I have set up a couple of captures on an FWSM running 3.2(4) to look for packets from host A to host B and the return traffic, but I'm not seeing all the packets in one of the captures.
It's a simple case of traffic coming in on the outside interface, traversing the firewall through the inside interface, and obviously return traffic following the reciprocal path.
Looking at the captures I can see the 3-way handshake setting up in both captures, but then the data traffic only appears in the outside capture. I'm positive the traffic is OK as I can also see the TCP ACKs from the inside host back to the outside host (in the outside capture only). If the TCP 'stream' wasn't working I would not expect to see these ACKs.
Is this the nature of the FWSM and captures, or would you expect to see all traffic in both captures?
Any help/information would be appreciated.
Capture and acl set up:
firewall# sh access-list test
access-list test; 2 elements
access-list test line 1 extended permit tcp host 82.xx.xx.77 host 62.xx.xx.12 (hitcnt=190) 0x65b723b5
access-list test line 2 extended permit tcp host 62.xx.xx.12 host 82.xx.xx.77 (hitcnt=73) 0xdb1c5f30

firewall# sh access-list test2
access-list test2; 2 elements
access-list test2 line 1 extended permit tcp host 82.xx.xx.77 host 62.xx.xx.12 (hitcnt=18) 0x2ac230c2
access-list test2 line 2 extended permit tcp host 62.xx.xx.12 host 82.xx.xx.77 (hitcnt=12) 0x545b5188

capture test1 type raw-data access-list test interface Outside
capture test2 type raw-data access-list test2 interface Inside
We've resolved this issue.
The port being used for this was TCP 2000, which is the default port used by application inspection for the Skinny (SCCP) protocol. Removed TCP 2000 from app inspection and now all is good.
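The change described in the answer above, written out as an added example (this is not configuration from the original thread, and the class-map/policy-map names are the FWSM/ASA defaults, assumed here rather than taken from the poster's device). It shows why a capture on the egress interface can miss the data segments of a flow on TCP 2000: the default class `inspection_default` matches TCP 2000 and hands the flow to the Skinny inspection engine, so what leaves the other interface is whatever the engine decides to forward, not a straight copy of the ingress packets. The second half shows how to confirm the engine is touching the flow before changing anything, and a narrower alternative to switching Skinny inspection off globally.

```cisco
! Default Modular Policy Framework inspection as shipped on FWSM/ASA
! (default names assumed for this example). "match default-inspection-traffic"
! includes TCP/2000, so any TCP/2000 flow is run through "inspect skinny".
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect skinny
!
service-policy global_policy global

! Check before changing anything: if the Skinny counters climb while the
! problem flow is active, the inspection engine is handling that flow.
! (show service-policy inspect skinny / show conn are standard commands.)
firewall# show service-policy inspect skinny
firewall# show conn | include 2000

! Fix 1 - what the poster did: stop inspecting Skinny for all traffic.
policy-map global_policy
 class inspection_default
  no inspect skinny

! Fix 2 - narrower alternative (names assumed): keep Skinny inspection,
! but only for traffic to the real call manager, so an application that
! merely happens to use TCP/2000 is left alone. Replace CALLMANAGER_IP
! with the address of your actual CallManager; it is a placeholder here.
access-list SCCP_TO_CM extended permit tcp any host CALLMANAGER_IP eq 2000
!
class-map SKINNY_ONLY
 match access-list SCCP_TO_CM
!
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SKINNY_ONLY
  inspect skinny

! After either fix, clear the existing connection so it is rebuilt
! without the inspection engine attached, then re-run both captures.
firewall# clear conn address 82.xx.xx.77
```

The practical lesson for capture-based troubleshooting on these platforms: when ingress and egress captures disagree for a single flow, check `show service-policy` for an inspection engine bound to that port before concluding that packets are being dropped. Fix 2 is preferable where real phones traverse the firewall, since Fix 1 removes the protocol checks for them as well.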