.67 XX.XX.XX.67 255.255.255.255
alias (inside) 192.168.1.69 XX.XX.XX.69 255.255.255.255
alias (inside) 192.168.1.68 XX.XX.XX.68 255.255.255.255
alias (inside) 192.168.1.70 XX.XX.XX.70 255.255.255.255
static (inside,outside) XX.XX.XX.69 192.168.1.69 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.67 192.168.1.67 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.68 192.168.1.68 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.70 192.168.1.70 netmask 255.255.255.255 0 0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 63.74.35.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
no sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:50cde038086eebcdf3fe83a1b7a071dc
: end If you like my post let me know if I blow an answer...well it's probably late and I have had too many beers! Cheers!!
PIX 501 config below...seems straight forward?!
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 1 permit tcp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.67 eq pop3
access-list 1 permit tcp any host XX.XX.XX.67 eq smtp
access-list 1 permit tcp any host XX.XX.XX.67 eq www
access-list 1 permit tcp any host XX.XX.XX.68 eq 1433
access-list 1 permit tcp any host XX.XX.XX.70 eq 3389
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside XX.XX.XX.66 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 XX.XX.XX.80-XX.XX.XX.90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.67 XX.XX.XX.67 255.255.255.255
alias (inside) 192.168.1.69 XX.XX.XX.69 255.255.255.255
alias (inside) 192.168.1.68 XX.XX.XX.68 255.255.255.255
alias (inside) 192.168.1.70 XX.XX.XX.70 255.255.255.255
static (inside,outside) XX.XX.XX.69 192.168.1.69 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.67 192.168.1.67 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.68 192.168.1.68 netmask 255.255.255.255 0 0
static (inside,outside) XX.XX.XX.70 192.168.1.70 netmask 255.255.255.255 0 0
access-group 1 in interface outside
route outside 0.0.0.0 0.0.0.0 63.74.35.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
no sysopt noproxyarp inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:50cde038086eebcdf3fe83a1b7a071dc
: end If you like my post let me know if I blow an answer...well it's probably late and I have had too many beers! Cheers!!
HI.
My first guess - something with the "alias" commands - as this command does also NAT on the reverse direction.
Try this:
sysopt noproxyarp inside
Read here the usage guidelines and the note:
Instead of using the Alias, if you have an internal DNS server then you can map DNS names to internal ip addresses and then no need for the alias command.
Some other comments:
access-list 1 permit tcp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.69 eq domain
I recommend that you don't allow incoming DNS queries. Let your ISP manage your "outside" DNS zone, and use your W2K DNS server internaly only.
access-list 1 permit tcp any host XX.XX.XX.67 eq www
access-list 1 permit tcp any host XX.XX.XX.68 eq 1433
access-list 1 permit tcp any host XX.XX.XX.70 eq 3389
You know you should secure the server and apply all post SP2 security updates - right?
But applying all current patches will still not be good enough in many cases. If applicable, better allow access to those services only from a secure and authenticated VPN tunnel.
Bye
Yizhar Hurwitz
My first guess - something with the "alias" commands - as this command does also NAT on the reverse direction.
Try this:
sysopt noproxyarp inside
Read here the usage guidelines and the note:
Instead of using the Alias, if you have an internal DNS server then you can map DNS names to internal ip addresses and then no need for the alias command.
Some other comments:
access-list 1 permit tcp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.67 eq domain
access-list 1 permit udp any host XX.XX.XX.69 eq domain
access-list 1 permit tcp any host XX.XX.XX.69 eq domain
I recommend that you don't allow incoming DNS queries. Let your ISP manage your "outside" DNS zone, and use your W2K DNS server internaly only.
access-list 1 permit tcp any host XX.XX.XX.67 eq www
access-list 1 permit tcp any host XX.XX.XX.68 eq 1433
access-list 1 permit tcp any host XX.XX.XX.70 eq 3389
You know you should secure the server and apply all post SP2 security updates - right?
But applying all current patches will still not be good enough in many cases. If applicable, better allow access to those services only from a secure and authenticated VPN tunnel.
Bye
Yizhar Hurwitz
- Status
Similar threads
- Locked
- Question
- Locked
- Question