5 Replies Latest reply on Jul 18, 2012 8:18 AM by andrew-jive

    wireshark .pcap - capture before or after firewall

    andrew-jive New Member

      When doing a packet capture on an adtran, as referenced here:

      https://supportforums.adtran.com/thread/1442


      When is the packet captured for inbound WAN traffic? Before or after the firewall?


      What I want to find out is if the firewall is dropping the packet or not. If the capture happens after the firewall, the test would not be a valid test; however, if it is before the Adtran takes any firewall or NAT actions, then I should have a good test.


      Thanks!

        • Re: wireshark .pcap - capture before or after firewall
          Employee

          @andrew-jive - Thanks for posting your question on the forum!


          To answer your question, the packet capture will show the packet before the firewall takes any action on it. For example, if you were attempting to get a packet capture of pings hitting the NetVanta WAN IP, and pings were being blocked on the firewall, you would still see the packet hit the router and in your debug before the firewall dropped it.


          If the unit is running a firewall, you will probably see every packet twice (once entering the firewall & once leaving, depending on the ACL you are using); the second may be after a NAT process if NAT is enabled. Furthermore, if the traffic is across a VPN, the second packet will not be seen since it enters/leaves the router encapsulated in VPN.


          Let us know if you have any further questions.


          Thanks,

          Noor

            • Re: wireshark .pcap - capture before or after firewall
              andrew-jive New Member

              Noor,


              Thanks. For some reason, when I capture, I'm not seeing the double you speak of for any of the inbound traffic. I do, however, see double (before and after NAT) for the outbound traffic.


              All I have setup is the following:


              ip access-list extended TEST
                permit udp any any range 5060 5061
              !

              then I run:

              debug ip packet TEST dump

                • Re: wireshark .pcap - capture before or after firewall
                  Employee

                  @andrew-jive - Could you post your access-policies, ACLs referenced in the access-policies, and which interfaces they are assigned to? Please remember to remove any information that may be sensitive to your network.


                  Thanks,

                  Noor

                    • Re: wireshark .pcap - capture before or after firewall
                      andrew-jive New Member

                      !
                      !
                      interface eth 0/1
                        ip address  192.168.103.1  255.255.255.0
                        ip address  3.3.3.3  255.255.255.248  secondary
                        access-policy Private
                        media-gateway ip primary
                        no shutdown
                      !
                      !
                      interface t1 0/1
                        tdm-group 1 timeslots 1-24 speed 64
                        no shutdown
                      !
                      !
                      interface ppp 1
                        description ppp 1
                        ip address  1.1.1.2  255.255.255.252
                        access-policy Public
                        media-gateway ip primary
                        qos-policy out ppp1QosWizard
                        no shutdown
                        cross-connect 1 t1 0/1 1 ppp 1
                      !
                      !
                      !
                      ip access-list standard jiveAllow
                        remark Allow list jiveAllow
                        permit 4.4.4.4 0.0.3.255
                        permit 4.4.4.4 0.0.3.255
                      !
                      ip access-list standard srcLAN
                        permit 3.3.3.3 0.0.0.7
                      !
                      ip access-list standard voiceLAN
                        permit 192.168.103.0 0.0.0.255
                      !
                      ip access-list standard wizard-ics
                        remark NAT list wizard-ics
                        permit any
                      !
                      !
                      ip access-list extended adminAccess
                        permit tcp any  host 1.1.1.2 eq ssh
                        permit tcp any  host 1.1.1.2 eq https
                        permit icmp any  host 1.1.1.2
                      !
                      ip access-list extended lanblock
                        permit ip any  any
                      !
                      ip access-list extended self
                        remark Traffic to Total Access
                        permit ip any  any     log
                      !
                      ip access-list extended test
                        permit udp any  any range 5060 5061
                      !
                      ip access-list extended web-acl-8
                        permit ip any  any
                      !
                      !
                      ip policy-class Private
                        allow list self self
                        nat source list voiceLAN interface ppp 1 overload
                        allow list srcLAN
                      !
                      ip policy-class Public
                        allow list jiveAllow
                        allow list adminAccess self
                        allow list lanblock
                      !
                      !

                      • Re: wireshark .pcap - capture before or after firewall
                        andrew-jive New Member

                        Noor,


                        To update, I am seeing some of the traffic before and after on the inbound stream, but it turns out it's only some of it. In particular, I'm looking at the NAT keep-alives, which are SIP OPTIONs. I've got a ticket in with support. I'd like to keep this thread going, but I'm not comfortable posting the packet capture, which is what will make the rest of this thread interesting.


                        But in summary, I see all of the SIP OPTIONs on the outside of the firewall; the second packet you would see is after the Adtran NATs. I have several phones behind the Adtran, but I only see both packets (before and after) when the outside port is 5060. The rest of the sessions negotiate an off port, and for all of these off-port sessions you only see the packet outside of the firewall; the packet never gets NAT'd in, for some reason, it appears.
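As an added example (not code from the thread or from Adtran), the following Python script applies Noor's "every packet twice" rule to a capture: it pairs each inbound packet addressed to the WAN IP with its post-NAT copy and lists the ones that were seen only before the firewall, which is the set andrew-jive is hunting for. The WAN IP and LAN range are taken from the posted config; the tab-separated tshark field layout and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the thread), shaped like the output of
#   tshark -r dump.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e udp.srcport -e udp.dstport
# run over a pcap exported from the NetVanta debug dump. Addresses come from the posted config.
WAN_IP = "1.1.1.2"                                   # ppp 1 address
LAN_NET = ipaddress.ip_network("192.168.103.0/24")   # voiceLAN
SAMPLE = """\
0.000\t4.4.4.4\t1.1.1.2\t5060\t5060
0.001\t4.4.4.4\t192.168.103.10\t5060\t5060
0.500\t192.168.103.10\t4.4.4.4\t5060\t5060
0.501\t1.1.1.2\t4.4.4.4\t5060\t5060
1.200\t4.4.4.4\t1.1.1.2\t5060\t10734
2.500\t4.4.4.4\t1.1.1.2\t5060\t10902
"""

def parse_fields(text):
    """Turn tab-separated tshark field lines into (time, src, dst, sport, dport) tuples."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport = line.split("\t")
        recs.append((float(t), src, dst, int(sport), int(dport)))
    return recs

def pair_inbound(records, wan_ip=WAN_IP, lan_net=LAN_NET, window=0.05):
    """Match each inbound pre-firewall packet (dst == WAN IP) to its post-NAT copy.

    Returns (translated, pre_firewall_only). A post-NAT copy is a later packet with the
    same src/sport/dport whose dst was rewritten to a LAN host within `window` seconds;
    anything left in pre_firewall_only entered the router but was never NAT'd in.
    """
    post = defaultdict(list)  # (src, sport, dport) -> [(time, translated dst)]
    for t, src, dst, sport, dport in records:
        if ipaddress.ip_address(dst) in lan_net:
            post[(src, sport, dport)].append((t, dst))
    translated, pre_only = [], []
    for t, src, dst, sport, dport in records:
        if dst != wan_ip:
            continue
        key = (src, sport, dport)
        hit = next((p for p in post[key] if 0 <= p[0] - t <= window), None)
        if hit is None:
            pre_only.append(key)
        else:
            post[key].remove(hit)          # consume it so one copy can't match twice
            translated.append((key, hit[1]))
    return translated, pre_only
```

On the sample, the port-5060 OPTIONS is reported as translated to 192.168.103.10, while the two off-port packets come back in the pre-firewall-only list, matching the behaviour described above.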