Firewall PAT address confusion

From: Jian Gu (guxiaojian@gmail.com)
Date: Sat Oct 06 2007 - 20:18:58 ART


Hi, all,

I have a firewall with its outside interface connecting to the Internet.
Assume that I am getting the 10.10.10.0/24 address space from my ISP, and
that the PIX outside interface IP address is 10.10.10.1. When PATing, I can
understand how it works if inside addresses are PATed to the outside
interface address, but my confusion comes when internal addresses are
instead PATed to some other address, say, when I PAT all internal addresses
to 10.10.10.2.

Here is my question: when traffic returns from the ISP router, the ISP
router will see 10.10.10.2 as a directly connected host and will try to ARP
for this IP, but this IP is not configured on any physical interface, so how
would the ISP router know that the traffic should be sent to the PIX outside
interface? The PIX should not proxy-ARP, because the destination is NOT on a
different subnet on this PIX, and the PIX should not respond to the ARP
request with its own MAC, because that could be any real IP in the
10.10.10.0/24 network.

Could it be that the PIX responds to ARP requests for the PAT address only,
with its own outside interface MAC?

Thanks,
Jian
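The behaviour the question is circling is what PIX/ASA does by default: the firewall proxy-ARPs on the outside interface for the mapped (global) addresses in its NAT/PAT rules, and only for those, so the ISP router learns the outside interface MAC for 10.10.10.2 and the returning frame is then untranslated through the xlate table. The following simulation is an added example written for this archive entry, not PIX code and not from the original poster; it models an outside interface with one real IP (10.10.10.1) plus one PAT address (10.10.10.2), answers raw ARP requests only for those two, and looks up a constructed xlate for the returning flow. The inside host 192.168.1.10, the MAC addresses and the port allocator starting at 1024 are all assumed for illustration.

```python
"""Simulate proxy-ARP for PAT/global addresses and the return-path xlate lookup.

Constructed example: not PIX/ASA code, only the logic its default behaviour implies.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Ethernet II header + RFC 826 ARP body for IPv4 over Ethernet (42 bytes)."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28], "spa": str(IPv4Address(frame[28:32])),
            "tha": frame[32:38], "tpa": str(IPv4Address(frame[38:42]))}


class OutsideInterface:
    """Model of the firewall's outside interface: its own IP plus the mapped
    (global) addresses used by its NAT/PAT rules. Constructed for illustration."""

    def __init__(self, ip: str, mac: str, mapped_addrs):
        self.ip, self.mac = ip, mac_bytes(mac)
        self.mapped_addrs = set(mapped_addrs)
        self.xlate = {}          # (mapped_ip, mapped_port) -> (real_ip, real_port)
        self.next_port = 1024    # assumed PAT port allocator, not the PIX algorithm

    def answers_arp_for(self, ip: str) -> bool:
        # Proxy-ARP only for the interface IP and the mapped addresses in the
        # NAT rules; any other address on the segment may be a real host.
        return ip == self.ip or ip in self.mapped_addrs

    def handle_arp(self, frame: bytes) -> Optional[bytes]:
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None
        if not self.answers_arp_for(req["tpa"]):
            return None   # stay silent: could be someone else's real IP
        return build_arp(ARP_REPLY, self.mac, req["tpa"], req["sha"], req["spa"])

    def pat_outbound(self, real_ip: str, real_port: int, mapped_ip: str) -> Tuple[str, int]:
        """Create an xlate for an inside flow; returns the (ip, port) the Internet sees."""
        assert mapped_ip in self.mapped_addrs, "PAT address must be a configured mapped address"
        key = (mapped_ip, self.next_port)
        self.next_port += 1
        self.xlate[key] = (real_ip, real_port)
        return key

    def untranslate_inbound(self, mapped_ip: str, mapped_port: int):
        """Frame delivered to the outside MAC: find the real host, or None (drop)."""
        return self.xlate.get((mapped_ip, mapped_port))


if __name__ == "__main__":
    fw = OutsideInterface("10.10.10.1", "00:11:22:33:44:55", ["10.10.10.2"])
    isp_mac = mac_bytes("aa:bb:cc:dd:ee:ff")          # assumed ISP router MAC
    mapped = fw.pat_outbound("192.168.1.10", 40000, "10.10.10.2")
    who_has = build_arp(ARP_REQUEST, isp_mac, "10.10.10.254", b"\x00" * 6, "10.10.10.2")
    print(parse_arp(fw.handle_arp(who_has)))       # reply carries the firewall MAC
    print(fw.untranslate_inbound(*mapped))          # ('192.168.1.10', 40000)
```

The practical caveat: on PIX/ASA this proxy-ARP for mapped addresses can be switched off (`sysopt noproxyarp <interface>`, or `no-proxy-arp` on an ASA 8.3+ `nat` rule), and then the ISP router needs a static route for 10.10.10.2 pointing at 10.10.10.1 or the return traffic is silently lost.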



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART