CCNP BCMSN Exam Certification Guide (3rd Edition)

10-2. Watching Data Pass Through a Firewall

Sometimes you might want to know what sort of traffic has passed through a firewall to reach a certain host. At other times, you might need to troubleshoot why traffic is not being forwarded through the firewall. In this case, you would want to verify that packets arrived on one firewall interface but did not go out another interface.

You can use two methods to watch or verify that packets have passed through a firewall:

  • Capture session Packets passing through an interface and matching given conditions are captured in a buffer and can be displayed later.

  • Debug packet Packets matching conditions defined in a debug command are reported as they pass through the firewall.

NOTE

Beginning with PIX 7.x, the debug packet method is no longer supported.

These methods require different configuration steps, and each affects the firewall resources in different ways. Table 10-11 compares the capture and debug packet methods.

Table 10-11. Verifying That Packets Have Passed Through a Firewall: Capture Session Versus Debug Packet

Capture Session

Debug Packet

Packets (or portions of packets) are captured and stored in a memory buffer.

Packets are reported but not captured. Reports are sent to the active debug trace channel (Telnet, SSH, or console).

Captured packets are displayed later.

Packet reports are displayed in real time.

Packets are identified for capture by an interface, an EtherType, or an access list.

Packets are identified for debugging by parameters in the debug packet command.

Many capture sessions can be configured and enabled.

Only one debug packet session can be configured at a time.

A capture session is bound to a firewall interface. Only packets passing through that interface can be captured.

A debug packet session reports on matching packets as they are inspected and moved through a firewall interface.

Capture sessions don't adversely affect firewall CPU resources.

A debug packet session can be very taxing on the firewall CPU and packet throughput.

By default, each capture session uses a 512-KB buffer in the firewall memory.

A debug packet session doesn't require a block of firewall memory.

Using Capture

You can define one or more capture sessions on a firewall, each operating independently. Captured packets are stored in a memory buffer and can be viewed much like a protocol analyzer or sniffer trace.

Defining a Capture Session

Two basic steps are involved in defining a capture session:

1.

Configure an access list to identify the interesting traffic for capture.

2.

Define the actual capture session.

You can configure the access list by entering one or more access control entry (ACE) statements with the following configuration command:

Firewall(config)# access-list acl_id [line line-num] [extended] permit protocol {source_addr source_mask [operator sport] [destination_addr destination_mask [operator dport]]

Here, only the permit keyword is necessary, because permitted traffic is really only flagged for capture. An implicit deny statement is at the end of the access list, which causes all other traffic to pass without being captured.

The matched protocol can be ip (any IP protocol), tcp (6), udp (17), ah (51), eigrp (88), esp (50), gre (47), igmp (2), igrp (9), ipinip (4), nos (94), ospf (89), pcp (108), snp (109), icmp (1), or a number from 1 to 255.

Source and destination addresses can be explicit IP addresses or subnets, and the masks are regular subnet masks. If you need to specify addresses, be sure the addresses are relevant with respect to NAT. A capture session can monitor inbound traffic on an interface before NAT is performed, and it can monitor outbound traffic after NAT is performed. If you need to match against a source or destination port number, you can add an optional operator: lt (less than), gt (greater than), eq (equal to), neq (not equal to), or range (lies between two port limits). The operator compares the port number to the value given by port (a single decimal number; for a range, give two numbers for lower and upper limits).

TIP

You might find it handy to include something like cap in the access list name, as in acl_cap_testprobe. This way, you can guess that the ACL has a special purpose just by looking at its name.

To define and start a capture session on a firewall interface, you can use the following privileged EXEC command:

Firewall# capture capture_name [access-list acl_name] [ethernet-type type] [interface if-name] [buffer bytes] [circular-buffer] [packet-length bytes]

The capture session is named capture_name (an arbitrary text string). The access list named acl_name is used to identify packets to be captured. If an access list is not used or defined, all IP packets are matched. However, you should use an access list to specifically match trafficespecially on a busy firewall.

