
Not sure if there is a bug in 6.3.3 or my pix????

Posted on 2004-08-21
Last Modified: 2010-05-18
I configured the PIX to do PAT from inside to outside and it worked great. The next day I configured 8 access-lists on the inside and outside interfaces. I also put an IP address on the DMZ and did a no shut. PAT stopped working and none of the access-lists worked. I did a clear xlate several times. I deleted the access-lists I had configured. It still did not work. So I backed out the changes and went back to the original setup, which I knew worked. I did another clear xlate, but PAT still did not work. I unplugged the Cat5 from the DMZ port on the PIX and noticed that the 100 Mbps light was still on. Still nothing was working. Finally, after two hours, I reloaded the PIX, and when it came back up PAT started working. In addition, the 100 Mbps light on the DMZ went off.

Are you supposed to reboot the PIX after applying access-lists or changing IPs on any of the interfaces?
Is the 100 Mbps light supposed to turn off when you unplug the cable?
Please advise.

Thank you
Question by:mcfr6070
9 Comments

Expert Comment

by:Yan_west
ID: 11859225
6.3.3 is still a beta release; the latest stable release is 6.2.3.




Expert Comment

by:lrmoore
ID: 11859862
In version 6.3.1, yes, there was a bug that required a reboot to make some changes take effect, but I've never seen this behavior in 6.3.3.
You may have an issue with proxy ARP if there are any other routers around the network. You can disable proxy ARP on the inside interface and the DMZ interface:
sysopt noproxyarp inside
sysopt noproxyarp dma

>and did a no shut
How did you do the no shut? Did you set the interface speed, or leave it on auto?

pix(config)#interface ethernet2 auto
or

pix(config)#interface ethernet2 100

Author Comment

by:mcfr6070
ID: 11860153
Sorry, it's 6.2.3.
I did #interface ethernet2 auto.
I will do sysopt noproxyarp inside and sysopt noproxyarp dma tonight to test it. What will the proxyarp do?

Accepted Solution

by:lrmoore (earned 350 total points)
ID: 11860243
>sysopt noproxyarp dma

should be
sysopt noproxyarp DMZ

sysopt noproxyarp
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a0080104255.html#wp1026942

ARP (Address Resolution Protocol) is a layer two protocol that resolves an IP address to a physical address, also called a Media Access Controller (MAC) address. A host sends an ARP request asking "Who is this IP?" The device owning the IP should reply with "Hey, I am the one, here's my MAC address."

Proxy ARP refers to a gateway device, in this case, the firewall, "impersonating" an IP address and returning its own MAC address to answer an ARP request for another device.

The firewall builds a table from responses to ARP requests to map physical addresses to IP addresses. A periodic ARP function is enabled in the default configuration. The presence of entries in the ARP cache indicates that the firewall has network connectivity. The show arp command lists the entries in the ARP table. Usually, administrators do not need to manually manipulate ARP entries on the firewall. This is done only when troubleshooting or solving network connectivity problems.

The arp command is used to add a permanent entry for a host on a network. If one host is exchanged for another host with the same IP address, then the "clear arp" command can be used to clear the ARP cache on the PIX. Alternatively, you can wait for the duration specified with the arp timeout command to expire, and the ARP table rebuilds itself automatically with the new host information.

The sysopt noproxyarp command is used to disable Proxy ARPs on an interface from the command-line interface. By default, the PIX Firewall responds to ARP requests directed at the PIX Firewall's interface IP addresses as well as to ARP requests for any static or global address defined on the PIX Firewall interface (which are proxy ARP requests).

The sysopt noproxyarp if_name command lets you disable proxy ARP request responses on a PIX Firewall interface. However, this command does not disable (non-proxy) ARP requests on the PIX Firewall interface itself. Consequently, if you use the sysopt noproxyarp if_name command, the PIX Firewall no longer responds to ARP requests for the addresses in the static, global, and nat 0 commands for that interface but does respond to ARP requests for its interface IP addresses.

To disable Proxy ARPs on the inside interface:

sysopt noproxyarp inside


Author Comment

by:mcfr6070
ID: 11861977
Would you suggest I disable it on the DMZ and inside but not the outside? Great explanation, it really helped. I am boosting the points up. Thanks.

Expert Comment

by:lrmoore
ID: 11863671
I would keep it on the outside if you have a NAT pool or if you have static translations.
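An added example (mine, not part of this thread and not Cisco code) that models the behaviour lrmoore describes in the accepted solution and in the advice above to keep proxy ARP on the outside when a global pool or statics live there: the PIX always answers ARP for its own interface address, and answers for the mapped addresses of static and global commands on an interface only while proxy ARP is still enabled on that interface. The config fragment, addresses and MACs are constructed; nat 0 and access-list based statics are left out of the model, and real ARP frames are built and parsed so the decision can be checked against the bytes on the wire.

```python
"""Model of how a PIX 6.x answers ARP on an interface, with and without
'sysopt noproxyarp <if_name>'. Constructed example; not PIX code."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
PIX_MAC = "00:50:54:aa:bb:cc"   # assumed MAC of every PIX interface (constructed)

# Constructed PIX 6.x fragment: an outside PAT/NAT pool, two statics, proxy ARP off on inside.
CONFIG = "\n".join([
    "ip address outside 192.0.2.2 255.255.255.0",
    "ip address inside 10.1.1.1 255.255.255.0",
    "ip address DMZ 172.16.1.1 255.255.255.0",
    "global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0",
    "global (outside) 1 192.0.2.21",
    "static (inside,outside) 192.0.2.50 10.1.1.50 netmask 255.255.255.255 0 0",
    "static (DMZ,inside) 10.1.1.200 172.16.1.200 netmask 255.255.255.255 0 0",
    "sysopt noproxyarp inside",
])

def _ip_range(lo, hi):
    a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return {ipaddress.IPv4Address(i) for i in range(a, b + 1)}

def parse_config(text):
    """Return (iface_ip, proxy_ips, noproxy).
    iface_ip  : interface name -> its own address (always answered)
    proxy_ips : interface name -> mapped addresses from static/global (proxy-ARPed)
    noproxy   : interfaces where 'sysopt noproxyarp' was set
    nat 0 and access-list based statics are not modelled."""
    iface_ip, proxy_ips, noproxy = {}, {}, set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "address"]:            # ip address <if> <ip> <mask>
            iface_ip[tok[2]] = ipaddress.IPv4Address(tok[3])
        elif tok[0] == "global":                     # global (<if>) <id> <ip>[-<ip>] ...
            ifname = tok[1].strip("()")
            lo, _, hi = tok[3].partition("-")
            proxy_ips.setdefault(ifname, set()).update(_ip_range(lo, hi or lo))
        elif tok[0] == "static":                     # static (<real_if>,<mapped_if>) <mapped_ip> <real_ip> ...
            mapped_if = tok[1].strip("()").split(",")[1]
            proxy_ips.setdefault(mapped_if, set()).add(ipaddress.IPv4Address(tok[2]))
        elif tok[:2] == ["sysopt", "noproxyarp"]:   # sysopt noproxyarp <if>
            noproxy.add(tok[2])
    return iface_ip, proxy_ips, noproxy

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(oper, sha, spa, tha, tpa, eth_dst):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP) + arp

def parse_arp(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[4:]
    return {"oper": oper, "sha": mac_str(sha), "spa": ipaddress.IPv4Address(spa),
            "tha": mac_str(tha), "tpa": ipaddress.IPv4Address(tpa)}

def pix_arp_handler(cfg, ifname, frame):
    """Return the reply the PIX sends on `ifname` for `frame`, or None if it stays silent.
    Own interface address: always answered. static/global mapped addresses on that
    interface: answered only while proxy ARP is still enabled there."""
    iface_ip, proxy_ips, noproxy = cfg
    req = parse_arp(frame)
    if req["oper"] != ARP_REQUEST:
        return None
    target = req["tpa"]
    answers = target == iface_ip.get(ifname)
    if not answers and ifname not in noproxy:
        answers = target in proxy_ips.get(ifname, set())
    if not answers:
        return None
    # Unicast reply "target is at PIX_MAC", sent back to the asker.
    return build_arp(ARP_REPLY, PIX_MAC, str(target), req["sha"], str(req["spa"]), req["sha"])

def who_answers(config_text, ifname, target_ip, asker=("00:11:22:33:44:55", "10.1.1.25")):
    """MAC the PIX claims for `target_ip` on `ifname`, or None if it does not answer."""
    req = build_arp(ARP_REQUEST, asker[0], asker[1], "00:00:00:00:00:00", target_ip,
                    "ff:ff:ff:ff:ff:ff")
    reply = pix_arp_handler(parse_config(config_text), ifname, req)
    return None if reply is None else parse_arp(reply)["sha"]

if __name__ == "__main__":
    before = CONFIG.replace("sysopt noproxyarp inside", "")
    for label, cfg in (("proxy ARP on inside", before), ("sysopt noproxyarp inside", CONFIG)):
        print(label)
        for ifname, ip in (("inside", "10.1.1.1"), ("inside", "10.1.1.200"),
                           ("outside", "192.0.2.15"), ("outside", "192.0.2.50"),
                           ("outside", "192.0.2.99")):
            print(f"  who-has {ip} on {ifname:8} -> {who_answers(cfg, ifname, ip)}")
```

Running it shows the one line that changes when the sysopt is added: the inside-facing mapped address 10.1.1.200 stops being answered, while the interface address 10.1.1.1 and everything on the outside (pool and static) keep working. That is also why the outside should keep proxy ARP when it holds the global pool: with it disabled there, return traffic for 192.0.2.10-21 and 192.0.2.50 would find nobody answering ARP on that segment unless the upstream router had a static route or static ARP entry pointing at the PIX.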

Author Comment

by:mcfr6070
ID: 11864136
OK, I disabled it; how will I know if this is working?

Expert Comment

by:lrmoore
ID: 11864665
Make your desired changes, one at a time, and see if everything keeps working...
Author Comment

by:mcfr6070
ID: 11899424
I am trying to make my ACLs work; they seem to be applying as soon as I run the xlate. I don't see a problem anymore. Thanks, lrmoore.