Cisco Firewall ARP responses?

Here is the network structure.
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has a last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN.
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1 and enter it in firewall 2 pointing to their new private address space within building 2.

The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world, it is the first site firewall that is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a static route set up in my ISP's configuration, but they assure me there is not.

The question is...
What condition makes a firewall answer an ARP request positively? Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?


btec_bob (IT Services Director) Asked:

lrmoore Commented:
Proxy ARP.
Both firewalls may answer up for all hosts within the subnet masks of the outside interface, plus any static NAT xlates that you have defined.
You may have to disable proxyarp on the outside interfaces, but that could break multiple static nats.
0
btec_bob (IT Services Director) Author Commented:
If I disable proxy ARP, will the firewall only respond for its own interface WAN IP?
0
lrmoore Commented:
Correct. That is what it is supposed to do. So all dynamic nat using the interface still works, but statics using a different IP do not.

0
btec_bob (IT Services Director) Author Commented:
Sorry for the delay, but the issue resolved itself. Currently the suspicion is that it was down to the ARP cache and that it took time for the switch that was interconnecting the two firewalls to realize that the IP addresses had shifted. In other words, that they were not all being managed by the one firewall.
0
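
An added example, not part of the thread: a Python check that separates the two explanations raised above (the old firewall still answering ARP, as with proxy ARP, versus a stale ARP cache upstream) by looking at which MAC answers ARP for each moved public IP. The capture lines are constructed in the style of `tcpdump -n arp` output; the IP addresses, MAC addresses and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies seen on the shared WAN segment.
# IPs are documentation-range placeholders; MACs are made up.
SAMPLE_CAPTURE = """\
10:00:01.100000 ARP, Reply 203.0.113.40 is-at 00:00:5e:00:53:01, length 46
10:00:01.105000 ARP, Reply 203.0.113.40 is-at 00:00:5e:00:53:02, length 46
10:00:02.200000 ARP, Reply 203.0.113.41 is-at 00:00:5e:00:53:01, length 46
10:00:03.300000 ARP, Reply 203.0.113.42 is-at 00:00:5e:00:53:02, length 46
"""
OLD_FW_MAC = "00:00:5e:00:53:01"  # assumed WAN MAC of the building 1 firewall
NEW_FW_MAC = "00:00:5e:00:53:02"  # assumed WAN MAC of the building 2 firewall

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

def responders(capture):
    """Map each IP to the set of MACs that sent an ARP reply for it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return seen

def check_moved_ips(capture, moved_ips, old_fw_mac, new_fw_mac):
    """Classify each public IP that was moved from the old firewall to the new one."""
    seen = responders(capture)
    result = {}
    for ip in moved_ips:
        macs = seen.get(ip, set())
        if not macs:
            result[ip] = "no-reply"              # nobody claims the address
        elif macs == {new_fw_mac}:
            # Only the new firewall answers. If traffic still reaches the old
            # one, suspect a stale ARP cache on the upstream device.
            result[ip] = "ok"
        elif macs == {old_fw_mac}:
            result[ip] = "old-firewall-only"     # old firewall still answers
        elif macs == {old_fw_mac, new_fw_mac}:
            result[ip] = "both-answer"           # two devices claim the address
        else:
            result[ip] = "unexpected-responder"  # a MAC that is neither firewall
    return result

if __name__ == "__main__":
    moved = ["203.0.113.40", "203.0.113.41", "203.0.113.42", "203.0.113.43"]
    for ip, status in check_moved_ips(SAMPLE_CAPTURE, moved, OLD_FW_MAC, NEW_FW_MAC).items():
        print(ip, status)
```
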
