Re: [fw-wiz] PIX 6.2(1) and Proxy Arp

From: Luca Berra (bluca_at_comedia.it)
Date: 05/14/03

  • Next message: Julian Gomez: "Re: [fw-wiz] Custom Unix server installations -- to harden extensively ?"
    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 14 May 2003 15:56:55 +0200
    

    On Tue, May 13, 2003 at 02:25:14PM -0500, Crissup, John (MBNP is) wrote:
    ....
    >Outside: 12.1.1.2/24
    ....
    >global (outside) 1 12.1.1.254
    >nat (inside) 1 172.16.1.0 255.255.255.0 0 0

    You probably need proxy ARP on the outside interface; it depends on what is
    outside.

    > My problem is, when I disable proxy arp on all four interfaces, I can no
    >longer access the Internet (outside interface) from my Private (inside
    >interface) network. However, I can continue accessing my two DMZ's and the
    >DMZ's can still access the Internet. Reenabling proxy arp on the outside
    >interface fixed the problem. However, I wouldn't expect this to be
    >necessary.

    I'll try to explain:
    proxy ARP means answering an ARP request for an IP address different from
    the one configured on the physical interface (if I have a static or global
    for it, that is).

    Assume on the outside of the PIX you only have router R, with
    a default route to the Internet,
    an Ethernet interface (say 12.1.1.1/24)
    and two static routes to DMZ1 and DMZ2 via your firewall.

    A packet comes from the inside, gets to the PIX, gets NATed and...
    R receives a packet from IP 12.1.1.254 directed to the Internet...
    R consults its routing table: oh yeah, the Internet is that way! and sends
    the packet on...
    A while later a packet arrives from the Internet directed to 12.1.1.254
    ...
    R consults its routing table: oh yeah, 12.1.1.254 is directly connected
    to my Ethernet interface, let's send an ARP request so I can get the
    correct MAC address of the destination....
    ***, no one is answering, let's toss that packet.

    Conversely, when a packet comes from the Internet destined for one of the
    DMZs...
    R consults its routing table: oh yeah, DMZ1 lies behind 12.1.1.2 and
    12.1.1.2 is directly connected to my Ethernet interface, let's send an
    ARP request so I can get the correct MAC address of the destination...
    oh, it is MA:CA:DD:OF:PI:XF, and sends the packet on...

    (try to picture that with the characters from goodwarriors.mpeg)

    > I consulted with a systems engineer from Cisco and he was confused also.
    sack 'im :)))))) (just kidding)

    L.

    P.S. In my example you could also put a static for 12.1.1.254 on R via
    12.1.1.2 and avoid the proxy ARP, but I don't know if it applies to you and
    it is probably not worth the hassle.

    L.

    -- 
    Luca Berra -- bluca@comedia.it
            Communication Media & Services S.r.l.
     /"\
     \ /     ASCII RIBBON CAMPAIGN
      X        AGAINST HTML MAIL
     / \
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
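The forwarding decision Luca walks through above, as an added example that is not part of the original message or of any Cisco code: a small Python model of router R doing a longest-prefix route lookup and then ARPing on the Ethernet segment, where the PIX answers only for its own interface address unless proxy ARP is on. It reproduces the three cases from the post (global 12.1.1.254 dropped without proxy ARP, DMZ traffic via 12.1.1.2 still forwarded, and the P.S. host route for 12.1.1.254 via 12.1.1.2). The DMZ prefixes 10.1.1.0/24 and 10.1.2.0/24, the upstream interface name serial0 and the test destination 198.51.100.7 are assumptions; the post does not give them.

```python
# Added example (not from the original post): a model of router R's
# forwarding decision, showing why the return packet for the global
# 12.1.1.254 is dropped without proxy ARP while DMZ packets get through.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[IPv4]  # None: destination is directly connected on iface
    iface: str


@dataclass
class Pix:
    """The PIX outside interface as seen from R's Ethernet segment."""
    mac: str
    interface_ip: IPv4
    proxy_arp: bool
    published: frozenset  # addresses covered by a global or static here

    def answer_arp(self, target: IPv4) -> Optional[str]:
        # Always answers for its own interface address; answers for
        # global/static addresses only when proxy ARP is enabled.
        if target == self.interface_ip:
            return self.mac
        if self.proxy_arp and target in self.published:
            return self.mac
        return None


class RouterR:
    def __init__(self, routes: List[Route], eth_iface: str, pix: Pix):
        self.routes = routes
        self.eth_iface = eth_iface
        self.pix = pix  # the only ARP-answering host we model on the segment

    def lookup(self, dst: IPv4) -> Optional[Route]:
        # Longest-prefix match, as a real router does.
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def forward(self, dst: IPv4) -> str:
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route"
        if route.iface != self.eth_iface:
            return f"sent out {route.iface}"
        # On the Ethernet side R must ARP for the next hop, or for the
        # destination itself if the route says it is directly connected.
        arp_target = route.next_hop if route.next_hop is not None else dst
        mac = self.pix.answer_arp(arp_target)
        if mac is None:
            return f"dropped: no ARP reply for {arp_target}"
        return f"sent to {mac} (ARP target {arp_target})"


def build_router(proxy_arp: bool, static_for_global: bool = False) -> RouterR:
    """Router R from the post. DMZ prefixes 10.1.1.0/24 and 10.1.2.0/24 and
    the upstream interface serial0 are assumed; the post does not give them."""
    pix = Pix(mac="MA:CA:DD:OF:PI:XF", interface_ip=IPv4("12.1.1.2"),
              proxy_arp=proxy_arp, published=frozenset({IPv4("12.1.1.254")}))
    routes = [
        Route(Net("0.0.0.0/0"), None, "serial0"),             # default to the Internet
        Route(Net("12.1.1.0/24"), None, "eth0"),              # connected segment
        Route(Net("10.1.1.0/24"), IPv4("12.1.1.2"), "eth0"),  # DMZ1 via the PIX
        Route(Net("10.1.2.0/24"), IPv4("12.1.1.2"), "eth0"),  # DMZ2 via the PIX
    ]
    if static_for_global:
        # The P.S. alternative: a host route for the global via the PIX.
        routes.append(Route(Net("12.1.1.254/32"), IPv4("12.1.1.2"), "eth0"))
    return RouterR(routes, "eth0", pix)


if __name__ == "__main__":
    for proxy, static in ((False, False), (True, False), (False, True)):
        r = build_router(proxy, static)
        print(f"proxy_arp={proxy} static_for_global={static}")
        for dst in ("12.1.1.254", "10.1.1.5", "198.51.100.7"):
            print(f"  {dst:<14} -> {r.forward(IPv4(dst))}")
```

Running it prints one line per destination for each of the three router configurations; the "dropped: no ARP reply for 12.1.1.254" line in the first configuration is the behaviour the original poster saw, and the other two configurations show the two fixes Luca describes (proxy ARP on the outside interface, or a host route on R).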
    
