btec_bob
asked on
Cisco Firewall arp responses?
Here is the network structure.
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has an last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1 and enter it in firewall 2 pointing to their new private address space within building 2.
The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world it is The first site firewall who is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a Static route set-up in my ISP's configuration but the assure there is not.
The question is...
What condition makes a firewall answer an arp request positively. Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has an last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1 and enter it in firewall 2 pointing to their new private address space within building 2.
The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world it is The first site firewall who is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a Static route set-up in my ISP's configuration but the assure there is not.
The question is...
What condition makes a firewall answer an arp request positively. Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?
ASKER
If I disable proxy arp will the firewall only respond for its own interface WAN IP?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Both firewalls may answer up for all hosts within the subnet masks of the outside interface, plus any static NAT xlates that you have defined.
You may have to disable proxyarp on the outside interfaces, but that could break multiple static nats.