Wow - that's kind of weird. In normal operation, I can't think of anything that would cause what you're describing except one thing - your DMZ is ethernet-connected somehow to your internal network. Check for rogue hubs, hosts that are double homed (especially Sun boxes), that sort of thing.

In _abnormal_ operation, the best theory I can come up with without a sniffer is that you have DMZ hosts that think they're still on the internal network (they haven't had their subnet masks changed from 255.0.0.0, probably). They are arping for their buddies on the internal network (they never write, they never call...) and the PIX is sending proxy arps to the DMZ. After that, something weird must be happening. It _shouldn't_ be some weird proxy-arp reflection thing, because the proxy arp sent to the DMZ interface would use the PIX's MAC address. It could be some weird bug, or it could be something different altogether.

I would sniff the DMZ and look for something sending ARP replies to the DMZ network advertising those addresses. It could be something that thinks it's a router which is sending "correction" replies when the PIX proxy arps.

In any case, my money is on either incorrect subnet masks in the DMZ or that someone has plugged the DMZ into the same switch/hub/double homed host as the internal network.

I'd be interested to know what the solution is...

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of kk downing
> Sent: Monday, May 13, 2002 8:30 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: PIX internal to DMZ problems
>
>
> This is what I am finding. I think I might have
> isolated this. When I check the arp cache on the PIX
> it shows this:
>
> ujo(config)# show arp
> outside 165.88.117.6 09c0.5a90.ff3c
> outside 165.88.117.1 09c0.5a90.ff3c
> inside 10.0.0.3 0660.70ff.20f2
> inside 10.0.0.2 a070.d0c6.005b
> DMZ 10.0.0.3 0660.70ff.20f2
> DMZ 10.0.0.2 a070.d0c6.005b
>
> The first two are our ISP's router.
> The last two entries are machines rightfully on our
> internal network. It looks like the PIX is seeing the
> mac addresses on its DMZ interface in addition to the
> inside interface. Eventually the "show arp" output
> will list other internal hosts' MAC addresses on the
> DMZ interface as well. So it's arping them twice, once
> for the inside interface and once for the DMZ
> interface. If I clear the arp cache eventually the
> internal hosts will be added again. Eventually
> machines on the internal network will lose their
> internet connection until a "clear arp" and "clear
> xlate" are issued to the PIX. I was playing around with
> this command:
>
> sysopt noproxyarp DMZ
>
> This seems to keep the DMZ interface from arping the
> internal hosts. My question is what is causing this?
> Something seems amiss here. Any input would be greatly appreciated.
>
> Thanks
[...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
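As an added example (not part of this thread), a small Python script that parses the `show arp` output format quoted above and flags the symptom kk describes: the same host learned on more than one PIX interface, plus ARP entries whose address does not belong to the interface's configured subnet (the wrong-mask theory in Ben's reply). The per-interface subnets are assumptions, since the thread does not give them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, formatted like the "show arp" output quoted in the post.
SAMPLE_SHOW_ARP = """\
ujo(config)# show arp
outside 165.88.117.6 09c0.5a90.ff3c
outside 165.88.117.1 09c0.5a90.ff3c
inside 10.0.0.3 0660.70ff.20f2
inside 10.0.0.2 a070.d0c6.005b
DMZ 10.0.0.3 0660.70ff.20f2
DMZ 10.0.0.2 a070.d0c6.005b
"""

# Assumed interface subnets; the thread never states the real ones.
ASSUMED_SUBNETS = {
    "outside": "165.88.117.0/24",
    "inside": "10.0.0.0/24",
    "DMZ": "10.0.1.0/24",
}

# interface, dotted-quad IP, Cisco-style dotted MAC (aaaa.bbbb.cccc)
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return (interface, ip, mac) tuples; prompt and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, ip, mac = m.groups()
            entries.append((iface, ip, mac.lower()))
    return entries


def find_cross_interface_hosts(text):
    """Map each IP learned on more than one interface to the sorted interface list.
    Such hosts point at a bridged inside/DMZ segment or a wrong subnet mask."""
    seen = defaultdict(set)
    for iface, ip, _mac in parse_show_arp(text):
        seen[ip].add(iface)
    return {ip: sorted(ifaces) for ip, ifaces in seen.items() if len(ifaces) > 1}


def find_foreign_entries(text, subnets):
    """Return entries whose IP is outside the subnet configured on that interface."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    return [(iface, ip, mac) for iface, ip, mac in parse_show_arp(text)
            if iface in nets and ipaddress.ip_address(ip) not in nets[iface]]
```

Run against a real capture, the first function reproduces the duplicate inside/DMZ entries from the post, and the second shows which interface they do not belong on.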
