Snooping traffic between zones?

Hi fellow admins,
is there any supported method to snoop network traffic that's going on between two zones on the same machine?
I've tried the usual way with filtering for the IPs of both zones, but I see nothing.
My assumption goes that this comes from both zones running on two virtual instances of the same physical network interface,
and thus the traffic is handled internally, while snoop only sees traffic that actually goes out on the wires.
Any way to resolve this without splitting the zones over two servers?

I think that you would have to snoop the loopback interface in order to do this, unfortunately snooping of a loopback interface has so far only been implemented in Solaris Express..
.7/M.

Similar Messages

Network traffic between zones in the same Global zone

Hi,
I would like to know if the traffic between different zones that shares the same nic within the global zone goes to the switch they are are connected to and comes back, or remains within the global zone?
Example:
Local zone apache IP 10.0.0.2
Local zone oracle IP 10.0.0.3
Global zone IP 10.0.0.4
When Local zone apache contact Local zone oracle does the traffic go to the switch and then to Local zone oracle or just remains internal the Global zone?
Regards,
Younis

s-wilson wrote:
If the zone is on a different subnet from the global, the traffic would have to be routed back.That's not correct. As long as it is a shared-ip zone, traffic does not leave the box.
This is no different that a single-zone host that has interfaces on two subnets.
Darren

Multicast between zones in Solaris 10 3/05

Hi
We have a Solaris 10 3/05 installation, with different zones. We have written a pair of test programs to test multicast traffic between zones: one of them joins a given IP/port, and the other sends datagrams with dummy text to a given IP/port. We want to ensure multicast traffic between zones using 239.255.2.3, port 6155/6156 works seamlessly.
We started trying that IP between different machines (with no zones, or between global zones in different machines), and it worked. Then we tried between a non-global zone and the global zone of the same machine, and it worked. But then we tried between different zones in the same machine, and it didn't worked: datagrams are not reaching other zones but the global one.
�Any ideas about this? Using 239.255.2.3 is a must, and being a valid multicast IP, it should work out-of-the-box. All zones have an exclusive IP, and are in the same subnet (also the global zone).
Edited by: E.Corral on Aug 22, 2008 5:49 AM

The zones stuff is tightly integrated with much of the other OS infrastructure eg kernel, libraries etc.
Its not possible to upgrade just the zones stuff by installing packages.
You could upgrade the zones stuff by applying patches, but it will drag a lot of other stuff in as preqrequisites.
Just installing a recommended patch set should accomplish this.
But it may be simpler to just upgrade to 5/08 and be done with it. Liveupgade or upgrade install should work.

How to snoop traffic on PGW 2200 with Wireshark

How to snoop traffic between PGW 2200 & MGX 8880 with Wireshark?

I hope to have understood correctly your question.
1) enable the snoop on PGW using ./snoop_scrip in /opt/snoop/ path
2) collect the trace of the call and so stop the snoop usinf CTRL C
3) open wireshark
4) drag and drop the files generated from the snoop in wireshark
5) wireshark will ask to merge the file
P.S. PGW uses RUDP to communicate with the media gateway. Set the wireshark RUDP port (in Edit - Preferences - Protocols menu) according to PGW configuration.
Regards.

Capture http traffic between server and proxy

Hi,
I am not a solaris admin so I need some help to capture http traffic between proxy and server.
I used 'snoop port 80' on my proxy server but this command gives me the traffic between client and proxy.
PS: i do not have access to remote server.
Thanks
Linda

You probably need this instead:
snoop host server
where server is the hostname of the server that you are trying to connect to.
If you have multiple interfaces, you have to be sure you are snooping on the right interface.

ASA5505 - Blocking internal traffic between 2 servers

Hi guys/ladies
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2
Oct 27 2012
14:51:05
106007
10.50.15.6
55978
DNS
Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

Result of the command: "show cap asp | include 10.50.15.6"
15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163
16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389: udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53: udp 86
27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137: udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138: udp 237
29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138: udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53: udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53: udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

Traffic Between 2 Ports on Different VLANs on the Same Switch

Hi,
This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs so any additional context in that regard would be very welcome
If I've got 2 systems on difference VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch and i want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing but wondering if layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
Thanks in advance,
cisco_reader.

If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
If you decided to use a router, look up something called 'Router on a Stick' which involves creating a Trunk link from the 2950 to the Router and then setting up Subinterfaces on the Routers port to act as the 'Default Gateway' for each of your Vlans.

ASA 5510 Not able to route traffic between 2 LAN interfaces

Hi everybody,
I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic doe not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pin point me in the right direction since I am not an expert in Cisco but has to finish this by the end of the week.
Thank you,
Sigor
Here is my configuration:
ASA Version 8.2(2)
hostname Cisco
domain-name xxx.com
names
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address 101.101.101.101 255.255.240.0
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone EST -5
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name xxx.com
same-security-traffic permit inter-interface
object-group service Port-10000 tcp
port-object eq 10000
object-group service Port-8080 tcp
port-object eq 8080
object-group service Port-8011 tcp
port-object eq 8011
object-group service DM_INLINE_TCP_1 tcp
group-object Port-8080
port-object eq www
group-object Port-8011
object-group service DM_INLINE_TCP_2 tcp
group-object Port-10000
port-object eq https
port-object eq www
object-group service rdp tcp
port-object eq 3389
object-group service DM_INLINE_TCP_3 tcp
group-object rdp
port-object eq ftp
object-group service DM_INLINE_TCP_4 tcp
group-object Port-10000
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_5 tcp
group-object Port-8011
group-object Port-8080
port-object eq www
object-group service DM_INLINE_TCP_6 tcp
group-object Port-10000
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
group-object rdp
port-object eq ftp
access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp
access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Accounting 1500
mtu management 1500
ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (Accounting) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Accounting in interface Accounting
route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 Inside
http 20.0.1.0 255.255.255.0 Accounting
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 32608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256
-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 89.216.17.35
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 20.0.1.100-20.0.1.200 Accounting
dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
dhcpd lease 306800 interface Accounting
dhcpd domain abtscs.com interface Accounting
dhcpd enable Accounting
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy CiscoIPsec internal
group-policy CiscoIPsec attributes
dns-server value 192.168.10.30 192.168.10.19
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
default-domain value xxx.com
vpn-group-policy CiscoIPsec
tunnel-group 198.226.20.35 type ipsec-l2l
tunnel-group 198.226.20.35 ipsec-attributes
pre-shared-key *****
tunnel-group CiscoIPsec type remote-access
tunnel-group CiscoIPsec general-attributes
address-pool IPSecDHCP
default-group-policy CiscoIPsec
tunnel-group CiscoIPsec ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
: end

Without diving too deep into your config, I noticed a couple of things:
interface Ethernet0/1
description Inside Network
nameif Inside
security-level 90
ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
description Accounting
nameif Accounting
security-level 100
ip address 20.0.1.1 255.255.255.0
On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
access-list Inside permit ip any any
access-group Inside in interface Inside
The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
HTH,
John

WCCP on ASA & traffic between physical interfaces on ASA

Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit

common guys
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query???
Ankit

How to enable traffic between VPN clients in Windows Server 2012 R2?

Hello,
I installed Remote Access role with VPN.
IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
VPN server uses Windows Authentication and Windows Accounting.
With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
For example, VPN server has ip 192.168.99.5
VPN Client 1 - 192.168.99.6
VPN Client 2 - 192.168.99.7
I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
What else should I configure to allow network traffic between VPN clients?

Hi,
To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Having issues on ASA 5510 pass traffic between interfaces

