Issue getting out to specific site (troubleshooting included)

rsvensson
Level 1

ISP
 |
 |-------Sniffer
 |
BDR FW
 |
Public Server
 |
CORP FW
 |
Private LAN

Here is my dilemma:

I am trying to access a site beyond my ISP.

What I've done:

Have set policy on "BDR FW" to explicitly allow all connections on any port to specific external site.

Used TCPDUMP on "Public Server" and have seen connection come back

Have seen policy on "BDR FW" matched.

Used TCPDUMP on "Private LAN" machine and saw no replies.

Have seen policy on "BDR FW" matched.

Used TCPDUMP on "Sniffer" (Only sees connections inbound and not outbound??)

Have seen replies to "BDR FW" from external site.

Have seen replies to "Public Server" from external site.

Have NOT seen replies to "Private LAN" machine from external server.

7 Replies

Jon Marshall
Hall of Fame

Are you NATting the private LAN IP addresses before they go out onto the Internet?

Jon

Yes, at the Corp FW.

"Have NOT seen replies to "Private LAN" machine from external server."

You won't see replies to the private LAN machine; you will only see replies to the Corp firewall address that you are using for NATting the source IP addresses.

Are you not seeing any replies to this address? I'm assuming the address you are using on the Corp FW is routable on the Internet.

Jon

Sorry if this is repost, I refreshed a couple of times and did not see it applied.

Yes, I understand. I do apologize for the incorrect wording. And no, I do not see any replies to the Corp FW external interface.

BTW, I called my ISP and they informed me that they can see traffic going to the site but not from the site to the Corp FW.

Furthermore, the ISP said they can see packets from and to the "Public Server", and that they are advertising the route that includes both addresses.

Is it me, or does it seem the specific site is blocking the Corp FW IP?

If the Corp Firewall address that you use to NAT the internal private IP addresses is part of the same subnet as the "Public Server" then it does seem to be a problem with the remote site. This is assuming that your Corp FW has a default route pointing to the BDR FW.

If the Corp FW address that you use to NAT the internal private IP addresses is not out of the same subnet as the "Public Server" then you need to check with ISP that this address is

a) routed back to the BDR FW

b) the BDR FW knows it has to route this address to the Corp FW

Note that I am assuming the "Public Server" has an IP address out of the same subnet as the internal interface of the BDR FW.

The only other thing you can do is to try and set up the sniffer to capture outbound as well as inbound packets.

Jon
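Jon's two points above (replies come back to the Corp FW's NAT address, not to the private LAN address, and the sniffer should capture both directions so you can see where replies stop) can be turned into a small checker. The following is an added example, not code from the thread or from anyone in it: it parses constructed tcpdump-style lines from each capture point on the diagram, applies an assumed Corp FW NAT table to the LAN host's flow so that it is matched by its translated address outside the Corp FW, and reports the outermost capture point that saw the outbound packets but no replies. All addresses are documentation ranges (192.168.10.0/24 for the private LAN, 198.51.100.0/24 for the public subnet shared by the BDR FW, Public Server and Corp FW, 192.0.2.10 for the remote site), and the sniffer is assumed to see both directions.

```python
"""Pair outbound packets with replies per capture point, NAT-aware.

Added example for the thread above; every address, capture line and
the NAT table are constructed, not taken from the original post.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
Flow = namedtuple("Flow", "src sport dst dport")

# Matches the "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" prefix tcpdump prints for TCP.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a Packet for a tcpdump TCP line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


# Assumed Corp FW NAT table: (private ip, port) -> (public ip, port) used on the outside.
NAT_TABLE = {("192.168.10.25", 51234): ("198.51.100.2", 51234)}


def translate(flow, nat_table):
    """Return the flow as it appears on the outside of the Corp FW (Jon's point: replies go there)."""
    key = (flow.src, flow.sport)
    if key in nat_table:
        pub_ip, pub_port = nat_table[key]
        return Flow(pub_ip, pub_port, flow.dst, flow.dport)
    return flow


def classify(packet, flow):
    """'out' for the flow's outbound direction, 'reply' for the return direction, else None."""
    if (packet.src, packet.sport, packet.dst, packet.dport) == flow:
        return "out"
    if (packet.dst, packet.dport, packet.src, packet.sport) == flow:
        return "reply"
    return None


def tally(lines, flow):
    """Count outbound packets and replies belonging to one flow in a set of capture lines."""
    counts = {"out": 0, "reply": 0}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        kind = classify(pkt, flow)
        if kind:
            counts[kind] += 1
    return counts


# Capture points in path order (inside -> outside) and whether each sits inside the Corp FW NAT.
PATH = [("Private LAN host", True), ("Corp FW outside", False),
        ("Public Server", False), ("Sniffer", False)]

# Constructed captures: the LAN host's SYNs are seen (translated) up to the sniffer with no
# SYN-ACK anywhere, while the Public Server's own connection completes its handshake.
CAPTURES = {
    "Private LAN host": [
        "IP 192.168.10.25.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240",
        "IP 192.168.10.25.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240",  # retransmit
    ],
    "Corp FW outside": [
        "IP 198.51.100.2.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240",
        "IP 198.51.100.2.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240",
    ],
    "Public Server": [
        "IP 198.51.100.5.40001 > 192.0.2.10.443: Flags [S], seq 7, win 64240",
        "IP 192.0.2.10.443 > 198.51.100.5.40001: Flags [S.], seq 100, ack 8, win 65535",
        "IP 198.51.100.5.40001 > 192.0.2.10.443: Flags [.], ack 101, win 502",
    ],
    "Sniffer": [
        "IP 198.51.100.2.51234 > 192.0.2.10.443: Flags [S], seq 1, win 64240",
        "IP 198.51.100.5.40001 > 192.0.2.10.443: Flags [S], seq 7, win 64240",
        "IP 192.0.2.10.443 > 198.51.100.5.40001: Flags [S.], seq 100, ack 8, win 65535",
    ],
}

LAN_FLOW = Flow("192.168.10.25", 51234, "192.0.2.10", 443)
SERVER_FLOW = Flow("198.51.100.5", 40001, "192.0.2.10", 443)


def trace_flow(flow, captures, nat_table=NAT_TABLE, path=PATH):
    """Tally the flow at each capture point, using the translated tuple outside the Corp FW."""
    results = {}
    for name, inside in path:
        look_for = flow if inside else translate(flow, nat_table)
        results[name] = tally(captures.get(name, []), look_for)
    return results


def locate_reply_loss(results, path=PATH):
    """Outermost capture point that saw the outbound flow but no reply (None if replies everywhere).

    Replies are already missing at that point, so the investigation moves upstream of it;
    if it is the sniffer, the loss is beyond your edge (ISP or the remote site).
    """
    for name, _ in reversed(path):
        c = results[name]
        if c["out"] > 0 and c["reply"] == 0:
            return name
    return None


if __name__ == "__main__":
    for label, flow in (("LAN host via NAT", LAN_FLOW), ("Public Server", SERVER_FLOW)):
        res = trace_flow(flow, CAPTURES)
        print(label, res, "-> replies missing from:", locate_reply_loss(res))
```

Running it shows the LAN host's flow with outbound packets at every point out to the sniffer and zero replies, so the last place replies are absent is the sniffer itself, which is the same reasoning Richard applies to the ISP's observation later in the thread. Note that `tally(CAPTURES["Sniffer"], LAN_FLOW)` with the untranslated private address finds nothing at all, which is exactly the wording mix-up Jon corrected.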

Ok.

Yes the Corp FW, Public Server, and BDR FW interfaces are all in the same subnet.

My only issue with it being on our side is that the ISP sees us going out but no replies coming back. Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?

As for a) and b), we are able to get to our Corp FW from our home PCs on specified ports, and we are able to browse other internet sites, which means our ISP knows how to get back to us.

Nonetheless, thanks for the ideas and fresh brains on this issue.

Thanks,

Richard

Richard

"Doesn't it seem like it is being dropped prior to the ISP if the ISP does not see a reply coming back?"

Agreed.

Let me know if you get a resolution to this.

Jon
