• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 561
  • Last Modified:

Cisco Firewall arp responses?

Here is the network structure.
I have been allocated 48 Public IP addresses out of a C class subnet by my ISP. The mask we are using is /24.
I have two sites which both have their own firewalls. The first site has an last octet address of .33/24 and the secondary site has .32/24. The firewall does NAT the private address space on the LAN
Our clients get assigned an IP address when they join us in building 1 and we create a NAT rule to point that to their private IP. After a period of time they move to building 2. At this time I would remove the Public IP address off firewall 1  and enter it in firewall 2 pointing to their new private address space within building 2.

The issue I am having is that some of the original IP addresses I was allocated are not moving. What I mean by that is that if you try to connect to them from the outside world it is The first site firewall who is handling the request. Yet it has no reference to that public IP address anywhere in its configuration. I suspected that there was a Static route set-up in my ISP's configuration but the assure there is not.

The question is...
What condition makes a firewall answer an arp request positively. Is it based on the IP addresses defined in the NAT table or is it by the subnet defined on the WAN interface?


0
btec_bob
Asked:
btec_bob
  • 2
  • 2
2 Solutions
 
lrmooreCommented:
Proxy ARP.
Both firewalls may answer up for all hosts within the subnet masks of the outside interface, plus any static NAT xlates that you have defined.
You may have to disable proxyarp on the outside interfaces, but that could break multiple static nats.
0
 
btec_bobAuthor Commented:
If I disable proxy arp will the firewall only respond for its own interface WAN IP?
0
 
lrmooreCommented:
Correct. That is what it is supposed to do. So all dynamic nat using the interface still works, but statics using a different IP do not.

0
 
btec_bobAuthor Commented:
Sorry for the delay but the issue resolved itself. Currently the suspicion is that it was down to arp cache and that it took time for the switch was interconnecting the two firewalls to realize that the IP addresses had shifted. In other words that they were not all being managed by the one firewall.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now