Re: Firewall PAT address confusion

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Oct 06 2007 - 23:11:28 ART


Jian, by default firewalls proxy-ARP for all global addresses; for example,
the Cisco ASA/PIX config guide reads:

"The security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. If you
use OSPF, and you advertise routes on the mapped interface, then the
security appliance advertises the mapped addresses. If the mapped interface
is passive (not advertising routes) or you are using static routing, then
you need to add a static route on the upstream router that sends traffic
destined for the mapped addresses to the security appliance."

With ASA/PIX you could disable this in specific situations with the 'sysopt
noproxyarp <interface>' command.

HTH

Farrukh

On 10/7/07, Jian Gu <guxiaojian@gmail.com> wrote:
>
> Hi, all,
>
> I have a firewall with its outside interface connecting to Internet,
> assuming that I am getting a 10.10.10.0/24 address space from my ISP, PIX
> outside interface IP address is 10.10.10.1, when PATing, I can understand
> that if inside addresses are PATed to outside interface address, but my
> confusion comes when internal addresses can also be PATed to any other
> address, say, I PAT all internal address to 10.10.10.2.
>
> Here is my question: when traffic returns from the ISP router, the ISP router
> will see 10.10.10.2 as a directly connected host and will try to ARP for this
> IP, but this IP is not configured on any physical interface, so how would the
> ISP router know that the traffic should be sent to the PIX outside interface?
> The PIX should not proxy-ARP, because the destination is NOT on a different
> subnet of this PIX, and the PIX should not respond to the ARP request with its
> own MAC, because there could be any real IP in the 10.10.10.0/24 network.
>
> Could it be that the PIX responds to ARP requests for the PAT address only,
> with its own outside interface MAC?
>
> Thanks,
> Jian
>
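An added example (not code from either poster and not Cisco's own logic) that models the behaviour described in the reply: it parses a constructed PIX-style config fragment, records which mapped addresses each interface owns, and answers whether the firewall would reply to an ARP request for a given address on a given interface, including the effect of `sysopt noproxyarp`. The config text, interface names and addresses are constructed; only single-address `global` and `static` lines are handled.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed PIX-style config fragment (assumption: not taken from a real device).
SAMPLE_CONFIG = """
ip address outside 10.10.10.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 10.10.10.2
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.10.10.5 192.168.1.5 netmask 255.255.255.255
"""


@dataclass
class ProxyArpModel:
    interfaces: dict = field(default_factory=dict)  # iface name -> IPv4Interface
    mapped: dict = field(default_factory=dict)      # iface name -> set of mapped IPv4Address
    noproxyarp: set = field(default_factory=set)    # interfaces with 'sysopt noproxyarp'

    @classmethod
    def from_config(cls, text):
        m = cls()
        for line in text.splitlines():
            line = line.strip()
            if mo := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
                m.interfaces[mo[1]] = ipaddress.IPv4Interface(f"{mo[2]}/{mo[3]}")
            elif mo := re.match(r"global \((\S+)\) \d+ (\S+)$", line):
                if mo[2] != "interface":  # 'interface' keyword = PAT to own address
                    m.mapped.setdefault(mo[1], set()).add(ipaddress.IPv4Address(mo[2]))
            elif mo := re.match(r"static \(\S+,(\S+)\) (\S+) ", line):
                m.mapped.setdefault(mo[1], set()).add(ipaddress.IPv4Address(mo[2]))
            elif mo := re.match(r"sysopt noproxyarp (\S+)$", line):
                m.noproxyarp.add(mo[1])
        return m

    def answers_arp(self, iface, target):
        """True if the firewall replies with its own MAC to 'who-has target' on iface."""
        target = ipaddress.IPv4Address(target)
        own = self.interfaces.get(iface)
        if own is not None and target == own.ip:
            return True  # its own interface address is always answered
        if iface in self.noproxyarp:
            return False  # proxy ARP disabled: only the upstream static route can help
        return target in self.mapped.get(iface, set())

    def needs_upstream_route(self, iface):
        """Mapped addresses outside the interface subnet; ARP never reaches them."""
        own = self.interfaces[iface].network
        return sorted(a for a in self.mapped.get(iface, set()) if a not in own)
```

Run against the sample: the PAT address 10.10.10.2 and the static 10.10.10.5 are answered on outside, an unrelated 10.10.10.77 is not, and adding `sysopt noproxyarp outside` silences the mapped addresses but not the interface's own IP.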



This archive was generated by hypermail 2.1.4 : Fri Nov 16 2007 - 13:11:12 ART