Tracing a Route passing through firewall

Similar Messages

• Tracing a route passing through ASA

  Hi Everyone,
  Need help on tracing a route IP 192.168.27.0  that is passing through ASA
  i did sh route on ASA
  S    192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet
  so this means that this ASA is learning this route statically through int Xnet  right ?
  when i do sh int on ASA  it shows Xnet as interface.
  what should be my next step?
  also i am able to ping this IP from ASA  but whne i do sh arp it does not show this IP 192.168.27.251 and mac address
  Thanks
  Mahesh
  Message was edited by: mahesh parmar

  So I presume you have ASA5550 or you have bought addiotional 4 GigabitEthernet module.
  When you look at the ASA from the side where the physical ports are
  The usual ports (without the module) should be in the Right side
  The modules ports should be on the Left side
  The module should contain 8 ports
  4 Ports are for SFP slots (usually for fiber connections)
  4 Ports are for basic Ethernet connectivity
  The configuration should have some line "media-type" which defines which type is used "rj45" of "sfp"
  rj45 for Ethernet
  sfp for SFP module
  So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
  The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports
  Hope this helps. Hopefully I remembered that right.
  - Jouni

• Traffic not passing through firewall

  Ive got a problem with passing traffic through a Cisco 515e firewall.
  im trying to telnet to devices on the inside net, 172.16.x.x fom an outside net 10.x.x.x
  ive configured a group called infrastructure and added the 10.x.x.x addresses.
  ive configured acl 101 inbound on the outside interface:
  access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
  theres a route to the inside net:
  inside 172.16.0.0 255.255.0.0 172.16.163.1
  and theres a translation:
  static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
  when i try and connect, using a packet capture  I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface but i cant see the traffic leave the outside interface
  ive used the same group infrastructure group before to connect to VM machines on the 172.x.x.x net on RDP and this wrks ok.
  access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
  does anyone have any idea what is wrong?

  Hi Michael,
  Please post the output from below command.
  packet-tracer input outside icmp 10.4.4.34 8 0 172.16.163.7
  You may have to allow icmp travers temporarily on the ACL 101, to check the reachability.  
  Look forward to hear from you.
  thanks
  Rizwan Rafeek
  Message was edited by: Rizwan Mohamed

• IPSec pass-through in IOS router

  Is there any command need to enable IPSec pass-through on 2800 router?

  Assuming there are no ACLs on the interfaces, no. If there are ACL's on the interface(s) then you will need to allow it through via the ACL.
  HTH and please rate.

• Black box able to log traffic passing through...

  Hi
  I'm looking for a box able to sniff the tcp/ip traffic (source ip address, destination ip address and ports) passing from it's ingress interface to the egress interface and viceversa (useful the bypass option if this box fails) without any change of the traffic passing through, just logging it and sending this log to a syslog server.
  We need it as solution to be compliant with the new police law against computer criminals where is written that all the internet traffic has to be logged (we offer sometimes transparent internet access to our customers where we do not put any kind of equipment as firewall, proxy or something else, only the router providing the internet access).
  Do you know if Cisco provide something like that ? Other vendors ?
  Any other idea how to be compliant with this request ?
  Thanks
  Pls advise
  Ric

  Cisco Intrusion Prevention System Sensor can be used to log ip traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged

