10-06-2008 08:59 AM - edited 03-06-2019 01:47 AM
ISP
|
-------Sniffer
|
BDR FW
|
Public Server
|
CORP FW
|
Private LAN
Here is my dilemma:
I am trying to access a site beyond my ISP.
What I've done:
Have set policy on "BDR FW" to explicitly allow all connections on any port to specific external site.
Used TCPDUMP on "Public Server" and have seen connection come back
Have seen policy on "BDR FW" matched.
Used TCPDUMP on "Private LAN" machine and saw no replies.
Have seen policy on "BDR FW" matched.
Used TCPDUMP on "Sniffer" (Only sees connections inbound and not outbound??)
Have seen replies to "BDR FW" from external site.
Have seen replies to "Public Server" from external site.
Have NOT seen replies to "Private LAN" machine from external server.
10-06-2008 09:08 AM
Are you Natting the private LAN IP addresses before they go out onto the Internet ?
Jon
10-06-2008 09:34 AM
Yes, at the Corp FW.
10-06-2008 09:40 AM
"Have NOT seen replies to "Private LAN" machine from external server."
You won't see replies to the private LAN machine you will only see replies to the Corp firewall address that you are using for Natting the source IP addresses.
Are you not seeing any replies to this address? I'm assuming the address you are using on the Corp FW is routable on the Internet.
Jon
10-06-2008 12:06 PM
Sorry if this is a repost, I refreshed a couple of times and did not see it applied.
Yes, I understand. I do apologize for the incorrect wording. And no, I do not see any replies to the Corp FW external interface.
BTW, I called my ISP and they informed me that they can see traffic going to the site but not from the site to the Corp FW.
Furthermore, the ISP said they can see packets from and to the "Public Server", and that they are advertising the route that includes both addresses.
Is it me, or does it seem the specific site is blocking the Corp FW IP?
10-06-2008 12:16 PM
If the Corp Firewall address that you use to NAT the internal private IP addresses is part of the same subnet as the "Public Server" then it does seem to be a problem with the remote site. This is assuming that your Corp FW has a default route pointing to the BDR FW.
If the Corp FW address that you use to NAT the internal private IP addresses is not out of the same subnet as the "Public Server" then you need to check with ISP that this address is
a) routed back to the BDR FW
b) the BDR FW knows it has to route this address to the Corp FW
Note that I am assuming the "Public Server" has an IP address out of the same subnet as the internal interface of the BDR FW.
The only other thing you can do is to try and setup the sniffer to capture outbound as well as inbound packets.
Jon
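As an added example (not from the thread or from either poster), a small Python check that automates the comparison Jon describes: given numeric tcpdump output from the sniffer, it lists the outbound SYNs from a chosen local address (the Public Server or the Corp FW NAT address) that never received a SYN-ACK. The addresses and capture lines are constructed, and the regex assumes tcpdump's default `-n` one-line TCP format.

```python
import re
from typing import Dict, List, Optional, Tuple

# First line tcpdump prints per TCP packet with -n; format is an assumption.
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

Flow = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)


def parse_packet(line: str) -> Optional[Tuple[str, int, str, int, str]]:
    """Extract addresses, ports and TCP flags from one tcpdump line."""
    m = PKT_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def unanswered_syns(lines: List[str], local_ip: str) -> List[Flow]:
    """Flows from local_ip whose SYN was never answered by a SYN-ACK ('S.').

    Retransmitted SYNs collapse onto the same flow, so a silent remote
    shows up once rather than once per retry."""
    seen: Dict[Flow, bool] = {}
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if src == local_ip and flags == "S":
            seen.setdefault((src, sport, dst, dport), False)
        elif dst == local_ip and flags == "S." and (dst, dport, src, sport) in seen:
            seen[(dst, dport, src, sport)] = True
    return [flow for flow, answered in seen.items() if not answered]


# Constructed capture (documentation addresses, not real ones): 203.0.113.10 stands
# in for the Public Server, 203.0.113.20 for the Corp FW NAT address, and
# 198.51.100.5 for the remote site that answers one address but not the other.
SAMPLE_CAPTURE = [
    "08:59:01.000001 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0",
    "08:59:01.000200 IP 198.51.100.5.80 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "08:59:02.000001 IP 203.0.113.20.40002 > 198.51.100.5.80: Flags [S], seq 3, win 64240, length 0",
    "08:59:05.000001 IP 203.0.113.20.40002 > 198.51.100.5.80: Flags [S], seq 3, win 64240, length 0",
    "08:59:06.000001 IP 203.0.113.20.40003 > 198.51.100.9.443: Flags [S], seq 4, win 64240, length 0",
    "08:59:06.000300 IP 198.51.100.9.443 > 203.0.113.20.40003: Flags [S.], seq 5, ack 5, win 65535, length 0",
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20"):
        print(ip, "unanswered SYNs:", unanswered_syns(SAMPLE_CAPTURE, ip))
```

Running the same check on captures taken at the Public Server and at the Corp FW external interface shows at which hop the replies to the NAT address stop appearing.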
10-06-2008 12:31 PM
Ok.
Yes the Corp FW, Public Server, and BDR FW interfaces are all in the same subnet.
My only issue with it being on our side, is that the ISP sees us going out but no replies coming back. Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?
As for a) and b), we are able to get to our Corp FW from our home PCs on specified ports, and we are able to browse other internet sites, which means our ISP knows how to get back to us.
Nonetheless, thanks for the ideas and fresh brains on this issue.
Thanks,
Richard
10-06-2008 12:36 PM
Richard
"Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?"
Agreed.
Let me know if you get a resolution to this.
Jon