[c-nsp] Dropped packets to a specific subnet (Not physical)
Kim Onnel
karim.adel at gmail.com
Thu Feb 23 11:09:07 EST 2006
Hi,
In our Datacenter, there are a couple of servers in the subnet 172.31.10.0;
a lot of packets to this subnet are dropped. I attached a network diagram,
configurations of the devices in the diagram, ping snapshots and routing
information. All other servers in different subnets reply normally.
Pinging the Firewall outside interface
WAN_ROUTER#ping
Protocol [ip]:
Target IP address: xx.xx.110.252
Repeat count [5]: 100
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to xx.xx.110.252, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms
WAN_ROUTER#
Pinging DNS server
WAN_ROUTER#ping
Protocol [ip]:
Target IP address: xx.xx.110.197
Repeat count [5]: 100
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to xx.xx.110.197, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/4 ms
WAN_ROUTER#
WAN_ROUTER#ping
Protocol [ip]:
Target IP address: 172.31.10.25
Repeat count [5]: 10
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 172.31.10.25, timeout is 2 seconds:
!.!!!!!.!.
Success rate is 70 percent (7/10), round-trip min/avg/max = 1/2/4 ms
SSH_SERVER:~# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:01:52.521633 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 0, length 1480
16:01:52.536081 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 0, length 1480
16:01:54.522317 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 2, length 1480
16:01:54.522422 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 2, length 1480
16:01:54.524919 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 3, length 1480
16:01:54.525017 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 3, length 1480
16:01:54.527720 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 4, length 1480
16:01:54.527819 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 4, length 1480
16:01:54.530296 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 5, length 1480
16:01:54.530387 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 5, length 1480
16:01:54.533734 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 6, length 1480
16:01:54.533832 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 6, length 1480
16:01:54.536519 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 7, length 1480
16:01:56.534605 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 8, length 1480
16:01:56.534710 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 8, length 1480
16:01:56.537562 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 9, length 1480
16:01:56.537658 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 9, length 1480
WAN_ROUTER#sh ip route 172.31.10.25
Routing entry for 172.31.10.0/27
Known via "static", distance 1, metric 0
Redistributing via ospf 99, ospf 101, bgp 65000
Advertised by ospf 101 subnets
bgp 65000
Routing Descriptor Blocks:
* 172.31.10.50
Route metric is 0, traffic share count is 1
WAN_ROUTER#sh run | i ip route 172.31.10
ip route 172.31.10.0 255.255.255.224 172.31.10.50
ip route 172.31.10.29 255.255.255.255 172.31.15.130
ip route 172.31.10.32 255.255.255.240 172.31.10.50
WAN_ROUTER#
WAN_ROUTER#sh ip route | i 172.31.10.
C 172.31.10.48/30 is directly connected, FastEthernet2/1.1
S 172.31.10.32/28 [1/0] via 172.31.10.50
S 172.31.10.29/32 [1/0] via 172.31.15.130
S 172.31.10.0/27 [1/0] via 172.31.10.50
WAN_ROUTER#sh ip route 172.31.10.50
Routing entry for 172.31.10.48/30
Known via "connected", distance 0, metric 0 (connected, via interface)
Redistributing via bgp 65000
Advertised by bgp 65000
Routing Descriptor Blocks:
* directly connected, via FastEthernet2/1.1
Route metric is 0, traffic share count is 1
WAN_ROUTER#sh run int FastEthernet2/1
Building configuration...
Current configuration : 248 bytes
!
interface FastEthernet2/1
description *** LINK TO LAN ROUTER ***
no ip address
ip access-group block-worms in
ip access-group block-worms out
ip route-cache flow
load-interval 30
duplex full
no cdp enable
end
WAN_ROUTER#
WAN_ROUTER#sh run int FastEthernet2/1.1
!
interface FastEthernet2/1.1
description *** Connection with LAN ROUTER ***
encapsulation isl 10
ip address 172.31.10.49 255.255.255.252
ip access-group block-worms in
ip access-group block-worms out
no ip redirects
ip ospf hello-interval 5
ip ospf dead-interval 15
no cdp enable
end
Moving to LAN_ROUTER:
Pinging the SSH server again:
LAN_ROUTER#ping
Protocol [ip]:
Target IP address: 172.31.10.25
Repeat count [5]: 10
Datagram size [100]: 1500
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 172.31.10.25, timeout is 2 seconds:
!!!!!.!!.!
Success rate is 80 percent (8/10), round-trip min/avg/max = 1/2/4 ms
LAN_ROUTER#
zazu:~# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:10:16.681544 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5359, seq 2409, length 1480
16:10:16.695414 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5359, seq 2409, length 1480
16:10:16.683176 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5360, seq 2409, length 1480
16:10:16.683277 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5360, seq 2409, length 1480
16:10:16.684854 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5361, seq 2409, length 1480
16:10:16.684985 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5361, seq 2409, length 1480
16:10:16.686815 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5362, seq 2409, length 1480
16:10:16.686931 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5362, seq 2409, length 1480
16:10:16.688918 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5363, seq 2409, length 1480
16:10:16.689004 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5363, seq 2409, length 1480
16:10:16.690580 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5364, seq 2409, length 1480
16:10:18.689945 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5365, seq 2409, length 1480
16:10:18.690052 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5365, seq 2409, length 1480
16:10:18.691900 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5366, seq 2409, length 1480
16:10:18.691999 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5366, seq 2409, length 1480
16:10:18.693729 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5367, seq 2409, length 1480
16:10:20.693596 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5368, seq 2409, length 1480
16:10:20.693704 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5368, seq 2409, length 1480
LAN_ROUTER#sh ip route 172.31.10.25
Routing entry for 172.31.10.0/27
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* xx.xx.110.252
Route metric is 0, traffic share count is 1
LAN_ROUTER#sh ip route xx.xx.110.252
Routing entry for xx.xx.110.192/26
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via FastEthernet1/1
Route metric is 0, traffic share count is 1
LAN_ROUTER#sh ip route | i 172.31.10.
Gateway of last resort is 172.31.10.49 to network 0.0.0.0
C 172.31.10.48/30 is directly connected, FastEthernet2/1.1
S 172.31.10.29/32 is directly connected, FastEthernet2/1.1
S 172.31.10.0/27 [1/0] via xx.xx.110.252
S* 0.0.0.0/0 [1/0] via 172.31.10.49
LAN_ROUTER#
LAN_ROUTER#sh run int FastEthernet1/1
interface FastEthernet1/1
.....A lot of secondary IPs omitted....
ip address xx.xx.110.3 255.255.255.192 secondary
ip address xx.xx.110.251 255.255.255.192
ip access-group block-worms in
ip access-group block-worms out
ip nat inside
rate-limit input access-group rate-limit 100 2048000 5000 5000 conform-action transmit exceed-action transmit
rate-limit output access-group rate-limit 100 2048000 5000 5000 conform-action transmit exceed-action transmit
load-interval 30
full-duplex
no cdp enable
end
LAN_ROUTER#sh access-lists rate-limit 100
Rate-limit access list 100
00B0.D064.8774
LAN_ROUTER#sh arp | i .252
Internet xx.xx.110.252 0 00d0.b782.3aa3 ARPA FastEthernet1/1
LAN_ROUTER#sh arp | i 172.31.10.25
LAN_ROUTER#sh arp | i 172.31.10.
Internet 172.31.10.49 160 0007.ec79.5a90 ARPA FastEthernet2/1.1
Internet 172.31.10.50 - 0007.ec79.5ade ARPA FastEthernet2/1.1
Internet 172.31.10.29 160 0007.ec79.5a90 ARPA FastEthernet2/1.1
LAN_ROUTER#
LAN_ROUTER#sh ip access-lists block-worms
Extended IP access list block-worms
deny tcp any any eq 5554 (21672 matches)
deny tcp any any range 135 139 (141805760 matches)
deny udp any any range 135 netbios-ss (247404899 matches)
deny tcp any any eq 445 (7593990 matches)
deny udp any any eq 1026 (196450466 matches)
Moving to PIX:
: Saved
: Written by enable_15 at 11:03:17.364 UTC Tue Feb 14 2006
PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 100basetx
interface ethernet3 100basetx
interface ethernet4 100basetx
interface ethernet5 auto shutdown
interface gb-ethernet0 1000auto
interface gb-ethernet1 1000auto
nameif ethernet0 collocated security50
nameif ethernet1 NOC security60
nameif ethernet2 dmz2 security40
nameif ethernet3 DMZ3 security55
nameif ethernet5 intf5 security10
nameif gb-ethernet0 inside security100
nameif gb-ethernet1 outside security0
hostname PIX-OUTSIDE
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol ftp 2009
fixup protocol ftp 2100
fixup protocol ftp 2200
fixup protocol ftp 2201
fixup protocol ftp 2202
fixup protocol ftp 2203
fixup protocol ftp 5000
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list external permit tcp any host 172.31.10.25 eq ssh
access-list external permit udp any host 172.31.10.25 eq 2055
access-list external permit udp any host 172.31.10.25 eq syslog
mtu collocated 1500
mtu NOC 1500
mtu dmz2 1500
mtu DMZ3 1500
mtu intf5 1500
mtu inside 1500
mtu outside 1500
ip address NOC 172.31.10.1 255.255.255.224
ip address dmz2 10.0.9.1 255.255.255.0
ip address DMZ3 10.0.11.1 255.255.255.0
no ip address intf5
ip address outside xx.xx.110.252 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool1 192.168.1.25-192.168.1.28
pdm history enable
arp timeout 14400
nat (netcentrex) 0 access-list 110
static (NOC,outside) 172.31.10.0 172.31.10.0 netmask 255.255.255.224 0 0
access-group dmz2 in interface dmz2
access-group dmz3 in interface DMZ3
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.110.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 4
terminal width 80
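As an added example (editor's code, not part of Kim's post and not a Cisco tool), the script below cross-references the IOS ping result string ('!' reply received, '.' timeout) with the tcpdump capture taken on the target, so each lost probe is placed either before the host (request never seen on its NIC), at the host (request seen, no reply sent) or on the return path (reply sent, never received). The two captures from the post are embedded inline as the sample input. It assumes each capture belongs to the ping run shown next to it and that the first probe reached the capture point; a capture started late, or a host rate-limiting ICMP, would look the same as a forward-path or host loss, so the verdicts are a pointer for where to capture next, not proof. On the first run it reports seq 1 never reaching the server, seq 7 reaching it without an answer and seq 9 being answered but the reply not getting back; on the second run both lost probes reached the server and got no reply.

```python
import re

# tcpdump 'icmp' records, one echo per line.  Both captures are the ones in
# the post (the mail client had wrapped each record over two lines).
CAPTURE_WAN = """\
16:01:52.521633 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 0, length 1480
16:01:52.536081 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 0, length 1480
16:01:54.522317 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 2, length 1480
16:01:54.522422 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 2, length 1480
16:01:54.524919 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 3, length 1480
16:01:54.525017 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 3, length 1480
16:01:54.527720 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 4, length 1480
16:01:54.527819 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 4, length 1480
16:01:54.530296 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 5, length 1480
16:01:54.530387 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 5, length 1480
16:01:54.533734 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 6, length 1480
16:01:54.533832 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 6, length 1480
16:01:54.536519 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 7, length 1480
16:01:56.534605 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 8, length 1480
16:01:56.534710 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 8, length 1480
16:01:56.537562 IP 172.31.10.49 > 172.31.10.25: ICMP echo request, id 26363, seq 9, length 1480
16:01:56.537658 IP 172.31.10.25 > 172.31.10.49: ICMP echo reply, id 26363, seq 9, length 1480
"""
CAPTURE_LAN = """\
16:10:16.681544 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5359, seq 2409, length 1480
16:10:16.695414 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5359, seq 2409, length 1480
16:10:16.683176 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5360, seq 2409, length 1480
16:10:16.683277 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5360, seq 2409, length 1480
16:10:16.684854 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5361, seq 2409, length 1480
16:10:16.684985 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5361, seq 2409, length 1480
16:10:16.686815 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5362, seq 2409, length 1480
16:10:16.686931 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5362, seq 2409, length 1480
16:10:16.688918 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5363, seq 2409, length 1480
16:10:16.689004 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5363, seq 2409, length 1480
16:10:16.690580 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5364, seq 2409, length 1480
16:10:18.689945 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5365, seq 2409, length 1480
16:10:18.690052 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5365, seq 2409, length 1480
16:10:18.691900 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5366, seq 2409, length 1480
16:10:18.691999 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5366, seq 2409, length 1480
16:10:18.693729 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5367, seq 2409, length 1480
16:10:20.693596 IP xx.xx.110.251 > 172.31.10.25: ICMP echo request, id 5368, seq 2409, length 1480
16:10:20.693704 IP 172.31.10.25 > xx.xx.110.251: ICMP echo reply, id 5368, seq 2409, length 1480
"""

ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Group the capture by (icmp id, seq): {(id, seq): {'request': ts, 'reply': ts}}."""
    echoes = {}
    for line in text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            rec = echoes.setdefault((int(m["id"]), int(m["seq"])), {"request": None, "reply": None})
            rec[m["kind"]] = m["ts"]
    return echoes


def classify(ping_pattern, echoes):
    """Map each IOS ping probe ('!' reply received, '.' timeout, in send order)
    to what the capture on the target saw, and say where that probe was lost."""
    # IOS normally keeps the ICMP id fixed and counts seq up (first capture);
    # when the ping is NATted on the way out every probe carries a fresh id and
    # seq stays constant (second capture).  Key on whichever field varies.
    if len({i for i, _ in echoes}) == 1:
        keyed = {seq: rec for (_, seq), rec in echoes.items()}
    else:
        keyed = {i: rec for (i, _), rec in echoes.items()}
    first = min(keyed)  # assumption: the first probe did reach the capture point
    verdicts = []
    for n, mark in enumerate(ping_pattern):
        rec = keyed.get(first + n, {"request": None, "reply": None})
        if mark == "!":
            verdicts.append("ok" if rec["reply"] else "ok-but-missing-from-capture")
        elif rec["request"] is None:
            verdicts.append("lost-before-host")      # never reached the target NIC
        elif rec["reply"] is None:
            verdicts.append("no-reply-from-host")    # arrived, host sent nothing back
        else:
            verdicts.append("reply-lost-on-return")  # host answered, reply never made it
    return verdicts


def summarize(verdicts):
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for label, pattern, cap in (("WAN_ROUTER", "!.!!!!!.!.", CAPTURE_WAN),
                                ("LAN_ROUTER", "!!!!!.!!.!", CAPTURE_LAN)):
        verdicts = classify(pattern, parse_capture(cap))
        print(label, pattern, summarize(verdicts))
        for n, verdict in enumerate(verdicts):
            print(f"  probe {n}: {verdict}")
```

To use it on a live problem, run `tcpdump -n icmp` on the target while the router pings with a fixed repeat count, paste the capture and the router's result string in place of the constants, and compare the verdicts; a mix of all three loss points, as in the first run here, points away from a single bad hop and towards the host or its switch port.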