• Only some of the traffic passing through inline vlan pair

  Here is my network setup
     firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
  configuration in core switch
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  interface GigabitEthernet1/2.37
  description **** ****
  encapsulation dot1Q 237
  ip vrf forwarding VRF37
  ip address 10.2.37.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.37.75
  standby 1 priority 110
  standby 1 preempt
  interface TenGigabitEthernet9/1.11
  description ****   ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  configuration in Distribution switch:
  interface TenGigabitEthernet9/1.11
  description ****  ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.37
  description ********
  encapsulation dot1Q 337
  ip vrf forwarding VRF37
  ip address 10.2.37.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  i  have seggregated  n/w like this. i am using inline vlan  pair , to pass all the traffic through the IDSM module ,
  i am using the monitoring port gi0/8
  config in core switch
  intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
  IDSM
  physical-interfaces GigabitEthernet0/8
  subinterface-type inline-vlan-pair
  subinterface 11
  description
  vlan1 211
  vlan2 311
  exit
  subinterface 37
  description
  vlan1 237
  vlan2 337
  exit
  Problem i am facing is , some of the vlan-pair traffic passing through the IDSM some of the traffic are not passing , here i have given the statistics
  MAC statistics from interface GigabitEthernet0/8
     Statistics From Subinterface 11
        Statistics From Vlan 211
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
        Statistics From Vlan 311
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
  Statistics From Subinterface 37
        Statistics From Vlan 237
           Total Packets Received On This Vlan = 3189658726
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3549575166
           Total Bytes Transmitted On This Vlan = 64165872092928
        Statistics From Vlan 337
           Total Packets Received On This Vlan = 3549575166
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3189658726
           Total Bytes Transmitted On This Vlan = 64165872092928
     Statistics From Subinterface 38
        Statistics From Vlan 238
           Total Packets Received On This Vlan = 2215151150
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 126546964
           Total Bytes Transmitted On This Vlan = 64165866995200
        Statistics From Vlan 338
           Total Packets Received On This Vlan = 126546964
           Total Bytes Received On This Vlan = 64165866995200
           Total Packets Transmitted On This Vlan = 2215151150
           Total Bytes Transmitted On This Vlan = 64165872092928
  Give me idea experts , so that i can resolve this issue.
  Help me thanks in advance

  I believe the issue is because of the config below:
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  As you can see we have 2 ip subnets in the VRF 11 .73 &  .2 in vlan 211 & 311 respectively.
  The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
  What we need to remember is IDSM does not do routing, and it can only bridge vlans.
  Hence we have to force to packet to go through the IDSM.
  Here is what we do when we use IDSM to see traffic going between vlans.:
  Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
  IDSM2 in inline mode necessitates an additional artificial Vlan on the  SAME subnet as the Vlan you wish to sense.
  A layer 3 switch  interface  needs to be configured within this additional artificial Vlan.
  In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
  In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
  I can understand if this is a bit tricky to understand.
  Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
  It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
  https://supportforums.cisco.com/docs/DOC-12206
  - Sid

• Guest LAN and DHCP Options not passing through

  Managed to get the Guest LAN up and running for wired clients and all's working well.  Users are sat behind a proxy and if I force the use of a appropriate wpad file I can get the WLC auth to happen and then push off to the proxy.
  I'm trying to use option 252 in DHCP to present the WPAD url.  Only issue that happens is that while the DHCP server on the egress interface is handing out addresses to clients on the ingress interface correctly, the WLC doesn't appear to be handing through the option 252 I have set in DHCP.  I've used network monitor to see what the dhcp request process is dishing out in terms of options, and all look good if I'm not behind the WLC.
  Anyone know if theres a limitation on the WLC that prevents DHCP options being passed through to the guest LAN?
  TIA

  When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.
  For more information please refer to the link-http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

• IPSec Pass Through on ASA

  I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPSec tunnel to another firewall. The IPSec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA but it is not being allowed to pass through to the inside interface.I have enabled NAT-T on the thrid party firewall but it still does not get the reply traffic becuase it gets stopped at the Cisco ASA.
  Any thoughts?

  Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
  Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
  packet-tracer input outside udp 500 500 detail
  If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
  Please reply with packet-tracer results.
  Kind Regards,
  Kevin
  **Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.

• How can I see how much data passes through my Time Capsule?

  I am thinking of using a cellular data plan at home. My current, rural internet provider is slow and unreliable. I use a MiFi as a backup and have 4G service which is much faster and rarely goes down. I need to see how much data is downloaded and uploaded to compare costs. All our data passes through my Time Capsule.

  A similar app to what Bob mentions is peakhour.. it works on any of the newer OS.
  https://itunes.apple.com/au/app/peakhour/id468946727?mt=12
  It is a good app. BUT.. fat ugly BUTT.. just the same as Bob has explained, it depends on SNMP to work.. and so due to apple removing a very useful and functional protocol from its airport range you can no longer use it. Bizarre.
  I strongly recommend a Netgear WNDR3800 (older model now but you can pick up one cheaply on ebay) and a 3rd party firmware called gargoyle. Apple delete my posts if I point you to it, so you will have to search yourself.
  Replace your tall TC with the Netgear as the main router.. bridge the TC to it and you can continue to use its wireless and for TM backups. The advantage is that gargoyle will not only measure everyones usage, by IP, it is able to set a quota on everyone using the net and you can set that quota for hourly, daily or weekly or monthly. It will track the usage and you can see at a glance what everyone has used.
  It is simple to load.. just like a standard firmware update. The interface is as clear as anyone can make it with such of lot of tools. And the actual router is powerful enough to provide excellent QoS and parental controls on top of measurements and quota.

