
Debug Router Traffic

k.moser
Level 1

I am having a problem routing ip traffic with port numbers from one LAN to another.

I have two networks 192.168 and 10.100.  I can successfully connect to devices from the 192 network to the 10 network and from the 10 network to the 192 network.  I am also able to access the internet via a proxy sitting on the 192 network from the 10 network.

My problem is that when I try to connect to an IP using a specific port number (for example FTP), I am unable to connect from the 10 network to an FTP server on the 192 network.  I am also unable to connect from the 10 network to an FTP server on the internet.

To complicate matters, I am unable to determine the route the FTP traffic is taking (from the 10 network).  I have placed Wireshark on the 10 network and the 192 network and see the packets leaving the workstation but not being ACKnowledged.  I also do not see the traffic being received on the 192 network.

I have run several debug commands on the router (for IP packets, access-lists, NAT etc.) but do not see this traffic on the router.  I enabled IP accounting and still do not see the (FTP) traffic.

I included the config for your review.

Can anyone tell me what other commands (debug or other) I can use on the router to 'find' this traffic so I can determine where it is going, so I can resolve the issue?

Thanks,

Kerry

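Added example, not part of the original thread: a set of IOS commands for locating one specific flow (here FTP from 10.100.45.32, the source the poster names later in the thread) on the router, with the caveat that explains why a plain `debug ip packet` often shows nothing. The interface name GigabitEthernet0/1/0 is taken from the config fragment quoted in the replies; ACL number 150 and the `monitor capture` session name CAP are assumptions. Whether the classic `debug ip packet` path or the Embedded Packet Capture path applies depends on the platform and software version, which the thread does not state.

```cisco
! Added example (not the poster's configuration): finding one flow on an IOS router.
! Interface GigabitEthernet0/1/0 is from the thread; ACL 150 and capture name CAP are assumed.
!
! 1. Confirm the router has a route/adjacency for the destination and which
!    interface it would use for this exact source/destination pair.
show ip route 192.168.1.5
show ip cef 192.168.1.5
show ip cef exact-route 10.100.45.32 192.168.1.5
!
! 2. Never run an unfiltered "debug ip packet" on a production router; restrict it
!    to the flow under test (both directions, FTP control port 21).
access-list 150 permit tcp host 10.100.45.32 any eq 21
access-list 150 permit tcp any eq 21 host 10.100.45.32
!
! 3. Caveat: "debug ip packet" only shows process-switched packets. Traffic
!    forwarded in the fast/CEF path never appears, so a flow that is routed (or
!    NATed) perfectly can look invisible. For a short test window, disable the
!    fast path on the ingress interface, then debug against the ACL.
interface GigabitEthernet0/1/0
 no ip route-cache
!
debug ip packet 150 detail
!
! 4. While the test runs, check for a NAT translation and for ACL hits.
show ip nat translations | include 10.100.45.32
show ip access-lists 150
!
! 5. Restore the fast path and stop debugging.
undebug all
interface GigabitEthernet0/1/0
 ip route-cache
!
! Alternative for IOS XE platforms, where data-plane traffic bypasses the
! debug above entirely: Embedded Packet Capture on the ingress interface.
monitor capture CAP interface GigabitEthernet0/1/0 both
monitor capture CAP match ipv4 host 10.100.45.32 any
monitor capture CAP start
! ... reproduce the FTP connection attempt from 10.100.45.32 ...
monitor capture CAP stop
show monitor capture CAP buffer brief
```

If the packet shows up in the capture on the inside interface but no translation ever appears in `show ip nat translations`, the flow is being forwarded without NAT, which points at the NAT ACL rather than at routing or an interface ACL.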
5 Replies

ohassairi
Level 5

In your config you are defining ACL 127 and 128 under g0/1/0, but these ACLs are not defined! Are they missing or what?

interface GigabitEthernet0/1/0
Desc 2nd LAN
ip address 10.100.0.1 255.255.128.0
ip access-group 128 in
ip access-group 127 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip nat inside
negotiation auto

Also, we need to know the exact test you made: source IP? Destination IP? Tool used to make the test (telnet, software, ...)?

As an additional test, and to make sure an ACL wasn't stopping traffic, I created these two ACLs but did not define them.  I did this to pass all traffic.

(creating an ACL that isn't defined will pass ALL traffic).

Also the tests I am using from the 10 network to the 192 network and from the 10 network to the internet are as follows:

1.  FTP - ftpzilla - source ip: 10.100.45.32, dest. ip: 192.168.1.5
    source ip: 10.100.45.32, dest. ip: ftp.windstream.net

2.  iStation test software - source ip: 10.100.45.32, dest. ip / port: app2.istation.com / 12500

Take all IP access-group statements off each interface and try the FTP again. If it still doesn't work, source an FTP from the router interface closest to the FTP server.

telnet x.x.x.x 21 /source-interface interface

James

Removed ACLs from all interfaces, here are the results:

-  FTP From 10 network to 192 network - works

-  FTP from 10 network to ftp site on internet - does not work

- FTP from router (using 10 as source) to ftp site on 192 - does not work

- FTP from router (using 192 as source) to ftp site on 192 - works

- FTP from router (using 10 as source) to ftp site on internet - does not work

- FTP from router (using 192 as source) to ftp site on internet - does not work

Add the 10 network to ACL 10.
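Added example, not the poster's configuration: what "add the 10 network to ACL 10" looks like on the assumption that ACL 10 is the NAT inside source list (the thread shows `ip nat inside` on g0/1/0 but never shows ACL 10 itself). The 192.168.1.0/24 prefix, the outside interface GigabitEthernet0/0/0 and the `x.x.x.x` target are assumptions; the 10.100.0.0/17 wildcard follows from the 255.255.128.0 mask in the quoted interface config.

```cisco
! Added example (assumed NAT layout, not taken from the thread).
!
! --- Before: only the 192 LAN matches the NAT ACL. Packets from 10.100.x.x
! are routed out the outside interface untranslated, so the reply never
! returns; 10 -> 192 still works because that path needs no NAT. ---
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
!
! --- After: include the second LAN. 255.255.128.0 on g0/1/0 is a /17,
! so the wildcard is 0.0.127.255. ---
no access-list 10
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.100.0.0 0.0.127.255
!
! Translations built under the old ACL do not pick up the change; clear them.
clear ip nat translation *
!
! Verify from the router, sourcing from the 10 LAN interface as suggested
! earlier in the thread, then confirm a translation was created.
telnet x.x.x.x 21 /source-interface GigabitEthernet0/1/0
show ip nat translations | include 10.100.
```

The `show ip nat translations` line is the decisive check: a row whose inside local address is in 10.100.0.0/17 means the 10 network is now being translated; no row means the ACL still does not match it.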
