This is what I am finding; I think I might have
isolated this. When I check the ARP cache on the PIX
it shows this:

ujo(config)# show arp
        outside 165.88.117.6 09c0.5a90.ff3c
        outside 165.88.117.1 09c0.5a90.ff3c
        inside 10.0.0.3 0660.70ff.20f2
        inside 10.0.0.2 a070.d0c6.005b
        DMZ 10.0.0.3 0660.70ff.20f2
        DMZ 10.0.0.2 a070.d0c6.005b

The first two are our ISP's router.
The last two entries are machines rightfully on our
internal network. It looks like the PIX is seeing the
MAC addresses on its DMZ interface in addition to the
inside interface. Eventually the "show arp" output
will list other internal hosts' MAC addresses on the
DMZ interface as well. So it's ARPing them twice, once
for the inside interface and once for the DMZ
interface. If I clear the ARP cache, eventually the
internal hosts will be added again. Eventually
machines on the internal network will lose their
internet connection until a "clear arp" and "clear
xlate" are issued to the PIX. I was playing around with
this command:

sysopt noproxyarp DMZ

This seems to keep the DMZ interface from ARPing the
internal hosts. My question is: what is causing this?
Something seems amiss here. Any input would be greatly
appreciated.

Thanks



--- Dirk Pfau <[EMAIL PROTECTED]> wrote:
> kk downing wrote:
> 
> > Hello,
> > I have the following line in my config in order that
> > the internal hosts (10.0.0.0 net) do not get NAT'd when
> > trying to access hosts on our DMZ segment:
> >
> > static (inside, DMZ) 10.0.0.0 10.0.0.0 netmask
> > 255.255.255.0 0 0
> >
> > Now if I try to ssh from hostA (10.0.0.2) to
> > hostB (10.0.0.3) I will get the following error logged
> > on the PIX:
> >
> > 106001: Inbound TCP connection denied from
> > 10.0.0.2/1740 to 10.0.0.3/22 flags SYN on interface DMZ
> 
> I think there is something wrong with your network
> configuration. Best would be publishing the whole
> configuration. From these few lines we can only guess.
> hostA and hostB are in the same network, but at
> different interfaces? What did you do?
> 
> regards
> 
> dirk
> 
> --
> ISION Internet AG
> Dirk Pfau
> IP Network / iSecurity
> Harburger Schlossstr. 1
> D-21079 Hamburg
> 
> Fon: +49 40 77175-538
> 
> eMail: [EMAIL PROTECTED]
> Web: http://www.ision.net
> 
> 
> 
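The symptom described at the top of this thread (the same internal host learned on both the inside and DMZ interfaces) can be spotted automatically before it turns into a "clear arp" / "clear xlate" outage. The following script is an added example, not code from either poster; it parses the "show arp" listing quoted above (embedded here as constructed sample text) and reports any IP learned on more than one interface, plus any MAC that answers for several IPs (the ISP router entries in the listing).

```python
import re
from collections import defaultdict

# Constructed sample: the "show arp" listing quoted in the post above, not a live capture.
SHOW_ARP = """\
ujo(config)# show arp
        outside 165.88.117.6 09c0.5a90.ff3c
        outside 165.88.117.1 09c0.5a90.ff3c
        inside 10.0.0.3 0660.70ff.20f2
        inside 10.0.0.2 a070.d0c6.005b
        DMZ 10.0.0.3 0660.70ff.20f2
        DMZ 10.0.0.2 a070.d0c6.005b
"""

# One PIX ARP line: <interface> <dotted IPv4> <Cisco-style MAC xxxx.xxxx.xxxx>
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return (interface, ip, mac) tuples; the prompt line and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def find_cross_interface_entries(entries):
    """IPs learned on more than one interface -> sorted list of those interfaces."""
    ifaces_by_ip = defaultdict(set)
    for iface, ip, _mac in entries:
        ifaces_by_ip[ip].add(iface)
    return {ip: sorted(i) for ip, i in ifaces_by_ip.items() if len(i) > 1}


def find_shared_macs(entries):
    """MACs answering for more than one IP -> sorted list of those IPs."""
    ips_by_mac = defaultdict(set)
    for _iface, ip, mac in entries:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    arp = parse_show_arp(SHOW_ARP)
    for ip, ifaces in find_cross_interface_entries(arp).items():
        print(f"{ip} learned on {', '.join(ifaces)}: one host seen through two interfaces")
    for mac, ips in find_shared_macs(arp).items():
        print(f"{mac} answers for {', '.join(ips)}")
```

Feeding it the periodic "show arp" output from the PIX lets you alarm on the first duplicate instead of waiting for internal hosts to lose connectivity.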


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]