PIX and proxy-arp

Discussion in 'Cisco' started by YIgal K., Dec 9, 2003.

  1. YIgal K.

    YIgal K. Guest

    In one of our remote sites, we implemented a VPN on a PIX-506. We plan to add
    a 1700 router to the remote site LAN. We also planned to move the VPN end
    from the PIX to the 1700 router. This means that the peer IP will move from
    the PIX to the 1700 router. In order to achieve this I tried to use the
    proxy-arp feature in the PIX but this is not working for me.
    I can't get a routing change in the ISP router, so I break the ISP network
    into 2 subnets.
    What else is missing?
    Many thanks for any advice.

    Yigal K.
    YIgal K., Dec 9, 2003
    #1

  2. In article <1070989267.501562@sointsocks>, YIgal K. <> wrote:
    :In one of our remote sites, we implemented a VPN on a PIX-506. We plan to add
    :a 1700 router to the remote site LAN. We also planned to move the VPN end
    :from the PIX to the 1700 router. This means that the peer IP will move from
    :the PIX to the 1700 router. In order to achieve this I tried to use the
    :proxy-arp feature in the PIX but this is not working for me.

    proxy-arp on the PIX is normally enabled, and acts to allow the
    PIX to respond if another system ARPs for that IP address in the right
    broadcast domain.

    I am having trouble understanding how you could possibly mean to allow
    the 1700 to assume the peer IP address by using proxy arp ??

    :I can't get a routing change in the ISP router so i break the ISP network
    :into 2 subnets.

    That sentence suggests to me that you were trying to use either the
    1700 or the PIX as a bridge, with the same IP subnet on the inside
    and outside interfaces, and with the 1700 responding to the peer IP
    address. It is not possible to use the PIX as a bridge: the PIX
    MUST have different subnets for the inside and outside interfaces.

    Subnetting your public IP space is probably the easiest approach.
    There is an alternative approach involving using a private IP
    address range between the 1700 and the PIX; to do that properly requires
    using a bit of NAT on the 1700.


    If I recall correctly, the PIX 506 is faster than the 1700 series
    (though I'd want to double-check the speeds of the 1721 with
    VPN accelerator card). What is your reason for pushing your VPN
    endpoint to the 1700? Are you needing more than 25 tunnels?
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
    Walter Roberson, Dec 9, 2003
    #2

  3. YIgal K.

    YIgal K. Guest

    Thanks for your answer.

    We chose the option of sub-netting our public IP space. The first part is for
    the PIX outside interface and the second part is for the PIX inside interface
    and the 1700 router.

    The PIX has two different subnets on the inside and on the outside. Those
    subnets are configured on the ISP router as one network, and that is why I
    think I should use proxy-arp to be able to access the new IP of the 1700
    router.

    Proxy arp is enabled by default on the PIX (sysopt option) but still this is
    not working for me.



    Thanks,



    Yigal K.
    YIgal K., Dec 10, 2003
    #3
  4. Rik Bain

    Rik Bain Guest

    On Wed, 10 Dec 2003 10:47:50 -0600, YIgal K. wrote:

    > Thanks for your answer.
    >
    > We choose the option of sub-netting our public IP space. First part is
    > for the PIX outside interface and second part is for the PIX inside
    > interface and the 1700 router.
    >
    > The PIX has two different subnets on the inside and on the outside.
    > Those subnets are configured on the ISP router as a one network and that
    > why I think I should use the proxy-arp to be able to access the new IP
    > of the 1700 router.
    >
    > Proxy arp is enabled by default on the PIX (sysopt option) but still
    > this is not working to me.

    I think I follow you. What you need is a static translation for the
    subnet behind the PIX. If the head end router sees the 2 subnets as one,
    then the PIX will need to proxy arp for those addresses. There was a
    change somewhere in 6.3 that prevented the PIX from proxy-arping for
    addresses not within the subnet of the configured interface, but I
    believe it went back to the old behavior (proxy arp for all translations)
    in 6.3.3.


    Do you have static nat translations built for the internal
    addresses/subnet?

    Rik Bain
    Rik Bain, Dec 10, 2003
    #4
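Putting Walter's subnetting suggestion (#2) together with Rik's point about static translations (#4), this is what the PIX 6.x side of such a setup looks like. It is an added example, not a configuration posted in the thread or taken from Cisco documentation: the addressing (the site's public block taken as 203.0.113.0/26, split into 203.0.113.0/27 for the PIX outside wire and 203.0.113.32/27 for the inside, the ISP gateway at 203.0.113.1, the 1700 at 203.0.113.34, the remote IPsec peer at 198.51.100.10), the interface assignments and the access-list name are all assumptions chosen to illustrate the mechanism.

```cisco
: Added example configuration (PIX 6.x syntax). All addresses are assumed
: RFC 5737 documentation ranges, not values from the thread.
:
: Public block 203.0.113.0/26 is one network to the ISP router, but the PIX
: must have two different subnets, so the /26 is split into two /27s.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.224
ip address inside 203.0.113.33 255.255.255.224
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
:
: Identity static for the 1700's new public address (the 1700 sits on the
: inside /27 with 203.0.113.33 as its default gateway). The translation is
: what makes the PIX answer ARP for .34 on the outside wire, which is all
: the ISP router needs since it believes .34 is on-link.
static (inside,outside) 203.0.113.34 203.0.113.34 netmask 255.255.255.255 0 0
:
: A static only creates the translation; outside-initiated traffic still
: needs an access-list. Permit just ISAKMP (UDP/500) and ESP from the remote
: peer to the 1700, so moving the tunnel endpoint behind the PIX does not
: expose anything else on the router.
access-list outside_in permit udp host 198.51.100.10 host 203.0.113.34 eq 500
access-list outside_in permit esp host 198.51.100.10 host 203.0.113.34
access-group outside_in in interface outside
:
: Proxy ARP on the outside interface must stay at its default (enabled).
: The following line would break the whole approach and must NOT be present:
: sysopt noproxyarp outside
```

After applying it, `show xlate` on the PIX should list the identity translation for 203.0.113.34, and the ISP router's ARP cache should resolve .34 to the PIX outside MAC address. If it does not, check `show sysopt` for a `noproxyarp` entry on the outside interface, and check `show version`, since per Rik's note some 6.3 releases before 6.3.3 did not proxy-ARP for a global address that lies outside the configured subnet of the outside interface, which is exactly the case here.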