You can define the protocol to capture in the access list. You can also specify an Ethernet type code in the capture command instead if you need to capture a protocol that the ACL doesn't support. By default, all Ethernet types are flagged for capture. You can specify one as type using one of these values: arp (ARP requests and replies), ip (TCP/IP), pppoe (PPP over Ethernet), pppoed (PPP over Ethernet Discovery), ip6 (IP version 6), ipx (Novell IPX), or rarp (Reverse ARP).

You should specify which interface the capture session will monitor with the interface keyword and the interface if-name (defined with the nameif command).

You can also make adjustments to the capture buffer. By default, the capture session buffer is 512 KB in the main firewall memory. With the buffer keyword, the buffer can be resized to bytes. By default, the capture session stops when the buffer is full. However, you can use the circular-buffer keyword to allow the capture to work continuously; when the buffer fills, the capture stores the next packet at the beginning of the buffer.

By default, up to 68 bytes of each captured packet are stored in the buffer. You can change this limit with the packet-length keyword to bytes (up to the MTU or maximum packet size). The default value gives enough information to include the IP and upper-layer protocol headers. Be aware that if you increase the packet length, you can view the contents of captured packets, including any cleartext user IDs, passwords, or other confidential information.

Beginning with PIX 7.x, you can add the type keyword to specify a type of data to capture. The following command syntax is used:

Firewall# capture capture_name type {raw-data | isakmp | asp-drop drop-reason} [buffer bytes] [circular-buffer] [packet-length bytes]

The raw-data type is used in capture sessions by default, even when the type keyword is unavailable. In other words, raw IP packets can be captured. You can also capture certain VPN traffic by specifying type isakmp.

Another novel feature involves capturing packets that are dropped rather than forwarded through the firewall. This allows you to analyze the contents of dropped packets so that you can see exactly why the packet was dropped. No other capture filtering by access list or interface is necessary, because packets can be dropped for a wide variety of reasons.

You can use the type asp-drop keywords along with one of the drop-reason keywords listed in Table 10-12.

