arp-in request dropped (non-adjacent)

Discussion in 'Cisco' started by Raymond Doetjes, Apr 2, 2004.

  1. Hi there,

    I have a small problem with a PIX506E which is completely new. Maybe due
    to the OS build which is from Aug 2003 and the latest we used to have
    was Mar 2003.

    I have an outside ip address that is 80.126.x.y
    ip address outside 80.126.x.y

    In order to reach the internet the PIX has to send all traffic to
    10.0.0.138 (the ADSL modem, it's called SIP_SPOOF). SIP_SPOOF allows a
    user of an Alcatel ADSL modem to let the modem dial (otherwise we need
    to use PPTP and that sucks) and still get the static IP on your device
    behind the Alcatel.

    So I need to set up a route:
    route add 0.0.0.0 0.0.0.0 10.0.0.138
    route outside 10.0.0.138 255.255.255.255 10.0.0.138 <----This was the
    trick that used to work with the releases up to Mar 2003

    Now I noticed that the PIX can't initially reach the 10.0.0.138, because
    the incoming arp request gets blocked by a strange message arp-in:
    Dropping request at outside unsolicited non-adjacent from 10.0.0.138

    So all I need to do is allow arp request from 10.0.0.138 but how? Even
    an access-list permit ip host 10.0.0.138 any doesn't work.

    Another solution would be to 'clone' the interface, so that I can set a
    second ip address onto the outside interface, as you can with Cisco
    routers by saying secondary. But I don't know how to do that on a PIX,
    anyone?

    Raymond
    Raymond Doetjes, Apr 2, 2004
    #1

  2. Raymond Doetjes

    Rik Bain Guest

    Sounds like a major hack, but let me throw a few things out that might
    help.

    A:
    Somewhere around 6.3 (6.3.1 or 6.3.2) the pix would not proxy arp for
    addresses (for which it has a static nat configured) that were not on
    the same subnet as the interface the arp was received on.
    This "broke" a lot of configs where people were tricking the pix into
    seeing both subnets of an adjacent router with secondary addresses
    configured. 6.3.3 restored the behavior seen before the change.

    B:
    If you set the pix to use its own ip address for the next hop address, it
    will arp for the destination address. If the adjacent router supports
    proxy arp, then it will reply to the pix with its own MAC address and the
    packet will be forwarded.

    HTH,

    Rik Bain
    Rik Bain, Apr 3, 2004
    #2
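
Added example (not part of Rik Bain's post or of any Cisco code): a simplified Python model of the two behaviours discussed above, the subnet adjacency test behind the arp-in drop message and option B's choice of ARP target. The interface address 198.51.100.10/24 is a constructed placeholder for the elided 80.126.x.y, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed values: the thread elides the real outside address (80.126.x.y),
# so a documentation-range address and an assumed /24 mask stand in for it.
INTERFACES = {"outside": ipaddress.ip_interface("198.51.100.10/24")}

# Matches the debug message quoted in the first post.
DROP_RE = re.compile(
    r"arp-in: Dropping request at (?P<ifc>\S+) unsolicited non-adjacent "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def is_adjacent(ifc, ip):
    """True when ip lies inside the subnet configured on interface ifc."""
    return ipaddress.ip_address(ip) in INTERFACES[ifc].network

def arp_target(ifc, dest, next_hop):
    """Return the IP the firewall ARPs for when sending dest via next_hop.

    Option B from the reply: if the next hop is the firewall's own interface
    address, it ARPs for the destination itself and depends on the adjacent
    router answering with its own MAC (proxy ARP).
    """
    if ipaddress.ip_address(next_hop) == INTERFACES[ifc].ip:
        return dest
    return next_hop

def explain_drops(lines):
    """Return (interface, sender, adjacent?) for every arp-in drop line."""
    found = []
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            found.append((m["ifc"], m["src"], is_adjacent(m["ifc"], m["src"])))
    return found

# Constructed sample log: the first line is the message from the thread.
SAMPLE = [
    "arp-in: Dropping request at outside unsolicited non-adjacent from 10.0.0.138",
    "arp-out: some unrelated debug line",
]

if __name__ == "__main__":
    for ifc, src, adjacent in explain_drops(SAMPLE):
        print(f"{src} on {ifc}: on-subnet={adjacent}")
```
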

  3. Thanks Rik,

    I will give this a try. I already adjusted the route also to 10.0.0.138
    255.255.255.255 80.126.x.x; it still screamed in the debug arp mode about
    dropping the arp. But I will 'dive' into that Alcatel to see if I can
    enable proxy arp there. I was also already thinking of 'cheating' them
    both with permanent arp entries.

    Raymond
    Raymond Doetjes, Apr 3, 2004
    #3
