Capture on firewall

Unanswered Question
Nov 11th, 2009

A problem wherein an HTTPS website hosted inside one of the DMZ segments is not working from the web.

I did some captures but they don't get me anywhere.

Internet--Router--Level1Firewall--Level2Firewall(module on 6509)--Router(leaseline link)--Router(LL link)--Core Switch--Firewall3

The server is on the DMZ leg of Firewall3. Rules are in place to ensure traffic is allowed on the Level 1/Level 2 firewalls and Firewall 3.

NAT is being used on the Level 1 firewall. I can see the traffic request on the Level 2 firewall towards the server, but none on Firewall 3. Ping connectivity from the Level 1 firewall to this server and back is good.

NAT bypass rules and a static translation have been put on Firewall 3.

Requests get into Firewall 3 through an interface called "local" and should then go to the DMZ zone to fetch the page.

I tried getting a capture on the level 3 firewall by placing an ACL on the local interface as well as the DMZ interface. I can see the request towards the server, but only with SYN set.

Nothing else is seen on Firewall 3 or on the Level 2 firewall. Which interface should the capture be applied on, and how, for best results?

Please suggest.

Thank You!

francisco_1 Wed, 11/11/2009 - 06:29

It is easier to troubleshoot if you have something to sniff each layer between your firewalls and switches to look at the traffic flow. The flow you are looking at is at the firewall level!

What firewalls are you using at each level?

suthomas1 Wed, 11/11/2009 - 06:54

Level 1 is a non-Cisco make; level 2 and firewall 3 are FWSM and ASA respectively.

I can't use a sniffer on this setup for security reasons.

francisco_1 Wed, 11/11/2009 - 08:05

If you have a proper diagram with layer 1 and 2 information, including configs for each firewall, that would help to troubleshoot...

suthomas1 Thu, 11/12/2009 - 05:06

Thank you for the response. The diagram is the attached topology. The server is on Site B and access will always use Site A as transit.

Following are the highlights of each component:

Firewall 1:

NAT is done here for the server IP.

The source is source-NATted to the firewall's local IP, so that requests reaching further inside the network are seen as the local IP of the firewall. (This is to overcome any issues, as Site B also has its own internet link, which is not to be used for this purpose.)

All rules are correspondingly set.

Level 2 Firewall:

Rules to allow the access.

Firewall 3:

The server is connected on the DMZ area of this firewall via a layer 2 switch.

Rules are in place to permit the request to the server on its "Input" interface connected to the 6500 switch (coming from Site A).

No connections are seen in the Firewall 3 logs when any attempt is made to connect to the server; only the capture shows a SYN towards the server on the "Input" interface.

Connections leaving the Level 2 firewall can be seen for the request to the server on both the ingress and egress interfaces, and the capture output shows SYN flags set on Firewall 2 for the request to the server.

Please suggest, and let me know if the information is unclear.

Thank You.

khaderbasha Thu, 11/12/2009 - 08:21

I would check if LL Router 2 is sending traffic towards Firewall 3: create a temporary access-list and log it if it is hit.

I assume your 6500 switch at Site B is an L2 switch.

suthomas1 Thu, 11/12/2009 - 09:01

The Site B 6500 is acting in L3 mode.

I can ping across from LL Router 2 to the destination.

Apologies, I left this out of the diagram. Site B has its own internet link, which is not to be used. There are nat0 rules to prevent some local subnets from going out of it, and I did add my subnets in question to test, but it still doesn't work.

Another thing I found is on Firewall 3:

"Denied ICMP type=0, from laddr Test_Server on interface DMZ to 10.59.59.102: no matching session"

This was when I tried to ping the server from the layer 3 switch at Site B. 10.59.59.102 is the IP of the interface on the layer 3 switch connected to the inside of Firewall 3.

Please suggest

Thank You.
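The "Denied ICMP type=0 ... no matching session" line above is what an ASA logs when an ICMP packet arrives that it cannot tie to a tracked session. Type 0 is an echo-reply, so here the server's reply to the ping entered on the DMZ interface and the firewall had nothing to match it against: without ICMP inspection the ASA does not create a session for the outbound echo, so the reply must be permitted by the access-list on the interface it arrives on or it is dropped. The following Python is an added illustration, not code from the thread or from Cisco: it parses that message format into fields, counts denials per interface and ICMP type, and models the reply-matching logic with and without a session table. The log lines, the `Test_Server` object name and the ICMP identifier value are constructed for the example.

```python
import re

# Constructed sample syslog lines, modelled on the message quoted in the thread.
# "Test_Server" is the poster's name for the server object; 10.59.59.102 is the
# inside-facing L3 switch address from the thread. The second and third lines
# are constructed for contrast (an echo-request denial and a non-ICMP message).
SAMPLE_LOGS = [
    "Denied ICMP type=0, from laddr Test_Server on interface DMZ "
    "to 10.59.59.102: no matching session",
    "Denied ICMP type=8, from laddr 10.59.59.102 on interface inside "
    "to Test_Server: no matching session",
    "Built outbound TCP connection 12345 for local:10.59.59.102/44321 (...)",
]

ICMP_DENY_RE = re.compile(
    r"Denied ICMP type=(?P<icmp_type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): (?P<reason>.+)$"
)

ICMP_TYPE_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_icmp_denial(line):
    """Return the fields of an ASA 'Denied ICMP ...' line, or None for any other line."""
    m = ICMP_DENY_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["icmp_type"] = int(fields["icmp_type"])
    fields["type_name"] = ICMP_TYPE_NAMES.get(fields["icmp_type"], "other")
    return fields


def summarize_denials(lines):
    """Count ICMP denials per (interface, ICMP type name) to spot where replies die."""
    counts = {}
    for line in lines:
        d = parse_icmp_denial(line)
        if d is None:
            continue
        key = (d["iface"], d["type_name"])
        counts[key] = counts.get(key, 0) + 1
    return counts


class IcmpSessionTable:
    """Toy model of how the firewall decides whether an echo-reply is allowed back.

    With ICMP inspection enabled, the outbound echo creates a session keyed on
    (src, dst, icmp id) and the mirrored echo-reply consumes it.  With inspection
    disabled no session is ever created, so the reply is only accepted if the
    access-list on the arriving interface permits it; otherwise it is dropped
    with "no matching session".
    """

    def __init__(self, inspect_icmp):
        self.inspect_icmp = inspect_icmp
        self.sessions = set()

    def outbound_echo(self, src, dst, icmp_id):
        if self.inspect_icmp:
            self.sessions.add((src, dst, icmp_id))

    def check_reply(self, src, dst, icmp_id, acl_permits_reply=False):
        """Classify an echo-reply sent from src back to dst."""
        key = (dst, src, icmp_id)  # the reply is the mirror image of the echo
        if key in self.sessions:
            self.sessions.discard(key)
            return "permitted: matched session"
        if acl_permits_reply:
            return "permitted: interface access-list"
        return "denied: no matching session"


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_icmp_denial(line))
    print(summarize_denials(SAMPLE_LOGS))
    table = IcmpSessionTable(inspect_icmp=False)
    table.outbound_echo("10.59.59.102", "Test_Server", icmp_id=7)
    print(table.check_reply("Test_Server", "10.59.59.102", icmp_id=7))
```

Run against a syslog export, `summarize_denials` shows on which interface and for which ICMP type the firewall is discarding packets, which separates "the request never arrived" from "the reply was dropped on the way back"; the two are easy to confuse when only a SYN is visible in a capture.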

suthomas1 Thu, 11/12/2009 - 21:58

Thanks all for the intent to help out. This was resolved, but it appeared quite strange.

I added the source subnet onto Firewall 3 within an existing object group.

But before this, I had used a specific single-line rule for the purpose.

I am perplexed as to whether object-group rules take priority over more specific rules.

The specific rule should be used as long as there is no rule above or below which is much more precise.

Any thoughts.
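On an ASA (and on the FWSM) an access-list is walked from the top and the first entry that matches wins; there is no longest-match or most-specific-rule preference, and an object-group is expanded in place at the position of the entry that references it. That is why adding a source to a group referenced near the top of the list can take effect while a single specific line placed lower down never gets a hit. The following Python is an added illustration of that first-match evaluation, not the poster's configuration and not Cisco code: the object group, the server address (from TEST-NET-1) and the source address are constructed, and the three-line ACL is built so that a broad deny sits between the group-based permit and the specific line.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example values, not the thread's real addresses.
OBJECT_GROUPS = {
    "SITE_A_SOURCES": ["10.10.0.0/16"],   # the "existing object group"
}
SERVER = "192.0.2.10"                     # constructed web server address
NEW_SOURCE = "10.20.5.5"                  # constructed: the source that was not working


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: str                     # "any", a CIDR / host IP, or "object-group NAME"
    dst: str
    dport: Optional[int] = None  # None means any destination port


def expand(ref, groups):
    """Turn an ACE address reference into the list of networks it covers."""
    if ref == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if ref.startswith("object-group "):
        return [ipaddress.ip_network(n, strict=False) for n in groups[ref.split()[1]]]
    return [ipaddress.ip_network(ref, strict=False)]


def evaluate(acl, groups, proto, src_ip, dst_ip, dport):
    """Walk the ACL top-down and return (action, line_number) of the first match.

    Falling off the end returns ("deny", None): the implicit deny that closes
    every ASA access-list.  Only position matters, never specificity.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line_no, ace in enumerate(acl, start=1):
        if ace.proto not in ("ip", proto):
            continue
        if not any(src in net for net in expand(ace.src, groups)):
            continue
        if not any(dst in net for net in expand(ace.dst, groups)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line_no
    return "deny", None


# Constructed ACL: group-based permit, a broad deny, then the "specific single
# line" that one might expect to win on precision.
ACL = [
    Ace("permit", "tcp", "object-group SITE_A_SOURCES", SERVER, 443),
    Ace("deny",   "ip",  "10.0.0.0/8", SERVER),
    Ace("permit", "tcp", NEW_SOURCE, SERVER, 443),
]


def before_change():
    """Specific line exists but sits below the deny: it is never reached."""
    return evaluate(ACL, OBJECT_GROUPS, "tcp", NEW_SOURCE, SERVER, 443)


def after_adding_to_group():
    """Same ACL, but the source has been added to the object group used on line 1."""
    groups = {"SITE_A_SOURCES": OBJECT_GROUPS["SITE_A_SOURCES"] + [NEW_SOURCE + "/32"]}
    return evaluate(ACL, groups, "tcp", NEW_SOURCE, SERVER, 443)


def after_moving_specific_line_up():
    """The other fix: keep the group untouched and move the specific line above the deny."""
    reordered = [ACL[2], ACL[0], ACL[1]]
    return evaluate(reordered, OBJECT_GROUPS, "tcp", NEW_SOURCE, SERVER, 443)


if __name__ == "__main__":
    print("original order      :", before_change())
    print("added to group      :", after_adding_to_group())
    print("specific line first :", after_moving_specific_line_up())
```

On a real ASA, `show access-list` prints the group-expanded entries with per-line hit counts, which is the quickest way to confirm which line a flow is actually matching before assuming a rule is being ignored.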