Table 10-12. drop-reason Keywords for the capture type asp-drop Command

drop-reason Keyword

Description

acl-drop

Flow is denied by the access rule

all

All packet drop reasons

bad-crypto

Bad crypto return in packet

bad-ipsec-natt

Bad IPSec NAT-T packet

bad-ipsec-prot

IPSec isn't AH or ESP

bad-ipsec-udp

Bad IPSec UDP packet

bad-tcp-cksum

Bad TCP checksum

bad-tcp-flags

Bad TCP flags

ctm-error

Crypto Transform Manager (CTM) returned an error

dns-guard-app-id-not-match

DNS Guard application ID didn't match

dns-guard-out-of-app-id

DNS Guard out of application ID

dst-l2_lookup-fail

Destination MAC L2 lookup failed

flow-expired

Expired flow

fo-standby

Dropped by the standby unit

ids-fail-close

IDS card is down

ids-request

IDS Module requested a drop

ifc-classify

Virtual firewall classification failed

inspect-dns-app-id-not-match

DNS Inspect application ID didn't match

inspect-dns-invalid-domain-label

DNS Inspect invalid domain label

inspect-dns-invalid-pak

DNS Inspect invalid packet

inspect-dns-out-of-app-id

DNS Inspect out of application ID

inspect-dns-pak-too-long

DNS Inspect packet was too long

inspect-icmp-app-id-not-match

ICMP Inspect application ID didn't match

inspect-icmp-error-no-existing-conn

ICMP Error Inspect had no existing connection

inspect-icmp-out-of-app-id

ICMP Inspect out of application ID

inspect-icmpv6-error-invalid-pak

ICMPv6 Error Inspect invalid packet

inspect-icmpv6-error-no-existing-conn

ICMPv6 Error Inspect had no existing connection

intercept-unexpected

Unexpected packet was intercepted

interface-down

Interface is down

invalid-app-length

Invalid application length

invalid-encap

Invalid encapsulation

invalid-ethertype

Invalid EtherType

invalid-ip-addr

Invalid IP address

invalid-ip-header

Invalid IP header

invalid-ip-length

Invalid IP length

invalid-ip-option

IP option configured drop

invalid-tcp

Invalid TCP packet

invalid-tcp-hdr-length

Invalid TCP length

invalid-udp-length

Invalid UDP length

ip-fragment

IP fragment unsupported

ipsec-clearpkt-notun

IPSec clear packet with no tunnel

ipsec-ipv6

IPSec via IPv6

ipsec-need-sa

IPSec SA not negotiated yet

ipsec-spoof

IPSec spoof detected

ipsec-tun-down

IPSec tunnel is down

ipsecudp-keepalive

IPSec/UDP keepalive message

ipv6_fp-security-failed

IPv6 fastpath security checks failed

ipv6_sp-security-failed

IPv6 slowpath security checks failed

l2_acl

Fast Path (FP) L2 rule drop

l2_same-lan-port

L2 source/destination same LAN port

large-buf-alloc-fail

Fast Path (FP) large buffer allocation failed

loopback-buffer-full

Loopback buffer is full

lu-invalid-pkt

Invalid failover logical update (LU) packet

natt-keepalive

NAT-T keepalive message

no-adjacency

No valid adjacency

no-mcast-entry

Fast Path (FP) has no multicast entry

no-mcast-intrf

Fast Path (FP) has no multicast output interface

no-punt-cb

No registered punt callback

no-route

No route to host

np-sp-invalid-spi

Invalid SPI

punt-rate-limit

Punt rate limit exceeded

queue-removed

Queued packet dropped

rate-exceeded

QoS rate exceeded

rpf-violated

Reverse-path verify failed

security-failed

Early security checks failed

send-ctm-error

Send to Crypto Transform Manager (CTM) returned an error

tcp-3whs-failed

TCP failed three-way handshake

tcp-ack-syn-diff

TCP ACK in SYNACK invalid

tcp-acked

TCP duplicate and has been ACKed

tcp-bad-option-len

Bad option length in TCP

tcp-bad-option-list

TCP option list invalid

tcp-bad-sack-allow

Bad TCP SACK ALLOW option

tcp-bad-winscale

Bad TCP window scale value

tcp-buffer-full

TCP packet buffer full

tcp-conn-limit

TCP connection limit reached

tcp-data-past-fin

TCP data send after FIN

tcp-discarded-ooo

TCP packet out of order

tcp-dual-open

TCP dual open denied

tcp-fo-drop

TCP replicated flow packet drop

tcp-invalid-ack

TCP invalid ACK

tcp-mss-exceeded

TCP MSS was too large

tcp-mss-no-syn

TCP MSS option on non-SYN

tcp-not-syn

First TCP packet not SYN

tcp-paws-fail

TCP packet failed Protect Against Wrapped Sequence numbers (PAWS) test

tcp-reserved-set

TCP reserved flags set

tcp-rst-syn-in-win

TCP RST/SYN in window

tcp-rstfin-ooo

TCP RST/FIN out of order

tcp-seq-past-win

TCP packet SEQ past window

tcp-seq-syn-diff

TCP SEQ in SYN/SYN-ACK invalid

tcp-syn-data

TCP SYN with data

tcp-syn-ooo

TCP SYN on established connection

tcp-synack-data

TCP SYN-ACK with data

tcp-synack-ooo

TCP SYN-ACK on established connection

tcp-tsopt-notallowed

TCP time stamp not allowed

tcp-winscale-no-syn

TCP window scale on non-SYN

unable-to-add-flow

Flow hash full

unable-to-create-flow

Out of flow cache memory

unimplemented

Slow path unimplemented

unsupport-ipv6-hdr

Unsupported IPv6 header

unsupported-ip-version

Unsupported IP version

As a simple example, the following capture session is created to capture all packets that have been dropped by an interface access list:

Firewall# capture ACLdroptest type asp-drop acl-drop

An inbound SMTP session is attempted from an outside host, which is blocked by an access list applied to the outside interface. First, the following Syslog messages were collected for the failed session:

Feb 08 2005 00:25:41 single_vf : %PIX-4-106023: Deny tcp src outside:172.21.4.48/3407 dst inside:172.16.1.5/25 by access-group "acl_outside" Feb 08 2005 00:25:44 single_vf : %PIX-4-106023: Deny tcp src outside:172.21.4.48/3407 dst inside: 172.16.1.5/25 by access-group "acl_outside" Feb 08 2005 00:25:50 single_vf : %PIX-4-106023: Deny tcp src outside:172.21.4.48/3407 dst inside: 172.16.1.5/25 by access-group "acl_outside"

The denied packets can be correlated to the following packets in the capture session:

Firewall# show capture test 3 packets captured 1: 00:25:41.114312 172.21.4.48.3407 > 172.16.1.5.25: S 3520305660:3520305660(0) win 65520 <mss 1260,nop,nop,sackOK> 2: 00:25:44.026197 172.21.4.48.3407 > 172.16.1.5.25: S 3520305660:3520305660(0) win 65520 <mss 1260,nop,nop,sackOK> 3: 00:25:50.122659 172.21.4.48.3407 > 172.16.1.5.25: S 3520305660:3520305660(0) win 65520 <mss 1260,nop,nop,sackOK> 3 packets shown Firewall#

TIP

You can repeat these steps to define several capture sessions. You can assign multiple capture sessions to the same interface. You also can reuse an ACL in multiple capture sessions if needed. Each capture session is independent and captures its own data in a separate capture buffer.

You can use multiple capture sessions to troubleshoot difficult problems in which the firewall is not forwarding traffic for some reason. Configure one capture session on one interface and a similar capture session on another interface. Use the same access list in both capture sessions. Then you can see traffic arriving on one interface but not appearing on the other.

Aside from the normal traffic inspection engines, access lists, and service policies that might be dropping the packets, consider other information contained in the capture buffer. Be sure to look for packet-related parameters such as the don't fragment (DF) bit or the TCP maximum segment size (MSS) that could be causing packets to be silently dropped.

Getting Results from a Capture Session

After you have defined a capture session, you need to monitor it for activity and retrieve the captured data. If you have defined several capture sessions, you might have trouble remembering which one is performing a certain function. You can list the current capture sessions with the following command:

Firewall# show capture

For example, the firewall used in the following show capture output has three capture sessions defined:

Firewall# show capture capture Aserver-out access-list interface outside capture Aserver-in access-list interface inside capture A-trunk interface outside

Notice that one session is bound to the inside interface, and two other separate sessions are active on the outside interface.

You can display the contents of a capture session buffer at any time, even if the capture is still active. To view the buffer contents from a console, Telnet, or SSH session, you can use the following command:

PIX 6.x

Firewall# show capture capture_name [access-list acl_name] [detail] [dump]

PIX 7.x FWSM 2.x

Firewall# show capture capture_name [access-list acl_name] {detail | dump | decode} [packet-number packet] [count count]

A summary of each packet saved in the capture buffer named capture_name is displayed, even though the capture session is still active. You can also configure another access list named acl_name ahead of time and use that ACL as a display filter. Only packets that are permitted by the display filter access list are displayed.

With PIX 7.x and FWSM 2.x platforms, you can use the decode keyword to display captured packets in an abbreviated form. This is the default display format. You can also display a subset of captured packets. You can use the packet-number keyword to specify packet number packet as the first to display. You can also use the count keyword to set the number of packets to display as count.

