I was moving some app servers to new public IP addresses. After the move the websites were not available. Everything looked correct on the firewall. When I ran a capture on the firewall I saw that packets were not making it to the firewall. The provider put in some static routes as a temp fix. Later we removed the temp fix and reloaded the firewall. It didn't resolve the issue.
I found the setting "sysopt noproxyarp outside" in the config on the firewall.
I ran "no sysopt noproxyarp outside" and I was able to access the websites.
From Cisco documentation:
"Proxy ARP allows the security appliance to reply to an ARP request on behalf of hosts behind it. It does this by replying to ARP requests for the static mapped addresses of those hosts. The security appliance responds to the request with its own MAC address and then forwards the IP packets on to the appropriate inside host."
I have no idea who put this setting in and why it wasn't causing an issue before. Anyway, the issue is resolved now.
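An added example, not part of the original post: a small Python check for the failure described above. It assumes the pre-8.3 PIX/ASA `static (real_ifc,mapped_ifc)` syntax; the sample config, its addresses and the function name are constructed for illustration. It lists static mapped addresses on interfaces where `sysopt noproxyarp` is set, since the firewall will not answer ARP for those and they need either an upstream route to the firewall or proxy ARP re-enabled.

```python
import re

# Constructed sample config (documentation/private address ranges only).
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
static (dmz,outside) tcp 203.0.113.12 www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 2222 192.168.1.20 ssh netmask 255.255.255.255
static (inside,dmz) 10.0.0.50 192.168.1.50 netmask 255.255.255.255
sysopt noproxyarp outside
"""

# "sysopt noproxyarp <ifc>" disables proxy ARP on that interface.
NOPROXY_RE = re.compile(r"^sysopt noproxyarp (\S+)$")
# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip ...
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (?:(?:tcp|udp) )?(\S+)")


def unanswered_mapped_addresses(config_text):
    """Map each no-proxy-ARP interface to the static mapped IPs behind it."""
    noproxy, statics = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NOPROXY_RE.match(line)
        if m:
            noproxy.add(m.group(1))
            continue
        m = STATIC_RE.match(line)
        if m:
            _real_ifc, mapped_ifc, mapped_ip = m.groups()
            statics.append((mapped_ifc, mapped_ip))
    result = {}
    for ifc, ip in statics:
        # "interface" maps to the firewall's own address, which still answers ARP.
        if ifc in noproxy and ip != "interface":
            hits = result.setdefault(ifc, [])
            if ip not in hits:
                hits.append(ip)
    return result


if __name__ == "__main__":
    for ifc, ips in unanswered_mapped_addresses(SAMPLE_CONFIG).items():
        print(f"proxy ARP disabled on {ifc}; no ARP replies for: {', '.join(ips)}")
```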
Monday, 17 June 2013
Friday, 5 April 2013
tftp the config file off a cisco pix
TFTP'ing the config off an old PIX is a bit different.
First set up your TFTP server:
#tftp-server inside 192.168.1.50 /pix-confg
inside - the interface to send the config out
192.168.1.50 - the IP address where I have a tftp server running (my desktop with tftpd)
/pix-confg - the destination file name
Run the TFTP
#write net 192.168.1.50:
Wednesday, 12 September 2012
add user to cisco vpn on pix
conf t
username [username] password [password] privilege 2