Wednesday, August 19, 2015

Packet Capture: Man's Best Friend In The IT World

I recently had a customer email me about a server that couldn't be accessed from the public network (the Internet).  So I got in remotely to take a look at the firewall, in this case a Cisco ASA.  The customer is pretty sure that the firewall is the issue.  The only thing that will prove it one way or the other is a packet capture.  Even then, I'm not sure it will prove it to them, but it will to me.  So first, I look at whether packets are hitting the outside interface.  I'm coming from 50.48.98.210 to 38.67.56.3 on port 80.
ASA# sh capture capin

5 packets captured

   1: 13:33:23.722023 50.48.98.210.35106 > 38.67.56.3.80: S 1746501894:1746501894(0) win 65535 <mss 1460,sackOK,timestamp 9024126 0,nop,wscale 6>
   2: 13:33:23.723763 50.48.98.210.35107 > 38.67.56.3.80: S 370354649:370354649(0) win 65535 <mss 1460,sackOK,timestamp 9024126 0,nop,wscale 6>
   3: 13:33:23.951794 50.48.98.210.35109 > 38.67.56.3.80: S 426922397:426922397(0) win 65535 <mss 1460,sackOK,timestamp 9024149 0,nop,wscale 6>
   4: 13:33:24.562043 50.48.98.210.35113 > 38.67.56.3.80: S 1385524340:1385524340(0) win 65535 <mss 1460,sackOK,timestamp 9024210 0,nop,wscale 6>
   5: 13:33:29.637296 50.48.98.210.35114 > 38.67.56.3.80: S 3644565852:3644565852(0) win 65535 <mss 1460,sackOK,timestamp 9024717 0,nop,wscale 6>
5 packets shown

So packets are definitely making it to the ASA.  Are they making it through it?  Let's see.
ASA# sh capture capin

4 packets captured

   1: 14:05:53.245623 50.48.98.210.35120 > 192.168.70.10.80: S 528608121:528608121(0) win 65535 <mss 1380,sackOK,timestamp 9219068 0,nop,wscale 6>
   2: 14:05:53.245882 50.48.98.210.35119 > 192.168.70.10.80: S 236186416:236186416(0) win 65535 <mss 1380,sackOK,timestamp 9219068 0,nop,wscale 6>
   3: 14:05:53.736076 50.48.98.210.35122 > 192.168.70.10.80: S 104826225:104826225(0) win 65535 <mss 1380,sackOK,timestamp 9219119 0,nop,wscale 6>
   4: 14:05:58.860688 50.48.98.210.35123 > 192.168.70.10.80: S 4140132663:4140132663(0) win 65535 <mss 1380,sackOK,timestamp 9219630 0,nop,wscale 6>
4 packets shown
ASA#

Yes, that looks good.  They do make it through the firewall to the internal interface, which is where I took this capture.  Note the destination is now the server's private address, 192.168.70.10, so the NAT from 38.67.56.3 is being applied as expected.
What about pinging the internal server from the firewall?
ASA# ping 192.168.70.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.70.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA#

Not looking good at this point.  The client's SYNs reach the inside interface, nothing comes back from the server in either capture, and the server doesn't even answer ICMP from the firewall.  I checked the config and compared it to the last known good one.  No differences.  It's definitely not the firewall; the problem is on the server or the path behind the inside interface.
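To make the outside-versus-inside comparison above repeatable, here is an added Python example (not code from the post): it parses the packet lines of `show capture` output and, for each client SYN seen on the outside interface, reports whether the inside capture shows it not forwarded, forwarded but unanswered, or answered with a SYN-ACK. The sample captures are constructed from the post's addresses; client port 35130 and the SYN-ACK line are invented so that every case is exercised.

```python
import re

# Packet line format of 'show capture <name>' on a Cisco ASA, as in the post; a SYN-ACK
# appears in this format as 'S <seq>:<seq>(0) ack <n> ...'.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

def parse_capture(text):
    """Parse packet lines; prompt, header and footer lines are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        p["syn"], p["ack"] = "S" in p["flags"], "ack" in p["rest"].split()
        pkts.append(p)
    return pkts

def correlate(outside_text, inside_text, client, server_pub, server_priv):
    """For each client SYN on the outside interface, report what the inside interface
    shows: 'not forwarded', 'forwarded, no reply', or 'answered' (a SYN-ACK came back)."""
    inside = parse_capture(inside_text)
    forwarded = {p["sport"] for p in inside if p["src"] == client
                 and p["dst"] == server_priv and p["syn"] and not p["ack"]}
    answered = {p["dport"] for p in inside if p["src"] == server_priv
                and p["dst"] == client and p["syn"] and p["ack"]}
    report = {}
    for p in parse_capture(outside_text):
        if p["src"] == client and p["dst"] == server_pub and p["syn"] and not p["ack"]:
            key = p["sport"]  # client source port survives NAT, so it links the two captures
            report[key] = ("answered" if key in answered else
                           "forwarded, no reply" if key in forwarded else "not forwarded")
    return report

# Constructed sample captures modelled on the post (options trimmed; port 35130 is invented).
OUTSIDE = """3 packets captured
   1: 13:33:23.722023 50.48.98.210.35106 > 38.67.56.3.80: S 1746501894:1746501894(0) win 65535 <mss 1460>
   2: 13:33:23.723763 50.48.98.210.35107 > 38.67.56.3.80: S 370354649:370354649(0) win 65535 <mss 1460>
   3: 13:33:30.100000 50.48.98.210.35130 > 38.67.56.3.80: S 100:100(0) win 65535 <mss 1460>
3 packets shown"""
INSIDE = """3 packets captured
   1: 13:33:23.722100 50.48.98.210.35106 > 192.168.70.10.80: S 1746501894:1746501894(0) win 65535 <mss 1380>
   2: 13:33:30.100100 50.48.98.210.35130 > 192.168.70.10.80: S 100:100(0) win 65535 <mss 1380>
   3: 13:33:30.100900 192.168.70.10.80 > 50.48.98.210.35130: S 500:500(0) ack 101 win 29200 <mss 1380>
3 packets shown"""

if __name__ == "__main__":
    for port, verdict in correlate(OUTSIDE, INSIDE, "50.48.98.210", "38.67.56.3", "192.168.70.10").items():
        print(f"client port {port}: {verdict}")
```

A port that is "forwarded, no reply" for every attempt, as in the post, points past the firewall; "not forwarded" would instead point at an ACL or NAT rule on the ASA.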