For example, you could use the following command to display packets 100 through 157 in the capture buffer:

Firewall# show capture test packet-number 100 count 57

The top portion of Figure 10-5 shows an example of a TCP packet displayed from the capture session named "test." Only the basic IP and TCP information is shown. This format is useful if you are looking at a list of packets as a record of traffic flow.

Figure 10-5. Examples of Different show capture Output Formats

To see more detail about the captured packets, you can add the detail keyword to the show capture command. The same sample packet is shown in the middle of Figure 10-5. Here, the source and destination MAC addresses are shown along with the IP addresses. Many IP and TCP fields contained in the packet are also shown.

Until this point, only the packet header information has been displayed. You can also see the contents of the packet payload (up to packet-length bytes, as given in the capture command) by using the dump keyword. The bottom portion of Figure 10-5 shows the sample packet in the dumpformat.

The captured IP packet contents are shown as a hexadecimal decode, along with the ASCII equivalent of each byte.

Using a Capture Session to Display Trunk Contents

You can also use a capture session to capture and decode packets traveling over a trunking interface. In the following example, interface ethernet0 is configured as an 802.1Q trunk, passing VLANs 41 (interface dmz3) and 998 (interface outside). A capture session named "trunk-test" is enabled on the outside interface, with no access list as a filter:

PIX 6.x

Firewall(config)# interface ethernet0 auto Firewall(config)# interface ethernet0 vlan41 physical Firewall(config)# interface ethernet0 vlan998 logical Firewall(config)# nameif vlan998 outside security0 Firewall(config)# nameif vlan41 dmz3 security20 Firewall(config)# exit Firewall# capture trunk-test interface outside

PIX 7.x

Firewall(config)# interface ethernet0 Firewall(config-if)# no shutdown Firewall(config-if)# interface ethernet0.41 Firewall(config-if)# vlan 41 Firewall(config-if)# nameif dmz3 Firewall(config-if)# security-level 20 Firewall(config-if)# interface ethernet0.998 Firewall(config-if)# vlan 998 Firewall(config-if)# nameif outside Firewall(config-if)# security-level 0 Firewall(config-if)# exit Firewall(config)# exit Firewall# capture trunk-test interface outside

When the capture buffer is displayed, notice how each packet is shown along with its 802.1Q VLAN number tag:

Firewall# show capture trunk-test 4434 packets captured 00:52:55.034116 802.1Q vlan#998 P0 arp reply 172.16.89.191 is-at 0:d:28:a7:83:80 (0:d:28:a7:83:80) 00:52:55.034589 802.1Q vlan#998 P0 arp reply 172.16.89.191 is-at 0:c:30:10:26:0 (0:c:30:10:26:0) 00:52:55.860902 802.1Q vlan#998 P0 arp who-has 172.16.89.253 tell 128.163.89.11 00:52:55.860978 802.1Q vlan#998 P0 arp who-has 172.16.89.254 tell 128.163.89.11 00:53:01.841844 802.1Q vlan#998 P0 172.21.4.6.3862 > 172.16.89.161.23: S 2411823264:2411823264(0) win 65520 <mss 1260,nop,nop,sackOK> [output deleted]

Some firewall documentation explains that you should configure the capture session to collect only VLAN or 802.1Q EtherTypes by adding the vlan or 802.1q keywords, respectively. As of PIX 6.3(3), this isn't necessary. The firewall interprets the 802.1Q encapsulation correctly with a normal capture session definition.

Copying Capture Buffer Contents

Sometimes you might find that viewing the contents of a capture buffer from a command-line interface (CLI) becomes too cumbersome or confusing. This can happen when the capture buffer becomes very largetoo large to navigate with CLI commands or display filters.

At other times, the capture buffer might contain useful information that deserves further review. For example, you might have a PC-based tool that can import captured data for viewing and analysis. You also might want to archive the capture buffer for future use. You can extract a capture buffer from a firewall in several ways, as discussed in the following sections.

