cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
692
Views
0
Helpful
8
Replies

FWSM 3.1(5) UDP Problem

3ssheedy
Level 1
Level 1

Hi

I am trying to get RADIUS traffic thru and FWSM.

Inbound:

interface Vlan817

nameif NetworkServices

security-level 20

ip address 10.128.1.81 255.255.255.240

Outbound:

interface Vlan777

nameif TestLDAP

security-level 100

ip address 10.128.1.129 255.255.255.252

I have a very basic config on this firewall and a "permit udp any any" plus a "permit ip any any" in the ACL.

TCP conversations come through no problem. e.g. I can TELNET from SRC to DST. However I cant seem to get the UDP traffic thur.

I have configured a CAPTURE and can see the radius traffic hitting the interface.

127: 17:00:14.3775773538 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 344

128: 17:00:14.3775773698 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 379

129: 17:00:15.3775774088 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 413

130: 17:00:15.3775774088 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 417

However, I get no hits on the ACL. PERMITs or DENYs.

Its as if the UDP traffic is getting dropped before being processed thru the ACL.

Any ideas?

Thanks

Senan

8 Replies 8

a.alekseev
Level 7
Level 7

have you an acl "permit ip any any" applied to the inside interface?

No

I just have an ACl applied on the outside interface:

interface Vlan817

nameif NetworkServices

security-level 20

ip address 10.128.1.81 255.255.255.240

Thats where the UDP traffic ones from.

I have no relevant ACL on the inside interface. Just ACE entries for other traffic.

interface Vlan777

nameif TestLDAP

security-level 100

ip address 10.128.1.129 255.255.255.252

Thanks

Senan

Correction

I have a permit ip any any at the end of the inside interface ACL. These interfaces are still in test...

Is this the problem???

Thanks

Senan

Could you show the config.

On FWSM traffic from high security level to low security level is DENYED.

That is the diffrence between FWSM and ASA

so you must have

access-list INSIDE_IN permit ip any any

access-group INSIDE_IN in int inside

Yes

I was aware of this. I have permit ip any any on both ingress and egress interfaces as these interfaces are still under test.

Heres some captures on the ingress interface:

fwcwkwdmzcore1/NetworkServices(config)# access-list capture-acl extended permit ip 10.128.2.224 255.255.255.224 10.128.4.240 255.2$

fwcwkwdmzcore1/NetworkServices(config)# access-list capture-acl extended permit ip 10.128.4.240 255.255.255.240 10.128.2.224 255.2$

fwcwkwdmzcore1/NetworkServices(config)# Access Rules Download Complete: Memory Utilization: 1%

fwcwkwdmzcore1/NetworkServices(config)# capture udp-ldap-1 access-list capture-acl interface NetworkServices buffer 1024 packet-le$

fwcwkwdmzcore1/NetworkServices(config)# capture udp-ldap-2 access-list capture-acl interface TestLDAP buffer 1024 packet-length 86

fwcwkwdmzcore1/NetworkServices(config)#

fwcwkwdmzcore1/NetworkServices(config)# sh capture udp-ldap-1

10 packets captured

1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378

2: 13:31:36.3936081558 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 395

3: 13:31:36.3936081608 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 416

4: 13:31:36.3936081608 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 420

5: 13:31:36.3936081688 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 385

6: 13:31:36.3936081828 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 410

7: 13:31:36.3936082058 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 410

8: 13:31:36.3936082378 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 380

9: 13:31:37.3936082468 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 314

10: 13:31:37.3936082538 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 344

10 packets shown

fwcwkwdmzcore1/NetworkServices(config)#

fwcwkwdmzcore1/NetworkServices(config)# sh capture udp-ldap-2

0 packet captured

0 packet shown

fwcwkwdmzcore1/NetworkServices(config)#

I have already captured the egress interface which tells me the UDP traffic is not passing through the firewall.

I am also pretty certain that the UDP traffic is not hitting the ACL on the ingress interface as there are not hits, either permit or deny for any UDP traffic.

Is there something else happening between the CAPTURE and the ACL processing that may be dropping the packets?

Heres the complete config attached:

Thanks for helping with this.

Senan

could you explain to me

1: 13:31:35.3936081228 802.1Q vlan#817 P0 10.128.2.226.38229 > 10.128.4.243.1813: udp 378

so you caught the packet with souce ip address 10.128.2.226 in Vlan#817

But should be Vlan#192

!

interface Vlan817

nameif NetworkServices

security-level 20

ip address 10.128.1.81 255.255.255.240

!

!

interface Vlan192

nameif 3GRadioTesting

security-level 100

ip address 192.168.2.252 255.255.255.0

!

The source packet 10.128.2.226 comes in from VLAN817 NetworkServices and should be routed out VLAN777 TestLDAP.

VLAN192 is not involved in this flow.

Why do you think it is?

Thanks

Senan

oops... sorry...

you a right.

Let me to think.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: