Cisco PIX 515E - Proxy ARP?

Discussion in 'Cisco' started by Illusion, Jul 23, 2003.

  1. Illusion

    Illusion Guest

    (Apologies if this is a duplicate, my news server is playing up)

    Hi,

    I am currently configuring a PIX 515E to replace our Linux/IPTables based
    firewall. This is my first experience with a PIX. On our Linux Firewall I
    have 3 NICs, 1 connected to external router, 1 into DMZ switch and 1 into
    the internal network.

    On our Linux box I assigned an IP from our external subnet, say
    100.100.100.86/29 for example to both the external NIC and the DMZ NIC. Then
    I would delete the 100.100.100.80/29 route on the external NIC and add a
    route on the external NIC such as:

    route add 100.100.100.81 dev eth2 <.81 is the Internet router>

    So the external NIC knows how to get to our Internet router, the DMZ NIC
    knows that the DMZ subnet hangs off it. Then I enable Proxy ARP so that the
    external NIC answers ARP requests for the DMZ IP's so that the Internet
    router can communicate with them.

    I've hit a wall with the PIX at the moment as it does not seem to like me
    assigning the same IP address/subnet to more than 1 ethernet port.

    If anyone has any suggestions it would be much appreciated.

    TIA, Dan
     
    Illusion, Jul 23, 2003
    #1

  2. Chris

    Chris Guest


    > I've hit a wall with the PIX at the moment as it does not seem to like me
    > assigning the same IP address/subnet to more than 1 ethernet port.
    >
    > If anyone has any suggestions it would be much appreciated.
    >
    > TIA, Dan


    If you are using a DMZ then you assign an RFC1918 address range to that
    network and then NAT traffic to the servers using the 'static' command.

    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

    Chris.
     
    Chris, Jul 23, 2003
    #2
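A PIX 6.x configuration fragment for the approach Chris describes (an RFC1918 range on the DMZ and a one-to-one `static` to publish each server). This is an added example and is not part of the original thread or of the linked Cisco note; the interface names, addresses and ACL name are assumptions chosen to fit Dan's 100.100.100.80/29 example, with the Internet router at .81 and the PIX outside address at .86.

```cisco
! Added example, not from the thread. Assumed addressing:
!   outside 100.100.100.86/29 (Internet router is .81)
!   inside  10.0.0.1/24
!   dmz     192.168.10.1/24, one web server at 192.168.10.10
!   the web server is published on the public address 100.100.100.84
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 100.100.100.86 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.81 1
! One-to-one static. The PIX itself answers ARP for 100.100.100.84 on the
! outside segment, so the "same subnet on two interfaces" problem goes away.
static (dmz,outside) 100.100.100.84 192.168.10.10 netmask 255.255.255.255 0 0
! A static on its own admits nothing from a lower-security interface; an
! inbound ACL is still required. On PIX 6.x it matches the public address.
access-list outside_in permit tcp any host 100.100.100.84 eq www
access-group outside_in in interface outside
! Outbound traffic from the inside network is PATed to the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
```

A quick check after applying this: on the Internet router, the ARP entry for 100.100.100.84 should resolve to the PIX outside interface's MAC address, and `show xlate` on the PIX should list the 192.168.10.10 to 100.100.100.84 translation once it has been used. If the router never learns the entry, confirm that proxy ARP has not been turned off on the outside interface with `sysopt noproxyarp outside`.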

  3. In article <>,
    Illusion <> wrote:
    :On our Linux box I assigned an IP from our external subnet, say
    :100.100.100.86/29 for example to both the external NIC and the DMZ NIC. Then
    :I would delete the 100.100.100.80/29 route on the external NIC and add a
    :route on the external NIC such as:

    :route add 100.100.100.81 dev eth2 <.81 is the Internet router>

    :So the external NIC knows how to get to our Internet router, the DMZ NIC
    :knows that the DMZ subnet hangs off it. Then I enable Proxy ARP so that the
    :external NIC answers ARP requests for the DMZ IP's so that the Internet
    :router can communicate with them.

    :I've hit a wall with the PIX at the moment as it does not seem to like me
    :assigning the same IP address/subnet to more than 1 ethernet port.

    Someone else indicated that you should use an internal DMZ subnet
    and NAT; you indicated that you would prefer not to do so. Your choice,
    so here's the ugly hack:

    Put a router inside the DMZ. Assign an IP address range [e.g. an
    RFC1918 private range] on the router outside interface, and plug it
    into the PIX DMZ with the DMZ configured to be in the same IP address range.
    Configure the inside router to route the public IP range, and plug your
    devices into them. This will, unfortunately, consume an IP address in
    the range as the router's presence in that subnet. This IP address is
    the one you must set those devices inside the DMZ to use as their
    gateway. On the inside router, you should in theory set a host route for
    the PIX outside address pointing through the PIX DMZ interface private
    address, but it turns out that you can never talk to that address anyhow
    so you can omit this step.

    Now, static (dmz,outside) the public IP addresses to themselves. This will
    allow the PIX to proxy arp for those addresses on the outside
    interface, and will allow the addresses to "punch through" to the DMZ.
    Add host routes pointing each of those IP addresses to the inside router's
    private IP address.

    The key here is that the host routes pointing to the DMZ router override the
    network route on the outside interface; all of the rest is just
    getting the gateway address working.

    If it happens that ALL of the addresses you need to punch through to
    the DMZ are PCs running relatively new Windows, then it turns out that you
    can skip the inside router. It turns out that Windows will assume that
    any assigned gateway IP can be reached from the local segment, even
    when the gateway IP is in a different subnet. This breaks an RFC or two,
    but it works for the last couple of Windows versions... and may well
    stop working with any given Windows update.


    To answer a potential question: No, there is NO WAY to get the PIX
    to act as a bridge: that would severely break the PIX security model.
    --
    Sub-millibarn resolution bio-hyperdimensional plasmatic space
    polyimaging is just around the corner. -- Corry Lee Smith
     
    Walter Roberson, Jul 24, 2003
    #3
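The PIX side of Walter's "ugly hack" as a configuration fragment, added here as an example rather than taken from the post. It assumes PIX 6.x syntax, a DMZ interface named `dmz`, the private range 192.168.1.0/24 between the PIX and the inside router, the inside router's DMZ-facing address 192.168.1.2, and two public DMZ hosts at 100.100.100.82 and .83; the inside router's own public address (100.100.100.85 here) is the one the hack consumes and the one the DMZ hosts use as their gateway. All of these values are assumptions.

```cisco
! Added example, not from the thread. Assumed addressing:
!   outside 100.100.100.86/29, Internet router .81
!   PIX dmz interface 192.168.1.1/24, inside router's outer interface 192.168.1.2
!   inside router's inner interface 100.100.100.85/29 (gateway for the DMZ hosts)
!   DMZ hosts 100.100.100.82 (www) and 100.100.100.83 (smtp)
ip address dmz 192.168.1.1 255.255.255.0
! Identity statics: global and local address are the same. These make the PIX
! proxy ARP for .82 and .83 on the outside and let them "punch through" to dmz.
static (dmz,outside) 100.100.100.82 100.100.100.82 netmask 255.255.255.255 0 0
static (dmz,outside) 100.100.100.83 100.100.100.83 netmask 255.255.255.255 0 0
! Host routes to the inside router's private address. Being /32 they are more
! specific than the outside interface's connected /29, so they take precedence.
route dmz 100.100.100.82 255.255.255.255 192.168.1.2 1
route dmz 100.100.100.83 255.255.255.255 192.168.1.2 1
! Inbound policy is still needed; a static by itself permits nothing.
access-list outside_in permit tcp any host 100.100.100.82 eq www
access-list outside_in permit tcp any host 100.100.100.83 eq smtp
access-group outside_in in interface outside
!
! Matching side on the inside router (assumed Cisco IOS syntax, for reference):
!   interface FastEthernet0          (toward the PIX dmz interface)
!    ip address 192.168.1.2 255.255.255.0
!   interface FastEthernet1          (toward the DMZ hosts)
!    ip address 100.100.100.85 255.255.255.248
!   ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

Verify with `show route` on the PIX that both /32 entries appear ahead of the outside /29, and note the caveat Walter gives: the DMZ hosts and the inside router believe .81 and .86 are on their own segment, so they cannot reach the Internet router or the PIX outside address directly, which in practice does not matter for traffic that transits the PIX.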
  4. In article <>,
    Illusion <> wrote:
    :Yep I see your point but unfortunately we dont have a
    :spare router to use.

    For this purpose, you could probably get by on any of the
    SOHO routers aimed at the cable/xDSL market, such as a Netgear RT311
    or most any of the products shown at
    http://www.electronicgadgetdepot.com/d/DSL_Routers/DSL_Routers_Items_R.htm


    :It might be possible for us to have another routable
    :subnet assigned by our ISP so I could then have 1 subnet on the outside
    :interface and one on the dmz.

    That would certainly work technically. The PIX is perfectly capable
    of handling multiple subnets that are routed to it.

    :If not I'll just go with the static NAT
    :mappings, but I really like to stay away from NAT as much as possible.

    Better get used to it. The ARIN procedures for requesting address
    space expect you to prove that you cannot make do with less address
    space by using NAT/PAT.

    There are certain protocols that do not work with NAT/PAT, but
    ARIN won't accept "I don't like NAT".
    --
    Pity the poor electron, floating around minding its own business for
    billions of years; and then suddenly Bam!! -- annihilated just so
    you could read this posting.
     
    Walter Roberson, Jul 24, 2003
    #4
  5. Illusion

    Illusion Guest

    Walter Roberson wrote:

    > Better get used to it. The ARIN procedures for requesting address
    > space expect you to prove that you cannot make do with less address
    > space by using NAT/PAT.
    >
    > There are certain protocols that do not work with NAT/PAT, but
    > ARIN won't accept "I don't like NAT".


    Yep, it's unfortunate. I'm all for using NAT for outbound access for internal
    network clients, but it just seems a bit messy the other way round.

    Thanks for your help.

    Dan
     
    Illusion, Jul 24, 2003
    #5