Cisco Firewall arp responses?

Posted on 2008-11-11
Last Modified: 2012-05-05
Here is the network structure.
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has a last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN.
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1 and enter it in firewall 2 pointing to their new private address space within building 2.

The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world it is the first site firewall who is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a static route set up in my ISP's configuration but they assure me there is not.

The question is...
What condition makes a firewall answer an arp request positively. Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?

Question by:btec_bob

    Expert Comment

    Proxy ARP.
    Both firewalls may answer up for all hosts within the subnet masks of the outside interface, plus any static NAT xlates that you have defined.
    You may have to disable proxyarp on the outside interfaces, but that could break multiple static nats.

    Author Comment

    If I disable proxy arp will the firewall only respond for its own interface WAN IP?

    Assisted Solution

    Correct. That is what it is supposed to do. So all dynamic nat using the interface still works, but statics using a different IP do not.
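    The rule in the two replies above (a firewall answers ARP for its own outside address, and for static NAT globals only while proxy ARP is enabled) can be turned into a small audit that reads both firewalls' configs and flags public IPs that more than one firewall would claim. This is an added example, not code from the thread or from Cisco; the config lines, names and documentation addresses are constructed, and the reply's broader statement about the whole outside subnet is not modelled.

```python
import ipaddress
import re

def parse_config(text):
    """Pull the outside address/mask, static NAT global addresses and the
    proxy-ARP state out of PIX/ASA-style config lines; other lines are ignored."""
    cfg = {"iface": None, "statics": [], "proxy_arp": True}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"ip address outside (\S+) (\S+)", line)
        if m:
            cfg["iface"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"static \(inside,outside\) (\S+) (\S+)", line)
        if m:
            cfg["statics"].append(ipaddress.ip_address(m.group(1)))
            continue
        if line == "sysopt noproxyarp outside":
            cfg["proxy_arp"] = False
    return cfg

def arp_claims(cfg):
    """Public IPs this firewall answers ARP for: always its own outside address,
    plus static NAT globals inside the outside subnet while proxy ARP is enabled."""
    claims = {cfg["iface"].ip}
    if cfg["proxy_arp"]:
        claims.update(ip for ip in cfg["statics"] if ip in cfg["iface"].network)
    return {str(ip) for ip in claims}

def find_conflicts(configs):
    """Return {public_ip: [firewall names]} for every IP claimed by more than one firewall."""
    owners = {}
    for name, text in configs.items():
        for ip in arp_claims(parse_config(text)):
            owners.setdefault(ip, []).append(name)
    return {ip: names for ip, names in sorted(owners.items()) if len(names) > 1}

# Constructed sample configs (documentation addresses, not the poster's real ones):
# .41 was moved to building 2 but its static was left behind on firewall 1.
FW1 = """
ip address outside 203.0.113.33 255.255.255.0
static (inside,outside) 203.0.113.40 10.1.0.40 netmask 255.255.255.255
static (inside,outside) 203.0.113.41 10.1.0.41 netmask 255.255.255.255
"""
FW2 = """
ip address outside 203.0.113.32 255.255.255.0
static (inside,outside) 203.0.113.41 10.2.0.41 netmask 255.255.255.255
"""
if __name__ == "__main__":
    print(find_conflicts({"fw1": FW1, "fw2": FW2}))  # {'203.0.113.41': ['fw1', 'fw2']}
```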


    Accepted Solution

    Sorry for the delay but the issue resolved itself. Currently the suspicion is that it was down to the ARP cache and that it took time for the switch that was interconnecting the two firewalls to realize that the IP addresses had shifted. In other words, that they were not all being managed by the one firewall.
