06-25-2008 04:37 AM - edited 03-11-2019 06:04 AM
Hi
I am trying to get RADIUS traffic through an FWSM.
Inbound:
interface Vlan817
nameif NetworkServices
security-level 20
ip address 10.128.1.81 255.255.255.240
Outbound:
interface Vlan777
nameif TestLDAP
security-level 100
ip address 10.128.1.129 255.255.255.252
I have a very basic config on this firewall and a "permit udp any any" plus a "permit ip any any" in the ACL.
TCP conversations come through with no problem, e.g. I can TELNET from SRC to DST. However, I can't seem to get the UDP traffic through.
I have configured a CAPTURE and can see the radius traffic hitting the interface.
127: 17:00:14.3775773538 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 344
128: 17:00:14.3775773698 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 379
129: 17:00:15.3775774088 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 413
130: 17:00:15.3775774088 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 417
However, I get no hits on the ACL. PERMITs or DENYs.
It's as if the UDP traffic is getting dropped before being processed through the ACL.
Any ideas?
Thanks
Senan
06-25-2008 08:31 AM
have you an acl "permit ip any any" applied to the inside interface?
06-25-2008 11:43 PM
No
I just have an ACL applied on the outside interface:
interface Vlan817
nameif NetworkServices
security-level 20
ip address 10.128.1.81 255.255.255.240
That's where the UDP traffic comes from.
I have no relevant ACL on the inside interface. Just ACE entries for other traffic.
interface Vlan777
nameif TestLDAP
security-level 100
ip address 10.128.1.129 255.255.255.252
Thanks
Senan
06-25-2008 11:45 PM
Correction
I have a permit ip any any at the end of the inside interface ACL. These interfaces are still in test...
Is this the problem???
Thanks
Senan
06-26-2008 09:26 PM
Could you show the config.
On FWSM, traffic from a high security level to a low security level is DENIED.
That is the difference between FWSM and ASA,
so you must have
access-list INSIDE_IN permit ip any any
access-group INSIDE_IN in int inside
06-27-2008 12:07 AM
Yes
I was aware of this. I have permit ip any any on both ingress and egress interfaces as these interfaces are still under test.
Here's some captures on the ingress interface:
fwcwkwdmzcore1/NetworkServices(config)# access-list capture-acl extended permit ip 10.128.2.224 255.255.255.224 10.128.4.240 255.2$
fwcwkwdmzcore1/NetworkServices(config)# access-list capture-acl extended permit ip 10.128.4.240 255.255.255.240 10.128.2.224 255.2$
fwcwkwdmzcore1/NetworkServices(config)# Access Rules Download Complete: Memory Utilization: 1%
fwcwkwdmzcore1/NetworkServices(config)# capture udp-ldap-1 access-list capture-acl interface NetworkServices buffer 1024 packet-le$
fwcwkwdmzcore1/NetworkServices(config)# capture udp-ldap-2 access-list capture-acl interface TestLDAP buffer 1024 packet-length 86
fwcwkwdmzcore1/NetworkServices(config)#
fwcwkwdmzcore1/NetworkServices(config)# sh capture udp-ldap-1
10 packets captured
1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378
2: 13:31:36.3936081558 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 395
3: 13:31:36.3936081608 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 416
4: 13:31:36.3936081608 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 420
5: 13:31:36.3936081688 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 385
6: 13:31:36.3936081828 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 410
7: 13:31:36.3936082058 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 410
8: 13:31:36.3936082378 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 380
9: 13:31:37.3936082468 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 314
10: 13:31:37.3936082538 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 344
10 packets shown
fwcwkwdmzcore1/NetworkServices(config)#
fwcwkwdmzcore1/NetworkServices(config)# sh capture udp-ldap-2
0 packet captured
0 packet shown
fwcwkwdmzcore1/NetworkServices(config)#
I have already captured the egress interface which tells me the UDP traffic is not passing through the firewall.
I am also pretty certain that the UDP traffic is not hitting the ACL on the ingress interface as there are no hits, either permit or deny, for any UDP traffic.
Is there something else happening between the CAPTURE and the ACL processing that may be dropping the packets?
Here's the complete config attached:
Thanks for helping with this.
Senan
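The diagnostic step in the post above (capture on ingress, capture on egress, see which flows never come out) can be automated. The following is an added example, not code from the thread or from Cisco: it parses the "show capture" frame format shown above and reports ingress flows with no matching egress packet. The sample capture text is constructed from the lines posted above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Matches one frame line of FWSM "show capture" output, e.g.
# "1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378"
CAPTURE_LINE = re.compile(
    r"^\s*(?P<frame>\d+):\s+(?P<ts>\S+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+)\s+P\d+\s+)?"      # 802.1Q tag may be absent
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>[a-z]+)\s+(?P<length>\d+)"
)

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

class Packet(NamedTuple):
    frame: int
    vlan: Optional[int]
    flow: Flow
    length: int

def parse_capture(text: str) -> List[Packet]:
    """Parse frame lines; the 'N packets captured/shown' trailer lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        flow = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        vlan = int(m["vlan"]) if m["vlan"] else None
        packets.append(Packet(int(m["frame"]), vlan, flow, int(m["length"])))
    return packets

def flows_missing_on_egress(ingress_text: str, egress_text: str) -> Dict[Flow, int]:
    """Flows seen on the ingress capture but absent from the egress capture, mapped to
    their ingress packet count. A non-empty result means the drop is inside the firewall
    (ACL, inspection or routing), not on the wire before it."""
    ingress = Counter(p.flow for p in parse_capture(ingress_text))
    egress = {p.flow for p in parse_capture(egress_text)}
    return {flow: n for flow, n in ingress.items() if flow not in egress}

# Constructed sample modelled on the udp-ldap-1 / udp-ldap-2 captures posted above.
INGRESS = """3 packets captured
1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378
2: 13:31:36.3936081558 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 395
3: 13:31:36.3936081608 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 416
3 packets shown"""
EGRESS = "0 packet captured\n0 packet shown"
```

Calling flows_missing_on_egress(INGRESS, EGRESS) returns the single RADIUS accounting flow (udp 10.128.2.226:38229 to 10.128.4.243:1813) with a count of 3, which is the "dropped inside the box" symptom described in the post.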
06-27-2008 12:36 AM
could you explain to me
1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378
so you caught the packet with source ip address 10.128.2.226 in Vlan#817
But should be Vlan#192
!
interface Vlan817
nameif NetworkServices
security-level 20
ip address 10.128.1.81 255.255.255.240
!
!
interface Vlan192
nameif 3GRadioTesting
security-level 100
ip address 192.168.2.252 255.255.255.0
!
06-27-2008 12:44 AM
The source packet 10.128.2.226 comes in from VLAN817 NetworkServices and should be routed out VLAN777 TestLDAP.
VLAN192 is not involved in this flow.
Why do you think it is?
Thanks
Senan
06-27-2008 01:18 AM
oops... sorry...
you are right.
Let me think.