• RV042G cannot support more than 2-3 IPSec Pass through connections

  Hi,
  I'm trying to figure out what the max number of IPSec VPN pass through connections the RV042G can handle.  We bought an RV042G router to replace our old RV042 box which was running into connection limitations.  There are approximately 15 people in the office and anywhere from 5-8 of them need to vpn to a single client site.   There seems to be an issue with UPNP where it creates the proper port forwarding but doesn't associate it with an internal IP address.  Giving each workstation a static internal IP doesn't solve this issue.  The remote site we are connecting to does have NAT-T turned on.  What ends up happening is that after a while, users cannot vpn.  Sometimes it happens with fewer than three users.  Clearing the UPNP and rebooting the router helps but eventually if you connect and disconnect, a few times, you're hosed.   The UPNP doesn't release the setting it makes in a timely fashion.  Is there any way to fix this besides turning off UPNP which we need for other software to work?

  Lenovo support (for me in Canada at least) is based in Atlanta, so I'm surprised you found a tech with bad English...
  Your problems sound like windows problems, not hardware problems -- are you running XP or Windows7? If you google based on your OS, there are threads to be found on slowing down the start menu behaviors.

• AAA Authentication for Traffic Passing through ASA

  I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
  Am I missing something?
  firewall# show run aaa
  aaa authentication http console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication match guestnetwork_access guestnetwork RADIUS
  aaa authentication secure-http-client
  firewall# show access-li guestnetwork_access
  access-list guestnetwork_access; 2 elements
  access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
  access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
  firewall# show run aaa-s
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.250.14
  key xxxxx
  firewall# show run http
  http server enable

  your definition for the aaa-server is different to the aaa authentication server-group
  try
  aaa authentication http console RADIUS LOCAL
  aaa authentication telnet console RADIUS LOCAL

• OSB 11g with  PASS-THROUGH PROXY

  hello all,
  I my designing on latest Fusion Middleware 11g Release 1 (11.1.1.5.0)
  a http soap based osb proxy service wraped around owsm saml2.0- sender- vouches-message-protection service policy
  a http soap based osb business service wrapped around owsm saml2.0- sender- vouches-message-protection client policy
  a standalone client is calling this Passive Intermediary Proxy
  In case of pass-through proxy service,
  I would like to know that is it necessary that the policy contract between client --->proxy should be similar to proxy--->backend
  I think so, because proxy is not atall touching the entire stuff starting from <soap:envelope>.........</soap:envelope>
  So client-sent tokens etc. must match with what back end service requires.
  In general, what am I buying by routing the client call through pass-through proxy service if the back-end webservice requires that entire message must by encrypted. In this case there is nothing open for the proxy to view and make any decisions based on that through its pipeline pairs etc.

  Check out the following link...
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

• Sip passing through nat but rtp is not - no audio

  Sip passing through nat but rtp is not
  I'm looking at traffic leaving my router with a sniffer. I see SIP traffic but I do not see RTP traffic.  The phones ring on both sides but I do not get any audio.
  interface f0/0.100
  ip address 192.168.10.1 255.255.255.0
  ip nat outside
  ip nat pool VoIP 192.168.10.1  192.168.10.1 prefix-length 24
  ip nat inside source route-map VoIP pool VoIP overload
  ip nat inside source static tcp 10.1.1.2 49201 192.168.10.54 49201 extendable
  access-list 1 permit ip host 10.1.1.2 any
  route-map VoIP permit 10
  match ip address 1
  match interface  f0/0.100
  set interface  f0/0.100

  Hello,
  You can enable "ip nat service sip" or "ip nat service h323" and "ip nat
  service h225" commands. As per the documentation, they are enabled by
  default. In the latest IOS there is a new feature added to Cisco IOS that
  ensures that even RTP packets get translated to one of the allowed ports as
  specified by the RFC. The command to enable the feature is "ip nat service
  allow-sip-even-rtp-ports"
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/pro
  d_white_paper0900aecd80597bc7.html
  Hope this helps.
  Regards,
  NT

