View Traffic

Unanswered Question
Mar 23rd, 2007

Cisco 2620

LAN <-> ASA <-> 2620 <-> Internet


All internal clients are able to connect to the Internet (including icmp) but one. From the failed client I tried pinging to an outside source; the ASA shows traffic leaving the network but the ping fails. So, I ran a traceroute from the client and the route dies at the external interface of the 2620. The 2620 is basically wide open. Any ideas on why or how I can view traffic from the client when it touches the 2620?


Thanks!


silrodri05 Fri, 03/23/2007 - 12:04

Rob,


One easy way to see this traffic is using ip account on the 2620, you can apply the ip account on inside interface of 2620 and see the traffic flow. To apply "ip account":

1 - conf t

2 - int f0/0 (ex.)

3 - ip accounting output-packets

4 - end



To see the traffic use "sh ip account". You can use other ways to see this traffic, such as debugs, SPAN and so on.


Best Regards,

Rodrigo

Jon Marshall Fri, 03/23/2007 - 12:10

Rob


Could you send the routing tables of the 2620 and the ASA and the source IP address of the client that is failing?


Jon

r-livermore Fri, 03/23/2007 - 13:01

***** 2620 *****

Gateway of last resort is 64.1.3.121 to network 0.0.0.0

64.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

C 64.1.16.64/27 is directly connected, Ethernet0/0

C 64.1.3.120/30 is directly connected, Serial0/0

S 64.1.16.0/24 [1/0] via 192.168.1.1

C 192.168.1.0/24 is directly connected, Ethernet0/0

S* 0.0.0.0/0 [1/0] via 64.1.3.121



***** ASA *****

S 0.0.0.0 0.0.0.0 [1/0] via 64.1.16.65, outside

C 64.1.16.64 255.255.255.224 is directly connected, outside

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 172.16.1.0 255.255.255.0 is directly connected, dmz

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 192.168.11.0 255.255.255.0 is directly connected, mitel

C 192.168.12.0 255.255.255.0 is directly connected, inter-tel

C 192.168.13.0 255.255.255.0 is directly connected, toshiba

C 192.168.14.0 255.255.255.0 is directly connected, shoretel



***** Client *****

192.168.1.19/24

Gateway 192.168.1.0

silrodri05 Fri, 03/23/2007 - 13:07

Rob,


The client gateway is wrong. 192.168.1.0 is the network address of net 192.168.1.0/24; fix this address and try again.


Best Regards.

Jon Marshall Fri, 03/23/2007 - 16:25

Rob


I'm a little confused.

Your ASA device shows the 192.168.1.x network being on the inside interface.

Your 2620 is saying that the 192.168.1.x network is directly connected on ethernet0.


Might be just having a bad moment but could you explain as your diagram in your original post seems to suggest this is not possible.


Are the other clients that work also out of the 192.168.1.x network?


Jon

r-livermore Mon, 03/26/2007 - 12:19

Jon,

Maybe this will help clarify? "ip route", which was asked for in an earlier post, does not clearly display the interface configuration.


Yes the clients that work reside in the same subnet - 192.168.1.0/24.


2620

e0 64.1.16.65 - outside

s0 64.1.3.121

gw 64.1.3.122


ASA

e0 64.1.16.66 - outside

e1 192.168.1.1 - inside

gw 64.1.16.65


clients

192.168.1.0/24

gw 192.168.1.1


nyr.hakeem-habeeb Fri, 03/23/2007 - 20:01

Hi


to view packets from your clients touching the 2620 you could run the ffg on the 2620;



r1#term mon

r1#debug ip packet


****** sample output *******


Mar 24 02:54:20.649: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:20.677: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.677: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 260, forward

Mar 24 02:54:20.677: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.677: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:20.693: IP: s=86.133.111.30 (Vlan100), d=198.133.219.25 (Dialer0), g=198.133.219.25, len 40, forward

Mar 24 02:54:20.693: IP: s=86.133.111.30 (Vlan100), d=198.133.219.25 (Dialer0), g=198.133.219.25, len 40, forward

Mar 24 02:54:20.873: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.873: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:21.389: IP: tableid=0, s=192.168.1.4 (local), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:21.513: IP: s=192.168.1.3 (Vlan100), d=224.0.0.5, len 84, rcvd 0

*********************************************


To switch off you could "u al". You could also create an access-list to match only the traffic you're interested in, e.g. "debug ip packet 100".


Thanks
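
A small parser for the `debug ip packet` line format shown in the sample output above, added here as an illustration and not part of the original post: it lists source/destination pairs that were forwarded but never show return traffic, the symptom described in the question. The sample lines and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the "debug ip packet" format quoted in the post above.
# Addresses are made up: 192.0.2.10 never gets a reply, 192.0.2.20 does.
SAMPLE = """\
Mar 24 02:54:20.649: IP: tableid=0, s=192.0.2.10 (Ethernet0/0), d=198.51.100.7 (Serial0/0), routed via RIB
Mar 24 02:54:20.649: IP: s=192.0.2.10 (Ethernet0/0), d=198.51.100.7 (Serial0/0), g=203.0.113.1, len 84, forward
Mar 24 02:54:20.677: IP: s=192.0.2.20 (Ethernet0/0), d=198.51.100.7 (Serial0/0), g=203.0.113.1, len 84, forward
Mar 24 02:54:20.693: IP: s=198.51.100.7 (Serial0/0), d=192.0.2.20 (Ethernet0/0), g=192.0.2.20, len 84, forward
Mar 24 02:54:21.513: IP: s=192.0.2.1 (Ethernet0/0), d=224.0.0.5, len 84, rcvd 0
"""

# Optional parts: "tableid=", the destination interface, "g=" and "len".
LINE = re.compile(
    r"IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+) \((?P<src_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dst_if>[^)]+)\))?, "
    r"(?:g=(?P<gw>[\d.]+), )?(?:len (?P<len>\d+), )?"
    r"(?P<action>.+)$"
)

def parse(text):
    """Return one dict per recognised debug line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.search, text.splitlines()) if m]

def forwarded(records):
    """Count forwarded packets per (source, destination) pair."""
    return Counter((r["src"], r["dst"]) for r in records
                   if r["action"] == "forward")

def one_way(records):
    """Pairs that were forwarded but whose reverse direction never appears."""
    seen = forwarded(records)
    return sorted(pair for pair in seen if (pair[1], pair[0]) not in seen)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for src, dst in one_way(recs):
        print(f"no return traffic seen: {src} -> {dst}")
```

`debug ip packet` only reports process-switched packets, so a pair listed here is a lead to check rather than proof that the reply never arrived.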



r-livermore Mon, 03/26/2007 - 12:22

I've never tried using ffg but I'll give it a whirl, thanks for the tip!

r-livermore Tue, 03/27/2007 - 07:44

Can someone please clarify defining an access-list?


Is it as simple as:

r1#access-list 100 permit ip any host 192.168.1.19


Then:

r1#ip access-group 100 out


or am I oversimplifying?

oquinones Mon, 07/16/2007 - 08:49

Good afternoon:

I am in a similar situation as far as analyzing the traffic hitting my 2621 as well as its response to it.


What does "routed via RIB" mean at the end of the log transaction? Is there any difference between "forward" and "routed via RIB"?