Copying to an External TFTP Server

You can copy a capture session to a TFTP server with the following command:

Firewall# copy capture:capture-name tftp://server/path [pcap]

The entire buffer from the capture session named capture-name is copied to the TFTP server at IP address server into the file and directory defined by path, which is relative to the TFTP server's root directory.

In the following, the capture session named bigtest is copied to the TFTP server at 192.168.254.10 as file bigtest in the TFTP root directory:

Firewall# copy capture:bigtest tftp://192.168.254.10/bigtest

The resulting capture file contains the same text that is seen with the show capture command. You can also save the capture buffer in the PCAP format, which can be imported into many network analysis tools. To do this, add the pcap keyword.

TIP

The PCAP capture file format is used by the tcpdump analysis utility. It can be imported directly into the Ethereal network analysis application. It can also be converted and imported into other commercial network analysis tools. You can go to http://www.tcpdump.org for more information about tcpdump and PCAP. See http://www.ethereal.com for more about the Ethereal application.

Copying the Capture Buffer to a Web Browser

From a web browser, you can display a capture buffer as if you had used the show capture command. You also can download the capture buffer in PCAP format and save it as a fileall without leaving your web browser and without needing a TFTP server running on your PC. Follow these steps to accomplish this:

1.

Enable the HTTP server on the firewall:

Firewall(config)# http ip-address subnet-mask interface Firewall(config)# http enable The firewall's HTTP server allows connections from the ip-address and subnet-mask locations, originating on the firewall interface named interface. Usually, it is best to enable HTTP access only on a secure or trusted interface.

2.

Open a web browser to this URL:

https://firewall_address/capture/capture_name[/pcap]

The capture web page is found at the firewall interface given by IP address firewall-address. The capture session named capture_name is downloaded to the browser window, as if you had used the show capture firewall command. As soon as the text is displayed, you can save it in a file through your browser application.

Figure 10-6 shows the capture session named Aserver-in from the firewall at 192.168.254.1 displayed in a browser window.

Figure 10-6. Displaying a Capture Buffer in a Web Browser

You can also use the web browser to download the capture buffer as a file in PCAP format. To do this, add the /pcap keyword to the end of the URL. This time, the browser automatically fetches the capture file rather than displaying the capture text. Figure 10-7 shows an example of saving the capture session named icmp from the firewall at 192.168.254.1 to the local machine. Notice that the browser saves the capture data to a file called pcap by default. You can change the filename and location through the web browser's file download dialog box.

Figure 10-7. Downloading a Capture Buffer Through a Web Browser

As soon as you have the capture file downloaded in PCAP format, you can use a network analysis tool to examine and interpret the contents. For example, Ethereal is a free network protocol analyzer (http://www.ethereal.com) that can import PCAP files directly. Figure 10-8 shows how Ethereal has been used to open the sample Aserver-in capture file.

Figure 10-8. A Sample Capture Buffer Opened in Ethereal

Likewise, you can use other commercial protocol analyzers as long as they can convert or import the PCAP file format. Figures 10-9 and 10-10 show how the EtherPeek NX protocol analyzer (http://www.wildpackets.com) can be used to convert and import the capture file. Notice that the ProConvert tool is used first to convert the PCAP (tcpdump) file into EtherPeek format.

Figure 10-9. Using the WildPackets ProConvert Capture Conversion Utility

Figure 10-10. A Sample Capture Buffer Opened in EtherPeek NX

Controlling a Capture Session

After a capture session is defined and activated, you might need to stop it as soon as some interesting data is captured. You might also want to clear the buffer so that new data can be captured in an empty buffer. When you are finished with a capture session, you need to delete it.

