Solved

Not sure if there is a bug in 6.3.3 or my pix????

Posted on 2004-08-21
1,289 Views
Last Modified: 2010-05-18
I configured the PIX to do PAT from inside to outside and it worked great. The next day I configured 8 access-lists on the inside and outside interfaces. I also put an IP address on the DMZ and did a no shut. PAT stopped working and none of the access-lists worked. I did a clear xlate several times. I deleted those access-lists I configured. Still did not work. So, I backed out the changes and used the original setup I had, which I knew worked. I did another clear xlate but PAT still did not work. I unplugged the Cat5 from the DMZ on the PIX and noticed that the 100 Mbps light was still on. Still nothing was working. Finally, after two hours I reloaded the PIX and when it came back up PAT started working. In addition, the 100 Mbps light on the DMZ went off.

Are you supposed to reboot the PIX after applying access-lists or changing IPs on any of the interfaces?
Is the 100 Mbps light supposed to turn off when you unplug the cable?
Please advise.

Thank you
Question by:mcfr6070
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11859225
6.3.3 is still in beta release; the latest stable release is 6.2.3.

 
LVL 79

Expert Comment

by:lrmoore
ID: 11859862
In version 6.3.1, yes, there was a bug that required a reboot to make some changes take effect, but I've never seen this behavior in 6.3.3.
You may have an issue with proxy ARP if there are any other routers around the network. You can disable proxy ARP on the inside interface and the DMZ interface:
sysopt noproxyarp inside
sysopt noproxyarp dma

>and did a no shut
How did you do the no shut? Did you set the interface speed, or leave it on auto?

pix(config)#interface ethernet2 auto
or

pix(config)#interface ethernet2 100
 

Author Comment

by:mcfr6070
ID: 11860153
Sorry, it's 6.2.3.
I did #interface ethernet2 auto
I will do sysopt noproxyarp inside and sysopt noproxyarp dma tonight to test it. What will the proxy ARP do?
 
LVL 79

Accepted Solution

by:
lrmoore earned 350 total points
ID: 11860243
>sysopt noproxyarp dma

should be
sysopt noproxyarp DMZ

sysopt noproxyarp
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255.html#wp1026942

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for a host on a network. If one host is exchanged for another host with the same IP address, then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire, and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside

 

Author Comment

by:mcfr6070
ID: 11861977
Would you suggest I disable it on the DMZ and inside but not the outside? Great explanation, it really helped. I am boosting the points up. Thanks
 
LVL 79

Expert Comment

by:lrmoore
ID: 11863671
I would keep it on the outside if you have a NAT pool or if you have static translations.
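To make the ARP rules quoted in the accepted solution and the "keep it on the outside" advice concrete, here is an added Python model. It is not code from this thread, from Cisco, or from the PIX itself; it reads a PIX 6.x style configuration and answers whether the firewall would reply to an ARP request for a given address seen on a given interface, encoding only what the quoted documentation states: the interface's own address is always answered, and the mapped addresses of static and global commands are answered on their interface unless sysopt noproxyarp is set there. The configuration text, interface names, addresses and NAT ids are constructed for the example and are not the asker's real setup; nat 0 and port-level (tcp/udp) statics are deliberately left out of the model.

```python
"""Which ARP requests would a PIX 6.x answer on a given interface?

Added example; not code from the original thread or from Cisco.  It models
the behaviour quoted in the accepted solution: the PIX always answers ARP
for its own interface address and, unless `sysopt noproxyarp <if_name>` is
set, also proxy-ARPs on that interface for the mapped addresses of `static`
and `global` commands.  `nat 0` and tcp/udp port statics are not modelled.
All addresses, names and ids in the sample config are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

IPv4Net = ipaddress.IPv4Network


@dataclass
class PixArpModel:
    if_ip: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)
    proxied: Dict[str, List[IPv4Net]] = field(default_factory=dict)  # if_name -> mapped nets
    noproxyarp: Set[str] = field(default_factory=set)


IPADDR_RE = re.compile(r"^ip address (\w+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) \d+ (\S+)(?: netmask (\S+))?")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)(?: netmask (\S+))?")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\w+)$")


def parse_pix_config(text: str) -> PixArpModel:
    """Collect interface IPs, proxy-ARP candidate nets and noproxyarp flags."""
    model = PixArpModel()
    for raw in text.splitlines():
        line = raw.strip()
        if mo := IPADDR_RE.match(line):
            model.if_ip[mo.group(1)] = ipaddress.ip_address(mo.group(2))
        elif mo := GLOBAL_RE.match(line):
            if_name, addr, _mask = mo.groups()
            if addr == "interface":
                continue  # PAT on the interface address: already the interface IP
            if "-" in addr:  # pool written as first-last
                lo, hi = (ipaddress.ip_address(a) for a in addr.split("-"))
                nets = list(ipaddress.summarize_address_range(lo, hi))
            else:
                nets = [ipaddress.ip_network(addr)]
            model.proxied.setdefault(if_name, []).extend(nets)
        elif mo := STATIC_RE.match(line):
            _real_if, mapped_if, mapped, _real, mask = mo.groups()
            if mapped in ("tcp", "udp"):
                continue  # port-level static: not modelled here
            net = ipaddress.ip_network(f"{mapped}/{mask or '255.255.255.255'}", strict=False)
            model.proxied.setdefault(mapped_if, []).append(net)
        elif mo := NOPROXY_RE.match(line):
            model.noproxyarp.add(mo.group(1))
    return model


def arp_reply(model: PixArpModel, if_name: str, target: str) -> str:
    """'interface', 'proxy' or 'none' for an ARP request for `target` seen on if_name."""
    ip = ipaddress.ip_address(target)
    if model.if_ip.get(if_name) == ip:
        return "interface"  # never suppressed by sysopt noproxyarp
    if if_name in model.noproxyarp:
        return "none"
    if any(ip in net for net in model.proxied.get(if_name, [])):
        return "proxy"
    return "none"


def proxy_arp_conflicts(model: PixArpModel, if_name: str, live_hosts: List[str]) -> List[str]:
    """Real hosts on if_name's segment whose address the PIX would also claim.

    Two devices answering ARP for one address is the classic proxy-ARP failure
    mode: which MAC a neighbour caches becomes a race.
    """
    hits = [h for h in live_hosts if arp_reply(model, if_name, h) == "proxy"]
    return sorted(hits, key=ipaddress.ip_address)


# Constructed sample config (assumed addresses from RFC 5737 / RFC 1918 space).
BASE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.0.113.30 172.16.1.30 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.1.50 172.16.1.50 netmask 255.255.255.255 0 0
static (inside,dmz) 172.16.1.60 192.168.1.60 netmask 255.255.255.255 0 0
"""
# The thread's outcome: proxy ARP off on inside and dmz, kept on outside.
HARDENED_CONFIG = BASE_CONFIG + "sysopt noproxyarp inside\nsysopt noproxyarp dmz\n"

if __name__ == "__main__":
    for label, cfg in (("base", BASE_CONFIG), ("hardened", HARDENED_CONFIG)):
        m = parse_pix_config(cfg)
        print(label, "inside conflicts:",
              proxy_arp_conflicts(m, "inside", ["192.168.1.20", "192.168.1.50"]))
        print(label, "outside 203.0.113.15:", arp_reply(m, "outside", "203.0.113.15"))
```

Running it shows both sides of the advice above: with proxy ARP on, a static whose mapped address falls inside the inside subnet makes the PIX claim an address a real inside host may already own (proxy_arp_conflicts reports it), while after sysopt noproxyarp inside and dmz the PIX still proxy-ARPs the global pool and the outside static, so PAT and published servers keep working from the outside. To check a real box against the model, compare with the PIX's own show arp output and the sysopt lines in write terminal.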
 

Author Comment

by:mcfr6070
ID: 11864136
OK, I disabled it. How will I know if this is working?
 
LVL 79

Expert Comment

by:lrmoore
ID: 11864665
Make your desired changes, one at a time, and see if everything keeps working...
 

Author Comment

by:mcfr6070
ID: 11899424
I am trying to make my ACLs work; they seem to be applying as soon as I run the xlate. I don't see a problem anymore. Thanks lrmoore