I recently removed a PIX 520 and replaced it with a PIX 515. The problem was that the PIX's NAT address did not update in the router's arp cache (which is on the PIX's outside subnet). Of course, using the command "clear arp-cache" on the router fixes the problem. The question is, if the router updated the PIX's outside address arp cache entry (after a ping or two), why wouldn't the router update the NAT address arp cache entry?

Below is a more detailed discussion (the repetition in some places may seem excessive, but I find it helps some people).

The .22 address was used by the PIX's NAT pool for a ping from the inside workstation to the router, and the .7 address in the arp cache is the PIX's outside interface (which is the result of pinging the router from the PIX's outside interface).

    PIX NAT address = 209.247.48.22
    PIX outside     = 209.247.48.7

Again, the partial router arp cache shown below is the result of two different pings.

1. Ping the router from the PIX's outside interface (.7).
2. Ping the router from a workstation on the PIX's inside subnet. The packet goes from the workstation to the inside PIX interface, out of the PIX's outside interface and to the router (and returns, if the ping is successful).

    router#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  209.247.48.22            3  00e0.b600.8f13  ARPA  Ethernet0/1
    Internet  209.247.48.7            72  00e0.b600.8f13  ARPA  Ethernet0/1

I swapped the PIX 520 with a PIX 515 (identical PIX config). See the second output below.

1. I first pinged the router's interface from the PIX 515, which worked fine, and you can see the Hardware Address changed for the router's .7 entry.
2. However, pinging from the workstation on the PIX's inside subnet to anything outside the PIX will not work. The router refuses to change its arp cache for .22 (you must use "clear arp-cache"). Why?
    PIX 515 outside = 209.247.48.7 (instead of PIX 520)

    router#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  209.247.48.22            5  00e0.b600.8f13  ARPA  Ethernet0/1
    Internet  209.247.48.7             1  0050.54ff.0f23  ARPA  Ethernet0/1

To restate the question: although I recognize that the router has an arp-cache age time of 4 hours, I don't see why it won't update the arp cache when a new packet comes in with the same .22 IP address and a different hardware address, like it did for the .7 IP address from the PIX outside interface. My readings on CCO regarding arp have not illuminated this problem for me.

-- Jonathan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=3094&t=3094
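The inconsistent state in the two "sh arp" outputs above (one IP re-learned on the new hardware address while another IP on the same segment still points at the old one) is exactly what an operator wants flagged after a firewall swap, before anyone reaches for "clear arp-cache". The following script is an added example and is not part of the original post or of any Cisco tool: it parses Cisco IOS "show arp" text, groups IPs by hardware address, and diffs two snapshots so that a changed entry and the entries left behind on the old address are reported. The two snapshots embedded below are re-typed from the post's output as constructed input; the function names and the "stale?" heuristic are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row of Cisco IOS "show arp" output, e.g.
# "Internet  209.247.48.22  3  00e0.b600.8f13  ARPA  Ethernet0/1"
ARP_ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<iface>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    age_min: Optional[int]   # None for the router's own addresses, shown as "-"
    mac: str
    iface: str


def parse_show_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse "show arp" text into {ip: ArpEntry}; prompt and header lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        entries[m["ip"]] = ArpEntry(m["ip"], age, m["mac"].lower(), m["iface"])
    return entries


def ips_per_mac(entries: Dict[str, ArpEntry]) -> Dict[str, List[str]]:
    """Group IPs by hardware address; a NAT pool shows up as several IPs on one MAC."""
    groups: Dict[str, List[str]] = {}
    for e in entries.values():
        groups.setdefault(e.mac, []).append(e.ip)
    return {mac: sorted(ips) for mac, ips in groups.items()}


def diff_arp(before: Dict[str, ArpEntry], after: Dict[str, ArpEntry]) -> Dict[str, str]:
    """Report per-IP findings between two snapshots.

    "mac changed": the router re-learned the IP on another hardware address.
    "stale?":      the IP still points at a MAC that another IP on the same
                   interface has just moved away from (the .22 case in the post).
    """
    findings: Dict[str, str] = {}
    moved: Dict[tuple, str] = {}          # (old mac, iface) -> new mac
    for ip, new in after.items():
        old = before.get(ip)
        if old is None:
            findings[ip] = "new entry"
        elif old.mac != new.mac:
            findings[ip] = f"mac changed {old.mac} -> {new.mac}"
            moved[(old.mac, new.iface)] = new.mac
    for ip, new in after.items():
        if ip in findings:
            continue
        key = (new.mac, new.iface)
        if key in moved:
            findings[ip] = f"stale? still {new.mac}, other host moved to {moved[key]}"
    for ip in before:
        if ip not in after:
            findings[ip] = "removed"
    return findings


# Constructed input: the two "sh arp" snapshots quoted in the post, re-typed.
BEFORE_SWAP = """router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  209.247.48.22            3  00e0.b600.8f13  ARPA  Ethernet0/1
Internet  209.247.48.7            72  00e0.b600.8f13  ARPA  Ethernet0/1
"""

AFTER_SWAP = """router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  209.247.48.22            5  00e0.b600.8f13  ARPA  Ethernet0/1
Internet  209.247.48.7             1  0050.54ff.0f23  ARPA  Ethernet0/1
"""

if __name__ == "__main__":
    before = parse_show_arp(BEFORE_SWAP)
    after = parse_show_arp(AFTER_SWAP)
    print("before swap, IPs per MAC:", ips_per_mac(before))
    for ip, note in sorted(diff_arp(before, after).items()):
        print(f"{ip:16} {note}")
```

Run against the post's two snapshots it prints that 209.247.48.7 changed from 00e0.b600.8f13 to 0050.54ff.0f23 and that 209.247.48.22 is probably stale on the old address. The "stale?" heuristic deliberately keys on interface as well as MAC, so a hardware address legitimately reused on a different segment is not flagged; on a router where the NAT pool is expected to share the firewall's MAC, any IP left behind after the firewall's own address moves is worth a manual check or a targeted "clear arp-cache".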

