Issue getting out to specific site (troubleshooting included)

Unanswered Question
Oct 6th, 2008

ISP
 |
 |-------Sniffer
 |
BDR FW
 |
Public Server
 |
CORP FW
 |
Private LAN



Here is my dilemma:


I am trying to access a site beyond my ISP.


What I've done:

Have set policy on "BDR FW" to explicitly allow all connections on any port to specific external site.


Used TCPDUMP on "Public Server" and have seen connection come back

Have seen policy on "BDR FW" matched.


Used TCPDUMP on "Private LAN" machine and saw no replies.

Have seen policy on "BDR FW" matched.


Used TCPDUMP on "Sniffer" (Only sees connections inbound and not outbound??)

Have seen replies to "BDR FW" from external site.

Have seen replies to "Public Server" from external site.

Have NOT seen replies to "Private LAN" machine from external server.


Jon Marshall Mon, 10/06/2008 - 09:08

Are you NATting the private LAN IP addresses before they go out onto the Internet?


Jon

Jon Marshall Mon, 10/06/2008 - 09:40

"Have NOT seen replies to "Private LAN" machine from external server."


You won't see replies to the private LAN machine; you will only see replies to the Corp firewall address that you are using for NATting the source IP addresses.


Are you not seeing any replies to this address? I'm assuming the address you are using on the Corp FW is routable on the Internet.


Jon

rsvensson Mon, 10/06/2008 - 12:06

Sorry if this is a repost; I refreshed a couple of times and did not see it applied.


Yes, I understand. I do apologize for the incorrect wording. And no, I do not see any replies to the Corp FW external interface.


BTW, I called my ISP and they informed me that they can see traffic going to the site but not from the site to the Corp FW.


Furthermore, the ISP said they can see packets from and to the "Public Server", and that they are advertising the route that includes both addresses.


Is it me, or does it seem the specific site is blocking the Corp FW IP?

Jon Marshall Mon, 10/06/2008 - 12:16

If the Corp Firewall address that you use to NAT the internal private IP addresses is part of the same subnet as the "Public Server" then it does seem to be a problem with the remote site. This is assuming that your Corp FW has a default route pointing to the BDR FW.


If the Corp FW address that you use to NAT the internal private IP addresses is not out of the same subnet as the "Public Server" then you need to check with ISP that this address is


a) routed back to the BDR FW

b) the BDR FW knows it has to route this address to the Corp FW


Note that I am assuming the "Public Server" has an IP address out of the same subnet as the internal interface of the BDR FW.


The only other thing you can do is to try and set up the sniffer to capture outbound as well as inbound packets.


Jon
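The checks Jon lists here, together with his earlier point that replies are only ever addressed to the NAT address and never to the private host, can be turned into a small correlation script: parse tcpdump-style lines captured at each vantage point in the poster's diagram, test for the outbound SYN and the returning SYN-ACK at each point, and report where the reply first goes missing. This is an added example and not code from the thread; every address, port and capture line in it is a constructed placeholder, and the vantage-point names are assumptions mapped onto the diagram above.

```python
"""Added example (not from the thread): locate where the return half of a
NATted connection disappears by correlating tcpdump-style captures taken at
several points on the path.  All addresses and capture lines are constructed
placeholders, not the poster's real data."""
import re
from dataclasses import dataclass

# Constructed topology values (assumptions, not from the thread)
PRIVATE_HOST = "10.0.0.25"       # hypothetical Private LAN machine
CORP_FW_NAT = "203.0.113.10"     # hypothetical Corp FW outside address used for PAT
PUBLIC_SERVER = "203.0.113.20"   # hypothetical Public Server on the BDR FW inside subnet
REMOTE_SITE = "198.51.100.80"    # hypothetical external site
REMOTE_PORT = 443

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text):
    """Parse tcpdump text output into Packet records (non-matching lines skipped)."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def check_vantage(pkts, client_ip, site, port):
    """Return (saw_outbound_syn, saw_return_synack) for one client address.

    Inside the NAT boundary the client is the private address; outside it is the
    NAT address.  A capture on the private LAN therefore never contains replies
    addressed to the NAT address, which is the point Jon makes in the thread."""
    out = any(p.src == client_ip and p.dst == site and p.dport == port and p.flags == "S"
              for p in pkts)
    back = any(p.src == site and p.sport == port and p.dst == client_ip and p.flags == "S."
               for p in pkts)
    return out, back


def locate_break(vantages):
    """vantages: list of (name, client address as seen there, packets), ordered
    from inside the network to outside.  Returns a one-line verdict."""
    results = [(name, *check_vantage(pkts, ip, REMOTE_SITE, REMOTE_PORT))
               for name, ip, pkts in vantages]
    outer_name, outer_out, outer_back = results[-1]
    if not outer_out:
        return f"no outbound packets at {outer_name}: traffic is blocked before leaving"
    if not outer_back:
        return f"outbound seen at {outer_name} but no reply: drop is upstream of {outer_name}"
    # A reply exists at the outermost point; walk inward to where it vanishes.
    for (inner, _, inner_back), (outer, _, _) in zip(reversed(results[:-1]), reversed(results[1:])):
        if not inner_back:
            return f"reply seen at {outer} but not at {inner}: drop is between {outer} and {inner}"
    return "reply visible at every vantage point: path is working"


# Constructed capture excerpts (placeholders).  The Private LAN host retries its
# SYN; on the public segment and at the sniffer the Public Server's own
# connection gets a SYN-ACK while the NATted one never does.
PRIVATE_LAN_CAP = """
12:05:01.000001 IP 10.0.0.25.51000 > 198.51.100.80.443: Flags [S], seq 1, win 65535, length 0
12:05:04.000001 IP 10.0.0.25.51000 > 198.51.100.80.443: Flags [S], seq 1, win 65535, length 0
"""
PUBLIC_SEG_CAP = """
12:05:01.000500 IP 203.0.113.10.1024 > 198.51.100.80.443: Flags [S], seq 1, win 65535, length 0
12:05:01.000600 IP 203.0.113.20.51001 > 198.51.100.80.443: Flags [S], seq 7, win 65535, length 0
12:05:01.040000 IP 198.51.100.80.443 > 203.0.113.20.51001: Flags [S.], seq 9, ack 8, win 29200, length 0
"""
SNIFFER_CAP = PUBLIC_SEG_CAP  # constructed: the sniffer saw the same packets


def thread_scenario():
    """The situation described in the thread, inside -> outside."""
    return [
        ("Private LAN", PRIVATE_HOST, parse_capture(PRIVATE_LAN_CAP)),
        ("Public Server segment", CORP_FW_NAT, parse_capture(PUBLIC_SEG_CAP)),
        ("Sniffer", CORP_FW_NAT, parse_capture(SNIFFER_CAP)),
    ]


if __name__ == "__main__":
    for name, ip, pkts in thread_scenario():
        print(name, check_vantage(pkts, ip, REMOTE_SITE, REMOTE_PORT))
    print("Public Server itself:",
          check_vantage(parse_capture(SNIFFER_CAP), PUBLIC_SERVER, REMOTE_SITE, REMOTE_PORT))
    print(locate_break(thread_scenario()))
```

The key design choice is that each vantage point is checked against the client address that is valid at that point (the private address inside the Corp FW, the NAT address outside it); checking the private address at the sniffer would always report "no reply" and mislead, which is exactly the wording confusion in the thread. With the constructed data the verdict is that the outbound SYN reaches the sniffer but no reply does, placing the drop upstream, while the Public Server's own connection on the same segment is answered.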

rsvensson Mon, 10/06/2008 - 12:31

Ok.


Yes the Corp FW, Public Server, and BDR FW interfaces are all in the same subnet.


My only issue with it being on our side, is that the ISP sees us going out but no replies coming back. Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?


As for a) and b), we are able to get to our Corp FW from our home PCs on specified ports, and we are able to browse other internet sites, which means our ISP knows how to get back to us.


Nonetheless, thanks for the ideas and fresh brains on this issue.


Thanks,

Richard

Jon Marshall Mon, 10/06/2008 - 12:36

Richard


"Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?"


Agreed.


Let me know if you get a resolution to this.


Jon
