I need Help tracking down where packets are being dropped..

Scott Townsend
03-06-2007
I'm looking for a way to see traffic that is being dumped on a PIX VPN
connection. I have Syslog set up to log all incoming packets and denies, and
that is working, though it does not seem to be logging the packets that the
VPN does not care about.

I have a VPN between 2 PIXes and both sides have other subnets behind them

10.3.x.y
10.1.x.y
PIX
Internet
PIX
10.2.x.y
10.6.x.y


10.2 can see everything
10.6 can only see 10.2
10.1 can see 10.2, 10.3
10.3 can see 10.2, 10.1


Can I set up a capture or something in the Syslog to help me figure out
where my issue in my Config is?

Thanks,
Scott<-

Havoc 25
03-06-2007
You have many cookbooks regarding VPN scenarios on Cisco.com.

You can see dropped packets with "sh log | inc <ip address>" and open
connections with "show conn", so try to troubleshoot your connection. Also
check your routing and the ACL which defines which traffic should be encrypted,
and which traffic should be involved in NAT (if you have one).

H.

Scott Townsend
03-07-2007
Thank you for your suggestions.

Though I do not see the traffic I'm looking for.

I have a continuous ping set up from one side to the other.
Doing a "sh log | inc <src|dst>" returns nothing.

So maybe I should do this more by example.

So on my ACLs I have the Following:

access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0

So I have 5 sets of the above ACL where <ACL-Name> is one of the following:
inside_nat
cryptomap_20
cryptomap_40
nat0_inbound
nat0_outbound

nat (outside) 0 access-list nat0_inbound outside
nat (inside) 0 access-list inside_nat

group-policy PIXB internal
group-policy PIXB attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cryptomap_40

crypto map olivet-dyn-map 20 match address cryptomap_20
crypto map olivet-dyn-map 20 set peer <PIXB IP>
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside

So am I missing something? Does the order of the entries in the ACLs make a
difference?

Thanks

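Havoc's advice was to check the ACL that defines what gets encrypted. The following Python helper is an added example, not code from the thread or from Cisco: it parses "access-list NAME extended permit ip A MASK B MASK" lines in the form Scott posted and reports which subnet pairs no entry permits. The sample input is a constructed copy of the six posted lines with the wrapped lines joined and <ACL-Name> assumed to be cryptomap_20.

```python
import ipaddress

# Constructed sample: the six ACL lines from the post, joined onto single
# lines and given the assumed name cryptomap_20.
SAMPLE_ACL = """
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""


def parse_acl(text, name):
    """Return (src_net, dst_net) pairs for 'extended permit ip A MASK B MASK'
    entries of the named ACL. PIX ACLs use real netmasks (not wildcards), so
    the masks are handed to ipaddress as-is. Object-group forms are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or parts[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{parts[5]}/{parts[6]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[7]}/{parts[8]}", strict=False)
        entries.append((src, dst))
    return entries


def acl_matches(entries, src_ip, dst_ip):
    """True if some entry permits src_ip -> dst_ip (first-match semantics are
    irrelevant here because every posted entry is a permit)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def find_missing_pairs(entries, subnets):
    """List ordered (src, dst) subnet pairs that no entry permits, testing one
    representative host (the first usable address) per subnet."""
    missing = []
    for a in subnets:
        for b in subnets:
            if a == b:
                continue
            host_a = str(ipaddress.ip_network(a)[1])
            host_b = str(ipaddress.ip_network(b)[1])
            if not acl_matches(entries, host_a, host_b):
                missing.append((a, b))
    return missing


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "cryptomap_20")
    for pair in find_missing_pairs(acl, ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.6.0.0/16"]):
        print("no permit entry for", pair[0], "->", pair[1])
```

Run against the posted lines it reports that every pair involving 10.3.0.0/16 is absent in both directions, which is the kind of gap "sh log" will not show because traffic that matches no crypto ACL is never sent into the tunnel.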
Scott Townsend
03-07-2007
So I've tried re-creating all the ACLs using object groups.

Now I've managed:

10.3.x.y 10.11.x.y
router
10.1.x.y
PIX H Router O w/ FW -> PIX A
Internet Internet
PIX S
10.2.x.y
router
10.6.x.y

10.1 can't see anything at PIX B
10.11 can see all subnets at PIX B
10.3 can see 10.2

object-group network NETWORK-OLIVET-ALL
network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
network-object 10.2.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0

From each site I have ACLs in the format
PIX H
access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN

PIX S
access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-VPN

I think I need to be a member of the Hair Club for Men. I don't have much
left.

Thanks,
Scott<-
