Monday 17 June 2013

Cisco PIX firewall not responding to ARPs

I was moving some app servers to new public IP addresses. After the move the websites were not available. Everything looked correct on the firewall. When I ran a capture on the firewall I saw that packets were not making it to the firewall. The provider put in some static routes as a temporary fix. Later we removed the temporary fix and reloaded the firewall. It didn't resolve the issue.

I found the setting "sysopt noproxyarp outside" in the config on the firewall.

I ran "no sysopt noproxyarp outside" and I was able to access the websites.

From the Cisco documentation:
"Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host."

I have no idea who put this setting in or why it wasn't causing an issue before. Anyway, the issue is resolved now.
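As an added check (not from the original post), this script audits a PIX-style configuration for the combination that caused the outage above: a `static` mapping whose mapped interface also carries `sysopt noproxyarp`. It assumes the PIX 6.x `static (real_ifc,mapped_ifc) mapped_ip real_ip ...` syntax, and the sample config is constructed.

```python
import re

# Constructed sample of a PIX-style configuration (not the post's own config).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 10.0.0.11 netmask 255.255.255.255 0 0
sysopt noproxyarp outside
sysopt noproxyarp inside
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)")


def audit_proxy_arp(config: str) -> list[dict]:
    """Return static mappings whose mapped interface has proxy ARP disabled.

    Such mappings are reachable only if something else (e.g. a provider
    static route) delivers traffic for the mapped address to the firewall.
    """
    noproxy = set()
    statics = []
    for raw in config.splitlines():
        line = raw.strip()
        m = NOPROXY_RE.match(line)
        if m:
            noproxy.add(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics.append({"interface": mapped_if, "mapped": mapped_ip, "real": real_ip})
    return [s for s in statics if s["interface"] in noproxy]


def fix_commands(findings: list[dict]) -> list[str]:
    """Commands that re-enable proxy ARP on each affected interface."""
    return sorted({f"no sysopt noproxyarp {f['interface']}" for f in findings})


if __name__ == "__main__":
    found = audit_proxy_arp(SAMPLE_CONFIG)
    for f in found:
        print(f"{f['mapped']} -> {f['real']}: proxy ARP disabled on {f['interface']}")
    print("\n".join(fix_commands(found)))
```

Only the `outside` interface is reported, because no static mapping is published on `inside` even though proxy ARP is disabled there too.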
