Re: Ip aliasing error?

On Fri, Apr 08, 2005 at 01:21:36PM +0200, Carlos wrote:
> Hello List:
> Sorry for my English. I have a firewall with Debian Woody installed
> with a kernel 2.4.29. It is connected to the Internet through an HDSL
> line with a Cisco 1721 router in bridge mode. It has 5 public IPs
> configured by IP aliasing. The firewall works correctly, although for
> the last 4 or 5 days one of the configured IPs has not been accessible
> from the Internet. From inside the network it responds correctly.
> Doing ifdown and ifup on the interface does not fix anything. If I
> configure some host inside the network with that IP, it is accessible
> from the Internet. Finally, if I power off the router and power it on
> again, everything works correctly. Any suggestion?

It might be an ARP problem. Cisco ships its routers with an ARP cache TTL
of 4 hours.

So, if I understand correctly, you have the following setup:

Internet Line -------- Cisco Bridge  --------- FW with 5 interfaces

Now, if any address on the FW that is known to the bridge is connected
to other hardware than before, the Cisco will not pick up the change
until the ARP cache is cleared.

On the Cisco, check the ARP settings:

sh arp -- check coupling between ip and hw addresses with your FW.

You can also change the arp cache timeout to a more sane value.
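As an added illustration of the "sh arp" check above (this is not code from the thread), the script below parses Cisco-style `show arp` output and flags any of the firewall's aliased IPs whose cached hardware address is not the firewall's NIC, i.e. a stale entry still pointing at a previous host. The `show arp` sample, the 192.0.2.x addresses and all MAC addresses are constructed for the example.

```python
import re

# Constructed sample of Cisco `show arp` output; addresses and MACs are made up.
# Age is in minutes ("-" marks the router's own interface address).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1                -   00aa.bbcc.0001  ARPA   FastEthernet0
Internet  192.0.2.10              12   0011.2233.4401  ARPA   FastEthernet0
Internet  192.0.2.11              12   0011.2233.4401  ARPA   FastEthernet0
Internet  192.0.2.12             190   00aa.bbcc.dd99  ARPA   FastEthernet0
Internet  192.0.2.13              12   0011.2233.4401  ARPA   FastEthernet0
Internet  192.0.2.14              12   0011.2233.4401  ARPA   FastEthernet0
"""

# Constructed: the five aliased public IPs and the firewall NIC's MAC (Linux colon form).
FW_ALIASES = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"}
FW_MAC = "00:11:22:33:44:01"

# One ARPA entry: protocol, IP, age, dotted-triple MAC, type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)",
    re.IGNORECASE)


def cisco_mac_to_colon(mac):
    """Convert Cisco dotted form xxxx.xxxx.xxxx to colon form xx:xx:xx:xx:xx:xx."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_arp(text):
    """Return {ip: (mac_in_colon_form, age_minutes_or_None)} from `show arp` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header line or a non-ARPA entry
        ip, age, mac, _iface = m.groups()
        entries[ip] = (cisco_mac_to_colon(mac), None if age == "-" else int(age))
    return entries


def find_stale_aliases(entries, aliases, fw_mac):
    """Aliased IPs whose cached MAC is not the firewall's; the age shows how long
    the stale entry has survived (with the 4-hour default TTL, up to 240 min)."""
    stale = {}
    for ip in sorted(aliases):
        if ip in entries and entries[ip][0] != fw_mac.lower():
            stale[ip] = entries[ip]
    return stale
```

Run against real `show arp` output, a non-empty result names exactly the alias that stopped answering from the Internet and the MAC the router still believes owns it.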


