Not sure if there is a bug in 6.3.3 or my PIX?

I configured the PIX to do PAT from inside to outside and it worked great. The next day I configured 8 access-lists on the inside and outside interfaces. I also put an IP address on the DMZ and did a no shut. PAT stopped working and none of the access-lists worked. I did a clear xlate several times. I deleted those access-lists I configured. Still did not work. So, I backed out the changes and used the original setup I had, which I knew worked. I did another clear xlate but PAT still did not work. I unplugged the Cat5 from the DMZ on the PIX and noticed that the 100 Mbps light was still on. Still nothing was working. Finally, after two hours I reloaded the PIX and when it came back up PAT started working. In addition, the 100 Mbps light on the DMZ went off.

Are you supposed to reboot the PIX after applying an access-list or changing IPs on any of the interfaces?
Is the 100 Mbps light supposed to turn off when you unplug the cable?
Please advise.

Thank you
mcfr6070 Asked:

lrmoore Commented (accepted solution):
>sysopt noproxyarp dma

should be
sysopt noproxyarp DMZ

sysopt noproxyarp
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255.html#wp1026942

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for a host on a network. If one host is exchanged for another host with the same IP address, then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside

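To make the rule in the answer above concrete (interface IPs are always answered; static, global and nat 0 addresses are answered only while proxy ARP is enabled on that interface), here is a small model of the PIX ARP-reply decision. It is an added example, not configuration or code from the original thread or from Cisco; the interface names and addresses are constructed sample values.

```python
# Added example: models the PIX 6.x ARP-reply rule described in the answer,
# so you can reason about what "sysopt noproxyarp <if_name>" changes.
# Interface names and addresses are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class PixInterface:
    name: str
    ip: IPv4Address
    # Addresses this interface proxies for: targets of static, global and
    # nat 0 entries. The PIX answers ARP for these unless noproxyarp is set.
    proxied: set = field(default_factory=set)
    noproxyarp: bool = False


def answers_arp(iface: PixInterface, target: str) -> bool:
    """Return True if the PIX replies to an ARP request for `target`
    received on `iface`. Its own interface IP is always answered;
    static/global/nat 0 addresses only while proxy ARP is enabled."""
    target_ip = IPv4Address(target)
    if target_ip == iface.ip:
        return True
    if iface.noproxyarp:
        return False
    return target_ip in iface.proxied


def apply_sysopt_noproxyarp(pix: dict, if_name: str) -> None:
    """Model 'sysopt noproxyarp <if_name>' on the PIX configuration."""
    pix[if_name].noproxyarp = True


def build_sample_pix() -> dict:
    """Constructed sample: outside carries a global (PAT) address and a
    static; inside and dmz carry one nat 0 identity address each."""
    ip = IPv4Address
    return {
        "outside": PixInterface("outside", ip("198.51.100.1"),
                                {ip("198.51.100.10"), ip("198.51.100.20")}),
        "inside": PixInterface("inside", ip("10.0.0.1"), {ip("10.0.0.50")}),
        "dmz": PixInterface("dmz", ip("172.16.0.1"), {ip("172.16.0.50")}),
    }
```

Disabling proxy ARP on inside and dmz, as suggested in the thread, stops those interfaces answering for the nat 0 hosts while the outside interface keeps answering for its global and static addresses.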
Yan_west Commented:
6.3.3 is still in beta release. The latest stable release is 6.2.3.

lrmoore Commented:
In version 6.3.1, yes, there was a bug that required a reboot to make some changes take effect, but I've never seen this behavior in 6.3.3.
You may have an issue with proxy ARP if there are any other routers around the network. You can disable proxy ARP on the inside interface and the DMZ interface:
sysopt noproxyarp inside
sysopt noproxyarp dma

>and did a no shut
How did you do the no shut? Did you set the interface speed, or leave it on auto?

pix(config)#interface ethernet2 auto
or

pix(config)#interface ethernet2 100

mcfr6070 Author Commented:
Sorry, it's 6.2.3.
I did #interface ethernet2 auto
I will do sysopt noproxyarp inside and sysopt noproxyarp dma tonight to test it. What will the proxyarp do?

mcfr6070 Author Commented:
Would you suggest I disable it on the DMZ and inside but not the outside? Great explanation, it really helped. I am boosting the points up. Thanks.

lrmoore Commented:
I would keep it on the outside if you have a NAT pool or if you have static translations.

mcfr6070 Author Commented:
OK, I disabled it. How will I know if this is working?

lrmoore Commented:
Make your desired changes, one at a time, and see if everything keeps working...

mcfr6070 Author Commented:
I am trying to make my ACLs work. They seem to be applying as soon as I run the clear xlate. I don't see a problem anymore. Thanks, lrmoore.