Connectivity lost in the DMZ (PIX) and ARP replies

Good afternoon. I have a PIX 515E with 6 interfaces.

PIX firewall# sh ver

Cisco PIX Firewall Version 6.3(3)

Cisco PIX Device Manager Version 3.0(1)

Compiled on Thu 13-Aug-03 13:55 by Manu

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

The computers in the DMZ sometimes lose connectivity with each other. I found the following problem: when a computer sends an ARP request, it receives a reply from both the intended computer and the PIX.

IP address of the PIX interface (dmz): 172.21.35.1

Connectivity test from the computer with IP 172.21.35.5, after clearing its ARP table:

> ping 172.21.35.4

Pinging 172.21.35.4 with 32 bytes of data:

Reply from 172.21.35.4: bytes=32 time<1ms

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 172.21.35.4:

Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

After the ping:

> arp -a

Interface: 172.21.35.5 --- 0x10003

Internet Address      Physical Address      Type

172.21.35.1           00-0d-88-ef-23-29     dynamic

172.21.35.2           00-0d-60-ec-85-32     dynamic

172.21.35.4           00-0d-88-ef-23-29     dynamic

Very strange: the MAC addresses of .1 and .4 are the same.

Ethereal, running on the same computer:

No. Time Source Destination Protocol Info

1 0.000000 172.21.35.4 Broadcast ARP Who has 172.21.35.1? Tell 172.21.35.4

Frame 1 (106 bytes on wire, 106 bytes captured)

Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

2 1.381832 172.21.35.2 172.21.35.5 ARP Who has 172.21.35.5? Tell 172.21.35.2

Frame 2 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 172.21.35.2 (00:0d:60:ec:85:32), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

3 1.381842 172.21.35.5 172.21.35.2 ARP 172.21.35.5 is at 00:11:25:a8:75:7e

Frame 3 (42 bytes on wire, 42 bytes captured)

Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: 172.21.35.2 (00:0d:60:ec:85:32)

Address Resolution Protocol (reply)

No. Time Source Destination Protocol Info

4 2.754731 172.21.35.5 Broadcast ARP Who has 172.21.35.4? Tell 172.21.35.5

Frame 4 (42 bytes on wire, 42 bytes captured)

Ethernet II, Src: 172.21.35.5 (00:11:25:a8:75:7e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

No. Time Source Destination Protocol Info

5 2.754839 172.21.35.4 172.21.35.5 ARP 172.21.35.4 is at 00:11:25:57:f9:2c

Frame 5 (106 bytes on wire, 106 bytes captured)

Ethernet II, Src: 172.21.35.4 (00:11:25:57:f9:2c), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (reply)

No. Time Source Destination Protocol Info

6 2.754968 172.21.35.1 172.21.35.5 ARP 172.21.35.4 is at 00:0d:88:ef:23:29

Frame 6 (60 bytes on wire, 60 bytes captured)

Ethernet II, Src: 172.21.35.1 (00:0d:88:ef:23:29), Dst: 172.21.35.5 (00:11:25:a8:75:7e)

Address Resolution Protocol (reply)

On the PIX:

# debug arp

782: arp-in: request at dmz from 172.21.35.4 0011.2557.f92c for 172.21.35.1 0000.0000.0000

783: arp-set: arp added dmz 172.21.35.4 0011.2557.f92c

784: arp-in: generating response from 172.21.35.1 000d.88ef.2329 to 172.21.35.4 0011.2557.f92c

793: arp-in: request at dmz from 172.21.35.5 0011.25a8.757e for 172.21.35.4 0000.0000.0000

794: arp-set: arp added dmz 172.21.35.5 0011.25a8.757e

795: arp-in: generating response from 172.21.35.4 000d.88ef.2329 to 172.21.35.5 0011.25a8.757e

Why does the PIX send a reply to the ARP request?

Hello

Maybe it's because of proxy ARP on the PIX. You can try disabling it on this interface with the command "sysopt noproxyarp".
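To spot this symptom in a capture without reading frames by hand, here is an added example (not from the thread or from Cisco) that parses raw Ethernet/ARP frames and flags two things: an IP answered by more than one MAC, and a MAC answering for more than one IP, which is what a proxy-ARP device looks like. The sample frames are constructed to mirror frames 1 to 6 of the Ethereal capture above plus the reply the PIX sends for its own address (debug line 784); the detection heuristics are my own.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying ARP over IPv4; return a dict with the
    opcode and sender/target MAC+IP, or None if the frame is not such an ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def build_arp(oper, sha, spa, tha, tpa):
    """Build a minimal Ethernet+ARP frame (no padding/FCS) for the sample data."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    return (struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def _reply_claims(frames):
    """Yield (sender_ip, sender_mac) for every ARP reply in the frame list."""
    for f in frames:
        arp = parse_arp_frame(f)
        if arp and arp["oper"] == ARP_REPLY:
            yield arp["sender_ip"], arp["sender_mac"]

def ips_with_conflicting_replies(frames):
    """IPs that more than one MAC claims in ARP replies (two 'is at' answers)."""
    claims = defaultdict(set)
    for ip, mac in _reply_claims(frames):
        claims[ip].add(mac)
    return {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}

def macs_answering_for_multiple_ips(frames):
    """MACs that answer for more than one IP: the signature of a proxy-ARP
    device such as the PIX DMZ interface in the thread."""
    owned = defaultdict(set)
    for ip, mac in _reply_claims(frames):
        owned[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in owned.items() if len(ips) > 1}

# Constructed sample mirroring the capture on 172.21.35.5, plus the reply the
# PIX (000d.88ef.2329) sends for its own address as seen in 'debug arp'.
PIX_MAC, HOST4_MAC = "00:0d:88:ef:23:29", "00:11:25:57:f9:2c"
HOST5_MAC, HOST2_MAC = "00:11:25:a8:75:7e", "00:0d:60:ec:85:32"
NO_MAC = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST4_MAC, "172.21.35.4", NO_MAC, "172.21.35.1"),
    build_arp(ARP_REPLY, PIX_MAC, "172.21.35.1", HOST4_MAC, "172.21.35.4"),  # PIX, own IP
    build_arp(ARP_REQUEST, HOST2_MAC, "172.21.35.2", NO_MAC, "172.21.35.5"),
    build_arp(ARP_REPLY, HOST5_MAC, "172.21.35.5", HOST2_MAC, "172.21.35.2"),
    build_arp(ARP_REQUEST, HOST5_MAC, "172.21.35.5", NO_MAC, "172.21.35.4"),
    build_arp(ARP_REPLY, HOST4_MAC, "172.21.35.4", HOST5_MAC, "172.21.35.5"),  # real host
    build_arp(ARP_REPLY, PIX_MAC, "172.21.35.4", HOST5_MAC, "172.21.35.5"),    # proxy ARP
]

if __name__ == "__main__":
    print(ips_with_conflicting_replies(SAMPLE_FRAMES), macs_answering_for_multiple_ips(SAMPLE_FRAMES))
```

On PIX 6.3 the reply's fix is applied per interface as sysopt noproxyarp followed by the interface name, and running this over a capture taken afterwards confirms the second "is at" answer for 172.21.35.4 is gone.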

Tags: Cisco Security
