Debug Router Traffic

Unanswered Question
Dec 21st, 2009

I am having a problem routing ip traffic with port numbers from one LAN to another.

I have two networks 192.168 and 10.100.  I can successfully connect to devices from the 192 network to the 10 network and from the 10 network to the 192 network.  I am also able to access the internet via a proxy sitting on the 192 network from the 10 network.

My problem is that when I try to connect to an IP using a specific port number (for example FTP).  I am unable to connect from the 10 network to an FTP server on the 192 network.  I am also unable to connect from the 10 network to an FTP server on the internet.

To complicate matters I am unable to determine the route the FTP traffic is going (from the 1 network).  I have placed Wireshark on the 10 network and the 192 network and see the packets leaving the workstation but not being ACKnowledged.  I also do not see the traffic being received on the 192 network.

I have run several debug commands on the router (for IP packets, access-lists, NAT etc) but do not see this traffic on the router.  I enabled IP accounting and still do not see the (FTP) traffic.

I included the config for your review.

Can anyone tell me what other commands (debug or other) I can use on the router to 'find' this traffic so I can determine where it is going so I can resolve the issue?

Thanks,

Kerry

ohassairi Mon, 12/21/2009 - 21:37

In your config you are defining ACL 127 and 128 under g0/1/0 but these ACLs are not defined! Are they missing or what?

interface GigabitEthernet0/1/0
Desc 2nd LAN
ip address 10.100.0.1 255.255.128.0
ip access-group 128 in
ip access-group 127 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip nat inside
negotiation auto

Also, we need to know the exact test you made: source IP? destination IP? tool used to make the test (telnet, software, ...)?
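The check raised in the reply above (an `ip access-group` that names an ACL with no definition anywhere in the config) can be automated. This is an added example, not part of the original thread; `undefined_acl_refs` is a hypothetical helper, and `SAMPLE_CONFIG` is constructed, reusing the interface stanza quoted in the thread plus a made-up second interface and `access-list` line.

```python
import re

# Constructed sample: the Gi0/1/0 lines come from the thread, the rest is made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet0/1/0
 ip address 10.100.0.1 255.255.128.0
 ip access-group 128 in
 ip access-group 127 out
 ip nat inside
!
access-list 101 permit ip any any
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
# \s* so that configs pasted without indentation (as in the thread) still match
GROUP_RE = re.compile(r"^\s*ip access-group\s+(\S+)\s+(in|out)\b")
NUMBERED_RE = re.compile(r"^access-list\s+(\d+)\s")
NAMED_RE = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")


def undefined_acl_refs(config):
    """Return (interface, acl, direction) for every access-group whose ACL
    has no numbered or named definition anywhere in the config text."""
    defined, refs, iface = set(), [], None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := GROUP_RE.match(line):
            refs.append((iface, m.group(1), m.group(2)))
        elif m := (NUMBERED_RE.match(line) or NAMED_RE.match(line)):
            defined.add(m.group(1))
            iface = None  # a definition line ends any interface stanza
        elif line.strip() == "!":
            iface = None
    # Definitions may follow the interfaces, so filter only after the full pass.
    return [r for r in refs if r[1] not in defined]


if __name__ == "__main__":
    for iface, acl, direction in undefined_acl_refs(SAMPLE_CONFIG):
        print(f"{iface}: access-group {acl} {direction} has no ACL definition")
```

Only `ip access-group` references are checked; ACLs used by NAT, route-maps or `access-class` are outside what this example covers.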

k.moser Wed, 12/23/2009 - 04:57

As an additional test and to make sure an ACL wasn't stopping traffic I created these two ACLs but did not define them.  I did this to pass all traffic.

(creating an ACL that isn't defined will pass ALL traffic).

Also the tests I am using from the 10 network to the 192 network and from the 10 network to the internet are as follows:

1.  FTP - ftpzilla - source ip:  10.100.45.32 dest. ip:  192.168.1.5

                          source ip:  10.100.45.32 dest. ip:   ftp.windstream.net

2.  iStation test software - source ip 10.100.45.32 dest. ip / port:  app2.istation.com / 12500

pompeychimes Wed, 12/23/2009 - 07:57

Take all IP access-group statements off each interface and try the FTP again. If it still doesn't work, source an FTP from the router interface closest to the FTP server.

telnet x.x.x.x 21 /source-interface interface

James

k.moser Tue, 01/05/2010 - 07:44

Removed ACLs from all interfaces, here are the results:

-  FTP From 10 network to 192 network - works

-  FTP from 10 network to ftp site on internet - does not work

- FTP from router (using 10 as source) to ftp site on 192 - does not work

- FTP from router (using 192 as source) to ftp site on 192 - works

- FTP from router (using 10 as source) to ftp site on internet - does not work

- FTP from router (using 192 as source) to ftp site on internet - does not work
