Not sure if there is a bug in 6.3.3 or my pix????

Posted on 2004-08-21
Last Modified: 2010-05-18
I configured the pix to do pat from inside to outside and it worked great. The next day I configured 8 access-lists to the inside and outside interface. I also put an ip address on the dmz and did a no shut. Pat stopped working and none of the access-listed worked. I did a clear xlate several times. I deleted those access-lists I configured. Still did not work. So, I back out the changes and used the original setup I have, which I knew worked. I did another clear xlate but pat still did not work. I unplugged the cat5 from the dmz on the pix and notice that the 100 MPS light was still on. Still nothing was working. Finally, after two hours I reloaded the pix and when it came back up pat started working? In addition the 100MPS on the DMZ light when off?

Are you suppose to reboot the pix after applying access-list or changing ips on any of the interfaces?
Is the 100MPS light suppose to turn off when you unplug the cable?
Please advice

Thank you
Question by:mcfr6070
  • 4
  • 4
LVL 15

Expert Comment

ID: 11859225
6.3.3 is still in beta release.. the latest stable release is 6.2.3

LVL 79

Expert Comment

ID: 11859862
In version 6.3.1 yes, there was a bug that required reboot to make some changes take affect, but I've never seen this behavior in 6.3.3.
You may have an issue with Proxy arp if there are any other routers around the network. You can disable proxy arp on the inside interface and the dmz interface
sysopt noproxyarp inside
sysopt noproxyarp dma

>and did a no shut
How did you do the no shut? Did you set the interface speed, or leave it on auto?

pix(config)#interface ethernet2 auto

pix(config)#interface ethernet2 100

Author Comment

ID: 11860153
sorry its 6.2.3.
I did #interface ethernet2 auto
I will do sysopt noproxyarp inside and sysopt noproxyarp dma tonight to test it. What will the proxyarp do?
LVL 79

Accepted Solution

lrmoore earned 350 total points
ID: 11860243
>sysopt noproxyarp dma

should be
sysopt noproxyarp DMZ

sysopt noproxyarp

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for host on a network. If one host is exchanged for another host with the same IP address then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.


Author Comment

ID: 11861977
Would you suggest i disable it on the DMZ and inside but not the outside ? Great explanation, it really helped. I am boosting the points up.  thanks
LVL 79

Expert Comment

ID: 11863671
I would keep it on the outside if you have a nat pool or of you have static translations.

Author Comment

ID: 11864136
ok i disabled it, how will i know if this is working?
LVL 79

Expert Comment

ID: 11864665
Make your desired changes, one at a time, and see if everything keeps working...

Author Comment

ID: 11899424
I am trying to make my acls work they seem to be applying as soon as i run the xlate. I dont see a problem anymore. thanks Irmoore

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Access List 2 18
Cisco ASA IOS 9.x - no route to host for Internet 4 46
Using VLAN Interface in ASA 5 17
VTP / VLANs and Sub-Interfaces 4 21
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …
Delivering innovative fully-managed cloud services for mission-critical applications requires expertise in multiple areas plus vision and commitment. Meet a few of the people behind the quality services of Concerto.

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now