FINAL SUMMARY: technical routing question on Solaris 10

Hey all.

Thanks again for all the help.

I wanted to send a final summary, now that we've actually solved the problem.

If you recall, we have a network with 4 VLANs (web, app, mgt and nas). We have machines on the app layer that need to get out to the Internet for a specific function. We set up a static route for each Internet host going through a firewall doing reverse NAT on our end.

Once we got through the CKI issues of copy-and-pasting the wrong server's IPs and traceroutes (sorry 'bout that), we finally solved the problem.

First, the helpful advice to use snoop -V port 80 instead of tcpdump helped, in that I saw the traffic leaving. When I used snoop -v to show me layer 2 information, the destination MAC was the firewall/gateway in question, so the packets were happily leaving my machine after all and arriving at the firewall.

It turns out that the firewall was dropping packets. The problem was that the Cisco FWSM (firewall service module) has the ability to do contexts, similar to Solaris 10 containers or virtual servers. We had a context configured in preparation for having a DS3 link from our office to our data center for management. Our network guy set up an *additional* context for the new reverse-NAT out to the Internet connection, *also on the mgt VLAN*.

When packets came into the firewall/gateway on the mgt VLAN, therefore, the FWSM didn't know which context should apply, and like a good little security device, dropped the packets rather than mistakenly allow something bad through. This is documented, albeit rather confusingly, in the FWSM documentation.

By disabling the DS3 context, and eventually reconfiguring both contexts into one, the network guy solved the problem of allowing the packets out, and we can now get to where we need to go.

Take care,
-Adam
_______________________________________________
sunmanagers mailing list
sunmanagers@xxxxxxxxxxxxxxx
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
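The layer-2 check Adam describes (run snoop -v, confirm the destination MAC on the outbound frames is the gateway's) is easy to automate so the next person can prove "the packets left my box" before arguing with the firewall team. The script below is an added example, not code from the original post or from the sunmanagers list. It assumes the Ethernet-header line in `snoop -v` output has the form `ETHER:  Destination = <mac>, <vendor>`, and it works on a saved copy of the capture rather than calling snoop itself; the capture text, the host names, the IP addresses (RFC 5737 documentation ranges) and the gateway MAC (what `arp -a` would report for the mgt-VLAN gateway) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): check that every frame in a
# `snoop -v port 80` capture is addressed to the gateway's MAC, i.e. that
# routing and ARP on the Solaris host are fine and the problem is upstream.

# Constructed sample of `snoop -v` output for two outbound HTTP packets.
# Solaris snoop prints MAC octets without leading zeros ("0:0:c:9f:f0:1").
SNOOP_SAMPLE='ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 14:02:11.23
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 0:0:c:9f:f0:1, CISCO
ETHER:  Source      = 0:3:ba:12:34:56, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:   Source address = 192.0.2.10, app01
IP:   Destination address = 198.51.100.20,
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 2 arrived at 14:02:11.24
ETHER:  Packet size = 74 bytes
ETHER:  Destination = 0:0:c:9f:f0:1, CISCO
ETHER:  Source      = 0:3:ba:12:34:56, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:   Source address = 192.0.2.10, app01
IP:   Destination address = 203.0.113.5,
'

# Constructed: the gateway MAC as `arp -a` would list it for the mgt-VLAN
# gateway address (arp pads octets, snoop does not, hence the normalisation).
GATEWAY_MAC='00:00:0c:9f:f0:01'

# Canonicalise a MAC: lowercase, every octet zero-padded to two hex digits,
# so "0:0:c:9f:f0:1" and "00:00:0c:9f:f0:01" compare equal.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) {
            o = $i
            if (length(o) == 1) o = "0" o
            out = out (i > 1 ? ":" : "") o
        }
        print out
    }'
}

# Print the distinct, normalised destination MACs of all Ethernet headers
# in a snoop -v capture passed as $1.
snoop_dest_macs() {
    printf '%s\n' "$1" \
      | awk '/^ETHER:[ \t]+Destination = / { sub(/,.*/, "", $4); print $4 }' \
      | while read -r mac; do normalize_mac "$mac"; done \
      | sort -u
}

# Return 0 when every captured frame is addressed to the gateway MAC ($2),
# 1 otherwise; the stray MACs are listed on stderr for the human reading it.
frames_go_to_gateway() {
    snoop_out=$1
    gateway_mac=$(normalize_mac "$2")
    bad=$(snoop_dest_macs "$snoop_out" | grep -v -x "$gateway_mac" || true)
    if [ -n "$bad" ]; then
        echo "frames addressed to a MAC other than the gateway ($gateway_mac):" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone use on the constructed capture. On a real host you would
# feed it `snoop -v port 80` output saved to a file and the MAC from
# `arp -a` for your gateway's IP.
if frames_go_to_gateway "$SNOOP_SAMPLE" "$GATEWAY_MAC"; then
    echo "all captured frames are addressed to the gateway; look at the firewall next"
else
    echo "frames are not reaching the gateway; check the route table and ARP cache"
fi
```

If this check passes and the far end still sees nothing, the host is exonerated and, as in Adam's case, the next place to look is what the gateway does with frames that arrive on that VLAN.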