I am trying to pass traffic between two internal interfaces but am unable to. Been searching quite a bit and have tried several things to no avail. I feel like there is a simple solution here I am just not seeing. Here is the relevant portion of my config:
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/2
nameif ct-users
security-level 100
ip address 10.12.0.1 255.255.0.0
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.12.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (ct-users) 0 access-list inside_nat0_outbound
nat (ct-users) 1 0.0.0.0 0.0.0.0
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group inside_access_in in interface ct-users
access-group inside_access_ipv6_in in interface ct-users
On both networks I am able to access the internet, just not traffic between each other.
A packet-tracer reveals the following (it's hitting some weird rules on the way):
cybertron# packet-tracer input inside tcp 192.168.5.2 ssh 10.12.0.2 ssh detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab827020, priority=1, domain=permit, deny=false
hits=8628156090, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
NAT divert to egress interface ct-users
Untranslate 10.12.0.0/0 to 10.12.0.0/0 using netmask 255.255.0.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad5bec88, priority=12, domain=permit, deny=false
hits=173081, user_data=0xa8a76ac0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab829758, priority=0, domain=inspect-ip-options, deny=true
hits=146139764, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad48c860, priority=6, domain=nat-exempt-reverse, deny=false
hits=2, user_data=0xad4b5e98, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside any ct-users 10.12.0.0 255.255.0.0
NAT exempt
translate_hits = 2, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3b1f70, priority=6, domain=nat-exempt, deny=false
hits=2, user_data=0xad62b7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,ct-users) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip inside 192.168.5.0 255.255.255.0 ct-users any
static translation to 192.168.5.0
translate_hits = 1, untranslate_hits = 15
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadf7a778, priority=5, domain=nat, deny=false
hits=6, user_data=0xad80cfd0, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) udp 184.73.2.1 1514 192.168.5.2 1514 netmask 255.255.255.255
match udp inside host 192.168.5.2 eq 1514 outside any
static translation to 184.73.2.1/1514
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8e2928, priority=5, domain=host, deny=false
hits=9276881, user_data=0xab8e1d20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad158dc0, priority=5, domain=nat-reverse, deny=false
hits=6, user_data=0xac0fb6b8, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.12.0.0, mask=255.255.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ct-users,inside) 10.12.0.0 10.12.0.0 netmask 255.255.0.0
match ip ct-users 10.12.0.0 255.255.0.0 inside any
static translation to 10.12.0.0
translate_hits = 0, untranslate_hits = 6
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xada0cd38, priority=5, domain=host, deny=false
hits=131, user_data=0xac0fb6b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.12.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad5c1ab0, priority=0, domain=inspect-ip-options, deny=true
hits=130, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 189385494, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ct-users
output-status: up
output-line-status: up
Action: allow

how are you testing? if you are pinging between the subnets, make sure you have disabled windows firewall and/or any other firewall that is installed on the PCs (remember to re-enable it later).
Are the NAT commands there because you were trying different things to get this working? I suggest you use the command no nat-control instead. Depending on the version of ASA you are running it may already be disabled by default. In version 8.4 and later nat-control has been removed completely.
Please remember to select a correct answer and rate helpful posts

Encrypting traffic between Sharepoint and SQL

We have a 2013 Environment used by internal and external users. External traffic (external users accessing the extranet site) is encrypted using SSL certs. Internal traffic (internal users to the intranet site) is not encrypted which is fine. We are being
asked by some auditors to encrypt traffic between SharePoint (WFE and APP servers) to SQL backend. What options do we have and how involved each one is? On SQL backend we know we can enforce encryption.
Thanks

When you say just enforce encryption on SQL does that mean no steps to take on SharePoint to facilitate the process? Will traffic be automatically encrypted once encryption is done on SQL?
Absolutely correct! You will need to restart the SQL Server service, which will cause a brief outage for SharePoint, but you do not need to do anything for SharePoint. You'll
probably want a certificate that is trusted by the SharePoint servers. I was personally using a Microsoft Certificate Authority server which hands out certificates to machine names and also hands out root certificates to all machines on the domain
(thus a trusted issuer). I am also using a SQL alias on my SharePoint servers, so the alias/SQL machine name mismatch is not an issue.
Once the SQL Server is set to encrypted, you can use the following T-SQL statement and validate the encrypt_option is TRUE. You may also consider adding a SPN to the SQL Server Service account (MSSQLSvc protocol) to enable Kerberos connections, which are
not only faster, but significantly more secure. You can use the same T-SQL statement to see if connections are using NTLM or Kerberos.
select * from sys.dm_exec_connections
Trevor Seward
Follow or contact me at...
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Using Xserve to route traffic between LANs

A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
Xserve is running Server 10.5.4

Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
You can route between any connected networks. There doesn't have to be any common elements in the IP address subnets.
I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe).

Encrypting vlan-trunk traffic between switches

Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switchces will be connected with fiber and use dot-1q tagging. And I wan't to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
Norway

Hi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the ammount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre and we want to create a VLAN trunk across and order to expand the broadcast domains to te other site.
The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
We also need to encrypt the datatraversing this connectivity.
MACsec wuold work 100% exept the source and dstination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
And that would cause me to eat into the 100 MAC limit.
Ridiculous I know, but we are looking for an out-of-the-norm plan...
Thanks

Which is the correct way to filter/block traffic between vlans?

Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
i have a more than 15 vlans. I want to block traffic between them except 2 vlans.
source vlan 3 deny destination vlan 4
#access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
and the oposite:
#access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
I have to do this for all VLANs, ono by one. Is that right?
Thanks.

There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not statefull you'll run into problems for the return-traffic if you woulf do that. And the return-traffic of course has to be allowed also.
Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter tehn with ACLs on the switch.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Snooping traffic between zones?

Similar Messages

Maybe you are looking for