You can use the following commands to control an existing capture session:

Firewall# clear capture capture_name

Empties the capture buffer and retains the session

Firewall# no capture capture_name interface if_name

Stops the capture, detaches it from the interface, and retains the capture session and buffer

Firewall# no capture capture_name access-list acl_name

Stops the capture, detaches the access list from it, and retains the capture session and buffer

Firewall# no capture capture_name

Deletes a capture session and the capture buffer

A Capture Example

A firewall separates a web server on the inside from a user on the outside. The web server has worked correctly in the past, but users are calling to complain that they can't get the server to respond with valid browser content. Naturally, the user believes the firewall is to blame!

You find that you can ping both the user and the web server from the firewall. As well, the outside user can ping the web server through the firewall. After inspecting the firewall configuration, you also find that the address translation and access list definitions look correct. You also spend some time searching the Syslog archives for any messages that might indicate that the firewall is somehow blocking the HTTP connections. Unfortunately, you don't see anything interesting.

The capture feature can provide some low-level data about this problem. Because you can configure multiple capture sessions, it is wise to capture this traffic flow on both the outside and inside interfaces. If you can see what packets have arrived on both sides of the firewall, you're more likely to see the traffic from the firewall's perspective.

First, you configure two access listsone for each firewall interface, configured to permit traffic between the user's PC and the web server. These access lists will trigger the capture for packets that match the permit statements.

Figure 10-11 shows a simple network diagram of this scenario. The web server is at 172.19.32.9 (the local address) on the inside, and it has a static translation to 10.4.4.10 (the global address) on the outside. The user PC is at 10.4.4.33 on the outside.

Figure 10-11. A Network Diagram for the Capture Example

You define the following access lists:

Firewall(config)# access-list cap_outside permit ip any host 10.4.4.10 Firewall(config)# access-list cap_outside permit ip host 10.4.4.10 any Firewall(config)# access-list cap_inside permit ip any host 172.19.32.9 Firewall(config)# access-list cap_inside permit ip host 172.19.32.9 any

Next, you define and enable the two capture sessions:

Firewall# capture web_inside access-list cap_inside interface inside Firewall# capture web_outside access-list cap_outside interface outside

Now you instruct the user to try opening a web browser to the web server's URL. As soon as that happens, you can display the contents of both capture buffers as follows:

Firewall# show capture web_outside 2 packets captured 19:24:27.241885 10.4.4.33.1193 > 10.4.4.10.80: S 3375443541:3375443541(0) win 4096 <mss 1460> 19:24:27.242403 10.4.4.10.80 > 10.4.4.33.1193: R 917139784:917139784(0) ack 3375443542 win 0

Here, only two packets are seen at the firewall's outside interface:

  • A packet from the user's PC to the web server (TCP port 80) with the TCP SYN flag set (S).

  • A reply from the web server address to the user's PC.

Why are there only two packets when there should be at least a three-way TCP handshake? A clue is present, because the return packet has the TCP RST flag set (R). Something has caused the connection to be reset before it has been established.

A look at the capture on the inside interface might provide some evidence about who is resetting the HTTP connections:

Firewall# show capture web_inside 2 packets captured 19:23:56.171469 10.4.4.33.1192 > 172.19.32.9.80: S 2178639828:2178639828(0) win 4096 <mss 1380> 19:23:56.171759 172.19.32.9.80 > 10.4.4.33.1192: R 0:0(0) ack 2178639829 win 0

Again, only two packets are seen at the inside interface. The reply packet that has reset the connection did indeed come from the web server's IP address on the inside. In fact, the RST flag (R) was already set when the packet arrived at the firewall's inside interface. Therefore, you can conclude that something is misconfigured on the web server that causes it to deny or reset every HTTP connection. The problem is not within the firewall.

Using Debug Packet

In FWSM 2.x and PIX 6.x, you can enable a single debug packet session so that the firewall reports how it has handled packets from specific traffic flows. This feature is not available beginning with PIX 7.x.

Only the debug messages are displayed to the trace channel, or the first active Telnet session open to the firewall. No packets are captured or stored during the debug packet session. However, the packet header and upper-layer protocol headers are shown in the debug messages. As well, up to 50 bytes of the packet payload contents are displayed in hex and ASCII.