• Modem Pass through to remote PBX

  Dear All,
  I would like to use the cisco router 3640 (with T1 card) and cisco 2621 (with 2 x FXS card) to simulate the network & pstn environment to test the modem pass through, here is the detail connection:
  Analog Phone (Ext: 451660) <--> [FXS] Cisco Router 2621 <---- LAN ----> Router 3640 [T1] <--> [T1] PBX (Panasonic) <--> Analog Phone (Ext: 454820, Modem)
  The dial-peer on the router 2621 & 3640 is working as I can call in/out from PBX analog phone, and I was success to connect the PC (with modem port, and use the hyperterminal, atdt454820) from Outside PC (with modem port, Ext: 451660).
  But I was fail to dial-out from PBX analog phone (454820) to 451660.
  From Cisco router 2600:
  dial-peer voice 45166 voip
  destination-pattern 45166.
  modem passthrough nse codec g711ulaw redundancy
  session target ipv4:192.168.0.60 (Router 3640)
  From Cisco router 3640
  dial-peer voice 454820 voip
  destination-pattern 454820
  modem passthrough nse codec g711ulaw redundancy
  session target ipv4:192.168.0.44 (Router 2600)
  Here is the link I try to follow to do:
  http://www.cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtmodptr.html
  I would like to know if there is any miss-configure or how can I troubleshoot (to find out the cause) which I cannot connect from PBX' PC.
  Thanks!

  Note that anytime a call traverses a voice gateway, we match *two* dial-peers, not one.  We match one inbound, and one outbound.  In your scenario, if the FXS side originates the call, it would be:
  fxs(inbound pots)router(outbound voip)----LAN-----(inbound voip)router(outbound pots)---T1
  The algorithm for how this works is documented in this link.  I recommend having a few reads over this:
  http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010fed1.shtml
  If you can get these debugs, I can take a deeper look into the failure:
  debug voip ccapi inout
  debug isdn q931
  debug vpm sig
  debug h225 asn1
  debug h245 asn1
  Collect these in the following manner:
  Router(config)# service sequence
  Router(config)# service timestamps debug datetime msec
  Router(config)# logging buffered 10000000 7
  Router(config)# no logging con
  Router(config)# no logging mon
  Router(config)# voice iec syslog
  Router# term len 0
  Router# sh logg
  Also send the full configs of both gateways.
  -Steve

• Simple pass-through application

  I have a computer with 2 network connectors on it, and would like to write a very simple application to pass data from one connector to the other. This means that if I connect one connector to a router and the other to another computer, the second computer should behave as if it were directly connected to the router because the multi-homed machine is simply passing data back and forth.
  This code could form the basis of an application to log all of the data passed back and forth or to possibly filter the traffic that passes through. This is what I'd ultimately like to do, but for now, I'm still struggling with how to simply pass data back and forth, and do things like opening ports when requested.
  I'm not sure whether this is a very simple application (I think it is) or a very complex one. Anyone have any ideas how to do this simply? Any references to anyything like this?
  Sander Smith

  Maybe I'm not making myself clear about what I want to do.
  Let's say I have a computer with two NICs. In one of the NICs I'd like to plug a network-enabled web cam into. This web cam has a web server built into it, and will try to open port 80 for inbound connections. My computer should allow the web cam to "think" it is connected to a router and allow this to happen, and open up port 80 on the other NIC that's attached to a router on the real internet. Any browser that connects to this port 80 will have its requests simply forwarded to the web cam. Needless to say, anything that the web cam tries to do such as send data out should be mimicked on the on the interface. In this way, we've built a simple pass-through program that transparently passes data back and forth.
  It would seem that writing a little application to simply pass data from one NIC to the other should be very simple. Why would I want this? Well, I really don't. It is just the first step to building the real program where I allow some kind of filtering to happen on the data going by. For instance, imagine the web cam has no zoom feature. My program in the middle can provide this feature by watching the data go by, and simply zooming in on the images that are being returned. This is why using some existing program won't work for me: I want to be able to control the filtering in the middle.
  Anyone have any ideas on how to do this simply?
  Sander