[c-nsp] Telnet FROM a PIX Appliance?
Sam Stickland
sam_mailinglists at spacething.org
Mon Jun 30 12:47:03 EDT 2008
Higham, Josh wrote:
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
>>
>> I guess it's more as a "working right" educational purpose,
>> so you won't use your firewall as a debugging client.
>> In newer versions there's the packet tracker that can help
>> you debug connectivity problems.
>> Ziv
>>
>
> As an FYI, the ASA/Pix packet capture cannot currently be completely
> trusted (version 8.0). I found an annoying bug where I would capture
> the frame on a span session monitoring the port connected to the
> firewall, but it wouldn't show up on the firewall capture.
>
> The packet in question was also being dropped by the firewall, but with
> no logging (and with a permit ip any any rule in place). The 'fix' was
> to apply a nat translation and then remove it. TAC was completely
> unhelpful (worst ever TAC experience).
Does the firewall have "no nat-control" configured on it? And did you
have a look at "sh xlate detail"?
Perhaps it's possible a spoofed (or unexpectedly routed) packet arrived on
another interface and the firewall automatically created an identity NAT
translation binding this IP address to this ingress interface, instead
of the correct one. (Remember, even with "no nat-control" the firewall
still maintains a translation table, and this will be checked before the
routing table.) "ip verify unicast reverse-path" helps prevent this.
Sam
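An added illustration of the checks Sam describes, not taken from the thread; a constructed ASA/PIX 7.x/8.0 CLI session with placeholder addresses (10.0.0.5 as the host whose traffic went missing, "inside"/"outside" as the interface names). The "ip verify reverse-path interface" form is the PIX/ASA spelling of the unicast RPF check referred to above.

```text
! --- 1. Confirm nat-control state and look for a stale/unexpected xlate ---
ciscoasa# show running-config nat-control
no nat-control
ciscoasa# show xlate detail
! A stray identity entry bound to the wrong ingress interface would look like:
!   NAT from outside:10.0.0.5 to outside:10.0.0.5 flags i
! when 10.0.0.5 actually lives behind "inside". That entry wins over the
! routing table for this host until it ages out or is cleared.

! --- 2. Clear only the suspect entry rather than the whole table ---
ciscoasa# clear xlate local 10.0.0.5

! --- 3. Capture on the firewall itself to compare against the SPAN capture ---
ciscoasa(config)# capture cap1 interface inside match ip host 10.0.0.5 any
ciscoasa# show capture cap1

! --- 4. Prevent the stray binding: uRPF on every interface that should never
!        see packets sourced from the other side ---
ciscoasa(config)# ip verify reverse-path interface outside
ciscoasa(config)# ip verify reverse-path interface inside
! Spoofed or mis-routed sources that fail the check are now dropped at
! ingress instead of being used to create a translation on the wrong interface.
```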