Not sure if there is a bug in 6.3.3 or my pix????

Posted on 2004-08-21
Last Modified: 2010-05-18
I configured the pix to do pat from inside to outside and it worked great. The next day I configured 8 access-lists to the inside and outside interface. I also put an ip address on the dmz and did a no shut. Pat stopped working and none of the access-lists worked. I did a clear xlate several times. I deleted those access-lists I configured. Still did not work. So, I backed out the changes and used the original setup I had, which I knew worked. I did another clear xlate but pat still did not work. I unplugged the cat5 from the dmz on the pix and noticed that the 100 Mbps light was still on. Still nothing was working. Finally, after two hours I reloaded the pix and when it came back up pat started working. In addition the 100 Mbps light on the DMZ went off.

Are you supposed to reboot the pix after applying access-lists or changing ips on any of the interfaces?
Is the 100 Mbps light supposed to turn off when you unplug the cable?
Please advise.

Thank you
Question by:mcfr6070
LVL 15

Expert Comment

ID: 11859225
6.3.3 is still in beta release.. the latest stable release is 6.2.3

LVL 79

Expert Comment

ID: 11859862
In version 6.3.1 yes, there was a bug that required a reboot to make some changes take effect, but I've never seen this behavior in 6.3.3.
You may have an issue with Proxy arp if there are any other routers around the network. You can disable proxy arp on the inside interface and the dmz interface
sysopt noproxyarp inside
sysopt noproxyarp dma

>and did a no shut
How did you do the no shut? Did you set the interface speed, or leave it on auto?

pix(config)#interface ethernet2 auto

pix(config)#interface ethernet2 100

Author Comment

ID: 11860153
Sorry, it's 6.2.3.
I did #interface ethernet2 auto
I will do sysopt noproxyarp inside and sysopt noproxyarp dma tonight to test it. What will the proxyarp do?

LVL 79

Accepted Solution

lrmoore earned 350 total points
ID: 11860243
>sysopt noproxyarp dma

should be
sysopt noproxyarp DMZ

sysopt noproxyarp

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for a host on a network. If one host is exchanged for another host with the same IP address, then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire, and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside
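To put the advice from this answer into context, here is an added example of a PIX 6.2/6.3 configuration fragment; it is not from the thread or from Cisco documentation, and every interface name, address and security level in it is assumed. It shows the DMZ interface being enabled (on PIX 6.x the "no shut" is simply the interface command without the shutdown keyword, as the author did), the inside-to-outside PAT the author originally had working, and proxy ARP disabled on inside and dmz only, leaving it enabled on outside, where the PIX must still answer ARP for its global (PAT) address. Lines starting with "!" are explanatory comments for the reader, not configuration.

```cisco
! Added example, not the thread's configuration; all values assumed.
! Interface names and security levels
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Enable the interfaces; "auto" without "shutdown" brings the port up
! (the PIX 6.x equivalent of "no shut")
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto

! Assumed addressing (RFC 5737 / RFC 1918 ranges)
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

! PAT: every inside host is translated to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Disable proxy ARP where another router could also answer for hosts.
! Proxy ARP stays on outside so the PIX still answers ARP for the
! global/static addresses it translates to.
sysopt noproxyarp inside
sysopt noproxyarp dmz
```

After applying the change, `clear xlate` forces new translations to be built, `show xlate` confirms that inside hosts are being PATed to the outside address, and `show arp` on the PIX together with `arp -a` on an inside host will show whether the firewall's MAC is still being returned for addresses other than its own interface IP.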


Author Comment

ID: 11861977
Would you suggest I disable it on the DMZ and inside but not the outside? Great explanation, it really helped. I am boosting the points up. Thanks
LVL 79

Expert Comment

ID: 11863671
I would keep it on the outside if you have a nat pool or if you have static translations.

Author Comment

ID: 11864136
OK, I disabled it; how will I know if this is working?
LVL 79

Expert Comment

ID: 11864665
Make your desired changes, one at a time, and see if everything keeps working...

Author Comment

ID: 11899424
I am trying to make my ACLs work; they seem to be applying as soon as I run the xlate. I don't see a problem anymore. Thanks lrmoore
