
View Traffic

r-livermore
Level 1

Cisco 2620

LAN <-> ASA <-> 2620 <-> Internet

All internal clients are able to connect to the Internet (including icmp) but one. From the failed client I tried pinging to an outside source; the ASA shows traffic leaving the network but the ping fails. So, I ran a traceroute from the client and the route dies at the external interface of the 2620. The 2620 is basically wide open. Any ideas on why or how I can view traffic from the client when it touches the 2620?

Thanks!

13 Replies

silrodri05
Level 1

Rob,

One easy way to see this traffic is using ip account on the 2620; you can apply ip account on the inside interface of the 2620 and see the traffic flow. To apply "ip account":

1 - conf t

2 - int f0/0 (ex.)

3 - ip accounting output-packets

4 - end

To see the traffic, use "sh ip account". You can use other ways to see this traffic, like debugs, SPAN and so on.

Best Regards,

Rodrigo

Rodrigo,

Thanks for the tip. I'll give it a whirl.

Jon Marshall
Hall of Fame

Rob

Could you send the routing tables of the 2620 and the ASA and the source IP address of the client that is failing.

Jon

***** 2620 *****

Gateway of last resort is 64.1.3.121 to network 0.0.0.0

64.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

C 64.1.16.64/27 is directly connected, Ethernet0/0

C 64.1.3.120/30 is directly connected, Serial0/0

S 64.1.16.0/24 [1/0] via 192.168.1.1

C 192.168.1.0/24 is directly connected, Ethernet0/0

S* 0.0.0.0/0 [1/0] via 64.1.3.121

***** ASA *****

S 0.0.0.0 0.0.0.0 [1/0] via 64.1.16.65, outside

C 64.1.16.64 255.255.255.224 is directly connected, outside

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 172.16.1.0 255.255.255.0 is directly connected, dmz

C 192.168.1.0 255.255.255.0 is directly connected, inside

C 192.168.11.0 255.255.255.0 is directly connected, mitel

C 192.168.12.0 255.255.255.0 is directly connected, inter-tel

C 192.168.13.0 255.255.255.0 is directly connected, toshiba

C 192.168.14.0 255.255.255.0 is directly connected, shoretel

***** Client *****

192.168.1.19/24

Gateway 192.168.1.0

Rob,

The client gateway is wrong. 192.168.1.0 is the network address of net 192.168.1.0/24; fix this address and try again.

Best Regards.

Ooops, typo, shoulda been 192.168.1.1.

Rob

I'm a little confused.

Your ASA device shows the 192.168.1.x network being on the inside interface.

Your 2620 is saying that the 192.168.1.x network is directly connected on ethernet0.

Might be just having a bad moment but could you explain as your diagram in your original post seems to suggest this is not possible.

Are the other clients that work also out of the 192.168.1.x network?

Jon

Jon,

Maybe this will help clarify? "ip route" - which was asked for in an earlier post - does not clearly display the interface configuration.

Yes the clients that work reside in the same subnet - 192.168.1.0/24.

2620

e0 64.1.16.65 - outside

s0 64.1.3.121

gw 64.1.3.122

ASA

e0 64.1.16.66 - outside

e1 192.168.1.1 - inside

gw 64.1.16.65

clients

192.168.1.0/24

gw 192.168.1.1

Wrong post - sorry.

Johan

Hi

to view packets from your clients touching the 2620 you could run the ffg on the 2620;

r1#term mon

r1#debug ip packet

****** sample output *******

Mar 24 02:54:20.649: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:20.677: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.677: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 260, forward

Mar 24 02:54:20.677: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.677: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:20.693: IP: s=86.133.111.30 (Vlan100), d=198.133.219.25 (Dialer0), g=198.133.219.25, len 40, forward

Mar 24 02:54:20.693: IP: s=86.133.111.30 (Vlan100), d=198.133.219.25 (Dialer0), g=198.133.219.25, len 40, forward

Mar 24 02:54:20.873: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:20.873: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward

Mar 24 02:54:21.389: IP: tableid=0, s=192.168.1.4 (local), d=192.168.2.2 (Vlan100), routed via RIB

Mar 24 02:54:21.513: IP: s=192.168.1.3 (Vlan100), d=224.0.0.5, len 84, rcvd 0

*********************************************

To switch off you could "u al"; you could also create an access-list to match only the traffic you're interested in, e.g. "debug ip packet 100".

Thanks
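An added example, not part of the original post: a small Python parser for `debug ip packet` lines in the format of the sample output above, so one host's packets can be picked out of a saved terminal log and checked for traffic seen in one direction only. The sample lines are copied from the output above; the function names and the idea of saving the debug output to text are assumptions.

```python
import re
from collections import Counter

# Constructed sample: five lines copied from the debug output quoted above.
SAMPLE = """\
Mar 24 02:54:20.649: IP: s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), g=192.168.1.1, len 40, forward
Mar 24 02:54:20.677: IP: tableid=0, s=198.133.219.25 (Dialer0), d=192.168.2.2 (Vlan100), routed via RIB
Mar 24 02:54:20.693: IP: s=86.133.111.30 (Vlan100), d=198.133.219.25 (Dialer0), g=198.133.219.25, len 40, forward
Mar 24 02:54:21.389: IP: tableid=0, s=192.168.1.4 (local), d=192.168.2.2 (Vlan100), routed via RIB
Mar 24 02:54:21.513: IP: s=192.168.1.3 (Vlan100), d=224.0.0.5, len 84, rcvd 0
"""

# One "debug ip packet" line: optional tableid, source (with interface),
# destination (interface optional), optional next hop and length, then the action.
LINE = re.compile(
    r"^\*?(?P<ts>.+?): IP: (?:tableid=\d+, )?"
    r"s=(?P<src>[\d.]+) \((?P<src_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dst_if>[^)]+)\))?, "
    r"(?:g=(?P<gw>[\d.]+), )?(?:len (?P<len>\d+), )?"
    r"(?P<action>.+)$"
)

def parse(text):
    """Return one dict per recognised line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def summarize(records, host):
    """Count (role, action) pairs for packets the router logged to or from host."""
    counts = Counter()
    for r in records:
        if r["src"] == host:
            counts[("src", r["action"])] += 1
        if r["dst"] == host:
            counts[("dst", r["action"])] += 1
    return counts

def directions_seen(records, host):
    """Roles host appears in; a single role means one-way traffic in the capture."""
    return {role for role, _ in summarize(records, host)}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for host in ("192.168.2.2", "198.133.219.25"):
        print(host, dict(summarize(recs, host)), sorted(directions_seen(recs, host)))
```

Pass the address as the router sees it; behind a translating firewall that may not be the client's own address.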

I've never tried using ffg but I'll give it a whirl, thanks for the tip!

Can someone please clarify defining an access-list?

Is it as simple as:

r1#access-list 100 permit ip any host 192.168.1.19

Then:

r1#ip access-group 100 out

or am I oversimplifying?

Good afternoon :

I am in a similar situation as far as analyzing the traffic hitting my 2621 as well as its response to it.

What does the "routed via RIB" mean at the end of the log transaction? Is there any difference between the "forward" and the "routed via RIB"?
