02-14-2008 04:37 AM - edited 03-11-2019 05:02 AM
Hi,
Here I have shown some of the established connections. Moreover, I have given all the necessary access in my firewall, but there is no data flow; only SYN connections are being established. These connections are established after passing through some hops from outside to inside. Kindly let me know from which part I have to troubleshoot (firewall, router or application).
TCP out 10.2.79.178:3833 in 10.2.40.35:8000 idle 0:01:35 Bytes 0 flags SaAB
TCP out 10.1.139.162:4373 in 10.2.40.35:8000 idle 0:01:42 Bytes 0 flags SaAB
I need to establish the connections with data flow; only then would it be a meaningful connection.
02-14-2008 05:24 AM
"B" indicates an initial SYN from outside to inside; A means awaiting SYN-ACK.
This means your local server did not respond with a SYN-ACK to this SYN request, which was generated from outside.
Check the default gateway on your local server 10.2.40.35.
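The flag reading above is the whole diagnosis, so here is a small triage script for `show conn` output as an added example (my code, not part of the thread or of any Cisco tool). The flag table is my transcription of the PIX/ASA `show conn` legend and covers only the handshake and data flags the classification needs; the sample lines are the two from the original post plus one constructed established connection for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flag meanings transcribed by me from the Cisco PIX/ASA "show conn" flag legend.
# Assumption: this subset is all the diagnosis below needs; other flags are passed through.
FLAG_MEANING = {
    "B": "initial SYN from outside",
    "S": "awaiting inside SYN (SYN half of the inside host's SYN-ACK)",
    "A": "awaiting inside ACK to SYN",
    "s": "awaiting outside SYN (SYN half of the outside host's SYN-ACK)",
    "a": "awaiting outside ACK to SYN",
    "U": "up (three-way handshake complete)",
    "I": "inbound data seen",
    "O": "outbound data seen",
}

# One "show conn" line, e.g.
# TCP out 10.2.79.178:3833 in 10.2.40.35:8000 idle 0:01:35 Bytes 0 flags SaAB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<oip>[\d.]+):(?P<oport>\d+)"
    r"\s+in\s+(?P<iip>[\d.]+):(?P<iport>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d)\s+Bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
)


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle_s: int
    byte_count: int
    flags: str


def idle_seconds(text: str) -> int:
    """'0:01:35' -> 95."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line: str) -> Optional[Conn]:
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    return Conn(m["proto"], m["oip"], int(m["oport"]), m["iip"], int(m["iport"]),
                idle_seconds(m["idle"]), int(m["bytes"]), m["flags"] or "")


def diagnose(c: Conn) -> str:
    """Classify a connection from its flags: which side is stuck in the handshake."""
    f = set(c.flags)
    if "U" in f:
        return "ESTABLISHED"
    if "B" in f:                                 # SYN came from outside
        if "S" in f:                             # inside host never sent its SYN-ACK:
            return "INBOUND_SYN_NO_REPLY"        # suspect server, its gateway, or return route
        return "INBOUND_SYNACK_NO_FINAL_ACK"     # inside replied, outside's ACK never arrived
    if "s" in f:                                 # SYN came from inside, no SYN-ACK from outside
        return "OUTBOUND_SYN_NO_REPLY"
    if "A" in f:
        return "OUTBOUND_SYNACK_NO_FINAL_ACK"
    return "UNKNOWN"


def explain_flags(flags: str) -> List[str]:
    return [FLAG_MEANING.get(ch, f"{ch}: (not in table)") for ch in flags]


def triage(show_conn_output: str) -> List[Tuple[Conn, str]]:
    results = []
    for line in show_conn_output.splitlines():
        c = parse_conn_line(line)
        if c is not None:
            results.append((c, diagnose(c)))
    return results


# Constructed sample: the two half-open entries from the post, plus one healthy connection.
SAMPLE = """\
TCP out 10.2.79.178:3833 in 10.2.40.35:8000 idle 0:01:35 Bytes 0 flags SaAB
TCP out 10.1.139.162:4373 in 10.2.40.35:8000 idle 0:01:42 Bytes 0 flags SaAB
TCP out 10.2.79.178:3900 in 10.2.40.35:8000 idle 0:00:02 Bytes 4120 flags UIO
"""

if __name__ == "__main__":
    for c, verdict in triage(SAMPLE):
        print(f"{c.out_ip}:{c.out_port} -> {c.in_ip}:{c.in_port} [{c.flags}] "
              f"idle {c.idle_s}s bytes {c.byte_count}: {verdict}")
        for meaning in explain_flags(c.flags):
            print("   ", meaning)
```

Paste the real `show conn` output into `SAMPLE` (or feed it to `triage()`); a run of `INBOUND_SYN_NO_REPLY` entries with `Bytes 0` toward one inside host is the pattern in this thread, and it points past the firewall to the server or to its return path.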
02-14-2008 06:49 AM
Thanks abinjola.
The gateway seems to be correct.
Outside(10.x)---R1--R2--F--CrSw---Server(10.2.40.35)
R-router
F-Firewall
CrSw-CoreSwitch
The server gateway is set to the CrSw management IP.
If I tracert from outside to the server, it stops at R2. I think the firewall won't show its interface IPs. Once connections are established, that means there is no problem at the firewall end, right?
02-14-2008 07:05 AM
Well, yes, you are correct: tracert doesn't show the firewall interface IPs as hops. Check whether you are blocking ICMP on R2 or on the firewall outside interface; that is the reason tracert or ping is not going through.
Coming down to the original issue, it seems either the switch (CrSw) or the server is dropping the SYN request and not replying to it.
Set up packet captures on the inside interface of the PIX, which would verify whether there is any return reply from the server:
! match both directions between the outside source and the server
access-list abc permit ip host <10.x.x.x> host 10.2.40.35
access-list abc permit ip host 10.2.40.35 host <10.x.x.x>
capture cpi access-list abc packet-length 1518 interface inside
10.x.x.x is the outside source IP.
show capture cpi (after you initiate the test)
Also take syslogs at debug level, which would show the SYN timeout.
02-15-2008 01:18 AM
Hi,
Thanks for your response. You are absolutely correct. The link terminated on router R2 is the redundant link; the primary link is terminated on another router, with one more firewall (F2) that also connects to CrSw. So we already have a return route in CrSw pointing to F2, and we cannot add one more route on the same device (CrSw) for the same destination. It would only work if we changed the route manually when the link goes down, or, if you have any other solution, kindly let me know. The big limitation here is that we are unable to change the design; we have to achieve the routing with the present design only. I think it will not be possible, only with a manual route change.
02-15-2008 01:34 AM
I am glad we were able to figure it out...
Now we need a route on CrSw back to the FW, since the original source IP from outside is not NATed. But if you NAT the source IP to the firewall inside interface as well (called outside NAT), then the switch would receive the packet with the source translated to the firewall inside IP address, and therefore for the return reply the firewall would proxy and the packet would go through.
Add this:
! the trailing "outside" keyword marks this as outside NAT (lower- to higher-security);
! narrow 0.0.0.0 0.0.0.0 to the outside source addresses you actually need
nat (outside) 1 0.0.0.0 0.0.0.0 outside
global (inside) 1 interface
See if this works!
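To make the routing argument in the reply above concrete, here is an added example (my code, not from the thread) that simulates CrSw's forwarding decision for the server's SYN-ACK with and without outside NAT. The server and client addresses are the ones from the thread; the firewall inside interface addresses, the /30 links and the CrSw routing table are my assumptions, constructed to match the topology the poster described (return route toward outside pointing at F2).

```python
import ipaddress
from typing import List, Optional, Tuple

# Addresses taken from the thread: the server and one outside client.
SERVER = ipaddress.ip_address("10.2.40.35")
CLIENT = ipaddress.ip_address("10.2.79.178")

# Assumed addresses (not in the thread): inside interfaces of the two firewalls on CrSw.
F1_INSIDE = ipaddress.ip_address("10.2.41.1")   # F, the firewall on the redundant link via R2
F2_INSIDE = ipaddress.ip_address("10.2.42.1")   # F2, the firewall on the primary link

# Constructed CrSw routing table: (prefix, next hop); None means directly connected.
CRSW_ROUTES = [
    (ipaddress.ip_network("10.2.40.0/24"), None),        # server VLAN
    (ipaddress.ip_network("10.2.41.0/30"), None),        # link to F
    (ipaddress.ip_network("10.2.42.0/30"), None),        # link to F2
    (ipaddress.ip_network("10.0.0.0/8"), F2_INSIDE),     # existing return route toward outside
    (ipaddress.ip_network("0.0.0.0/0"), F2_INSIDE),
]


def lpm(routes, dst):
    """Longest-prefix match: the most specific route whose prefix contains dst."""
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def return_path(routes, client, ingress_fw, outside_nat_to=None):
    """Where CrSw forwards the server's SYN-ACK.

    outside_nat_to: the firewall inside IP the client's source was translated to,
    or None when the original source address was preserved.
    Returns (reply destination, next hop, True if the reply reaches the firewall
    that forwarded the SYN, i.e. the path is symmetric).
    """
    dst = outside_nat_to if outside_nat_to is not None else client
    _, next_hop = lpm(routes, dst)
    hop = next_hop if next_hop is not None else dst   # connected subnet: deliver to dst itself
    return dst, hop, hop == ingress_fw


def main():
    cases = (("no outside NAT", None), ("outside NAT to F inside", F1_INSIDE))
    for label, nat in cases:
        dst, hop, sym = return_path(CRSW_ROUTES, CLIENT, F1_INSIDE, nat)
        state = "symmetric" if sym else "ASYMMETRIC: F never sees the SYN-ACK, conn stays SaAB"
        print(f"{label}: SYN-ACK for {dst} -> next hop {hop} ({state})")


if __name__ == "__main__":
    main()
```

Without translation the reply is addressed to 10.2.79.178, the /8 route wins and the packet leaves via F2, so F's connection never completes. With the source translated to F's inside address the reply lands on a directly connected /30 and reaches F regardless of what the /8 route says, which is why no extra route on CrSw is needed.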
02-23-2008 02:42 AM
Hi abinjola,
Thank you very much for your response. I was unable to check it out; my router team achieved it at the router level itself. I think it will work.