
Proxy ARP Problem?


JSKoval

I have a switched ethernet network with 25 PCs, 2 Windows servers and an IBM AS/400. After making a change to the PIX last night to re-establish an old VPN connection, users complained of getting randomly "terminated" from their AS/400 terminal sessions. When I compared the old PIX 506 config with the new one, I found the only difference was that I left out "sysopt noproxyarp inside." Based on Cisco's explanation of that command, I can't imagine why its presence or absence would relate to the symptoms I've described. Can anyone help me understand this? Thanks.
 
Show your most recent config. Also post the IP (internal) of your AS400
 
The AS/400 is 10.0.0.9. [Is it possible that when the AS/400 ARPs for an address, it gets two answers--one from the PC and a proxy answer from the PIX--and that causes it to get confused and disconnect from the PC??]

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname GML-PIX
domain-name gainesml.lcl
clock timezone EDT -4
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit icmp any any
access-list outbound permit ip host 10.0.0.202 any
access-list outbound permit ip host 10.0.0.203 any
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any eq 8080
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq ftp-data
access-list outbound permit tcp any any eq pop3
access-list outbound permit tcp any any eq telnet
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp any any eq https
access-list outbound permit tcp any any eq 3389
access-list outbound permit tcp any any eq domain
access-list outbound permit udp any any eq ntp
access-list outbound permit udp any any eq domain
access-list outbound deny ip any any
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.27.1.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.28.1.0 255.255.255.0
access-list inbound deny ip 10.0.0.0 255.0.0.0 any
access-list inbound deny ip 172.16.0.0 255.240.0.0 any
access-list inbound deny ip 192.168.0.0 255.255.0.0 any
access-list inbound deny ip 127.0.0.0 255.0.0.0 any
access-list inbound deny ip 224.0.0.0 224.0.0.0 any
access-list inbound deny icmp any any redirect
access-list inbound permit icmp any any
access-list inbound permit ip host xx.xxx.60.18 any
access-list inbound permit tcp any host xx.xxx.60.22 eq telnet
access-list inbound permit tcp any host xx.xxx.60.22 eq www
access-list inbound permit tcp any host xx.xxx.60.22 eq ftp
access-list inbound permit tcp any host xx.xxx.60.22 eq ftp-data
access-list inbound permit tcp any host xx.xxx.60.22 eq 27000
access-list inbound permit tcp any host xx.xxx.60.22 eq 2001
access-list inbound permit tcp any host xx.xxx.60.22 eq pcanywhere-data log 4
access-list inbound permit tcp any host xx.xxx.60.22 eq 5632
access-list inbound permit tcp any host xx.xxx.60.22 eq 8470
access-list inbound permit tcp any host xx.xxx.60.22 eq 8471
access-list inbound permit tcp any host xx.xxx.60.22 eq 8476
access-list inbound permit udp any host xx.xxx.60.22 eq domain
access-list inbound permit tcp any host xx.xxx.60.22 eq domain
access-list inbound deny ip any any
access-list 110 permit ip 10.0.0.0 255.0.0.0 172.27.1.0 255.255.255.0
pager lines 22
logging on
logging trap warnings
logging host inside 10.0.0.203
no logging message 106023
no logging message 400015
no logging message 400013
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xx.xxx.60.21 255.255.255.128
ip address inside 10.0.0.1 255.0.0.0
ip audit name attack1 attack action alarm
ip audit name info1 info action alarm
ip audit interface outside info1
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.0.0.240-10.0.0.254
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 10.0.0.9 xx.xxx.60.22 255.255.255.255
static (inside,outside) tcp xx.xxx.60.22 pcanywhere-data 10.0.0.8 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 5632 10.0.0.8 5632 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 ftp 10.0.0.9 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 telnet 10.0.0.9 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 2001 10.0.0.9 2001 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 27000 10.0.0.9 27000 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 3389 10.0.0.203 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 ftp-data 10.0.0.9 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 8470 10.0.0.9 8470 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 8471 10.0.0.9 8471 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 8476 10.0.0.9 8476 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.60.22 domain 10.0.0.202 domain netmask 255.255.255.255 0 0
static (inside,outside) udp xx.xxx.60.22 domain 10.0.0.202 domain netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 xx.xxx.60.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.5.41.41 source outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.0.0.203 tftp
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set gmlset esp-des esp-md5-hmac
crypto dynamic-map gaines 10 set transform-set gmlset
crypto map gmlpix 10 ipsec-isakmp dynamic gaines
crypto map gmlpix interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp log 100
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
vpngroup marr idle-time 1800
telnet 10.0.0.0 255.0.0.0 inside
telnet 172.27.1.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:
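The poster's hypothesis above is that a host ARPing for an address gets two replies, one from the real PC and a proxy reply from the PIX, and the resulting MAC flapping breaks the session. The quickest way to confirm or rule that out is to capture ARP on the inside segment and look for any IP that is answered by more than one MAC. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses tcpdump-style ARP reply lines (the line format is approximated and the sample capture, MAC addresses and the firewall MAC are all constructed placeholders) and reports the addresses with conflicting responders, then points out which of those conflicts involve the firewall's MAC.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ARP reply lines such as
# "10:15:02.123456 ARP, Reply 10.0.0.25 is-at 00:0c:29:aa:bb:cc, length 28".
# The exact tcpdump wording varies by version; this pattern is an assumption.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+ARP,\s+Reply\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_conflicting_replies(lines):
    """Return {ip: sorted distinct MACs} for each IP that was answered by more than one MAC.

    A single IP answered by two different MACs on one segment is exactly the
    symptom a proxy-ARP device competing with the real host would produce.
    """
    responders = defaultdict(set)
    for _ts, ip, mac in parse_arp_replies(lines):
        responders[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in responders.items() if len(macs) > 1}


def conflicts_involving(conflicts, suspect_mac):
    """Return the IPs whose conflicting responders include suspect_mac (e.g. the firewall)."""
    suspect_mac = suspect_mac.lower()
    return sorted(ip for ip, macs in conflicts.items() if suspect_mac in macs)


# Constructed sample capture (not real traffic). The AS/400 at 10.0.0.9 is answered
# by one MAC only; the PC at 10.0.0.25 is answered by its own NIC and by a second
# MAC that we pretend belongs to the firewall's inside interface.
FIREWALL_INSIDE_MAC = "00:50:56:de:ad:01"  # placeholder, not from the thread

SAMPLE_CAPTURE = [
    "10:15:01.000100 ARP, Request who-has 10.0.0.25 tell 10.0.0.9, length 46",
    "10:15:01.000350 ARP, Reply 10.0.0.25 is-at 00:0c:29:aa:bb:cc, length 28",
    "10:15:01.000420 ARP, Reply 10.0.0.25 is-at 00:50:56:de:ad:01, length 28",
    "10:15:03.500000 ARP, Request who-has 10.0.0.9 tell 10.0.0.25, length 46",
    "10:15:03.500200 ARP, Reply 10.0.0.9 is-at 00:09:6b:12:34:56, length 28",
]


if __name__ == "__main__":
    conflicts = find_conflicting_replies(SAMPLE_CAPTURE)
    for ip, macs in conflicts.items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for ip in conflicts_involving(conflicts, FIREWALL_INSIDE_MAC):
        print(f"{ip}: firewall MAC is among the responders (proxy ARP suspected)")
```

Feed it a real capture taken on the inside VLAN (for example the output of `tcpdump -n arp` saved to a file) and compare the second MAC in any conflict against the PIX inside interface's MAC. If the firewall shows up as a responder for addresses of ordinary inside hosts, that is the behaviour `sysopt noproxyarp inside` suppresses; if every IP has exactly one responder, the disconnects have a different cause.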
 