TIP

A debug session can impact the performance of a busy firewall. The firewall must match packets as it inspects them and generate the appropriate debug information. Obviously, adding this process to the Adaptive Security Algorithm can also add significant delays to the firewall's throughput. Because debug output is also sent to a management session interactively, as matching packets are forwarded, a terminal session can become so congested with output that it becomes unusable.

As soon as the debug output begins, be ready to stop it by entering the no debug packet interface-name command.

If your terminal session is unresponsive and you can't enter the command, start a new terminal session (preferably through Telnet or SSH) and enter the command from there.

Be aware that the no debug all and undebug all commands have no effect on the debug packet session. Debug packet is a special type of debug session and must be disabled explicitly.

You can define and activate a packet debug session with the following command:

Firewall# debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto {tcp | udp} [sport src_port] [dport dest_port]] [rx | tx | both]

The debug process displays only packets matching a set of parameters. The packets also must pass through the firewall interface named if_name (outside, for example) in the receive direction (rx, or inbound), the transmit direction (tx, or outbound), or either direction (both, inbound or outbound).

You can (and should) be as specific as possible in identifying the debugged traffic. You can use the src and dst keywords to specify the source address and destination address, respectively. If you also provide a netmask, it follows the normal subnet mask format (a 1 bit matches, and a 0 bit is a wildcard). You can match a protocol as ICMP (proto icmp), UDP (proto udp), or TCP (proto tcp), and the source and destination port numbers (sport and dport) if needed.

You can select the traffic direction, relative to the interface if_name, as receive only (rx), transmit only (tx), or in both directions (both).

As a simple example, the following debug packet command is used to verify how a firewall handles an ICMP echo request from a host on the outside (172.21.4.6) to a host on the inside (global address 10.63.89.161, local address 192.168.199.100):

Firewall# debug packet outside dst 10.63.89.161 both --------- PACKET --------- -- IP -- 172.21.4.6==>10.63.89.161 ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c id = 0xf3a8 flags = 0x0 frag off=0x0 ttl = 0x7e proto=0x1 chksum = 0xbeb8 -- ICMP -- type = 0x8 code = 0x0 checksum=0x485c identifier = 0x400 seq = 0x100 -- DATA -- 00000010: 61 62 63 64 | abcd 00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst 00000030: 75 76 77 61 62 63 64 65 66 67 68 69 a1 | uvwabcdefghi. --------- END OF PACKET --------- --------- PACKET --------- -- IP -- 172.21.4.6==>192.168.199.100 ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c id = 0xf3a8 flags = 0x0 frag off=0x0 ttl = 0x7e proto=0x1 chksum = 0x10f0 -- ICMP -- type = 0x8 code = 0x0 checksum=0x485c identifier = 0x400 seq = 0x100 -- DATA -- 00000010: 61 62 63 64 | abcd 00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst 00000030: 75 76 77 61 62 63 64 65 66 67 68 69 a1 | uvwabcdefghi. --------- END OF PACKET --------- --------- PACKET --------- -- IP -- 192.168.199.100==>172.21.4.6 ver = 0x4 hlen = 0x5 tos = 0x0 tlen = 0x3c id = 0xf3a8 flags = 0x0 frag off=0x0 ttl = 0xff proto=0x1 chksum = 0x8fef -- ICMP -- type = 0x0 code = 0x0 checksum=0x505c identifier = 0x400 seq = 0x100 -- DATA -- 00000010: 61 62 63 64 | abcd 00000020: 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 | efghijklmnopqrst 00000030: 75 76 77 61 62 63 64 65 66 67 68 69 a1 | uvwabcdefghi. --------- END OF PACKET --------- Firewall# no debug packet outside

Notice that the first inbound packet is destined for the global address of the internal host. The firewall displays the second packet when it performs the address translation, with a new destination of the local address. The third packet is the echo reply from the internal host.

    Категории