When doing a packet capture on an adtran, as referenced here:
https://supportforums.adtran.com/thread/1442
When is the packet captured for inbound WAN traffic? Before or after the firewall?
What I want to find out is if the firewall is dropping the packet or not. If the capture happens after the firewall, the test would not be a valid test; however, if it is before the Adtran takes any firewall or NAT actions, then I should have a good test.
Thanks!
@andrew-jive - Thanks for posting your question on the forum!
To answer your question, the packet capture will show the packet before the firewall takes any action on it. For example, if you were attempting to get a packet capture of pings hitting the NetVanta WAN IP, and pings were being blocked on the firewall, you would still see the packet hit the router and in your debug before the firewall dropped it.
If the unit is running a firewall, you will probably see every packet twice (once entering the firewall & once leaving, depending on the ACL you are using); the second may be after a NAT process if NAT is enabled. Furthermore, if the traffic is across a VPN, the second packet will not be seen since it enters/leaves the router encapsulated in VPN.
Let us know if you have any further questions.
Thanks,
Noor
Noor,
Thanks. For some reason, when I capture, I'm not seeing the double you speak of for any of the inbound traffic. I do, however, see double (before and after NAT) for the outbound traffic.
All I have set up is the following:
ip access-list extended TEST
permit udp any any range 5060 5061
!
then I run:
debug ip packet TEST dump
@andrew-jive - Could you post your access-policies, ACLs referenced in the access-policies, and which interfaces they are assigned to? Please remember to remove any information that may be sensitive to your network.
Thanks,
Noor
!
!
interface eth 0/1
ip address 192.168.103.1 255.255.255.0
ip address 3.3.3.3 255.255.255.248 secondary
access-policy Private
media-gateway ip primary
no shutdown
!
!
interface t1 0/1
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
!
interface ppp 1
description ppp 1
ip address 1.1.1.2 255.255.255.252
access-policy Public
media-gateway ip primary
qos-policy out ppp1QosWizard
no shutdown
cross-connect 1 t1 0/1 1 ppp 1
!
!
!
ip access-list standard jiveAllow
remark Allow list jiveAllow
permit 4.4.4.4 0.0.3.255
permit 4.4.4.4 0.0.3.255
!
ip access-list standard srcLAN
permit 3.3.3.3 0.0.0.7
!
ip access-list standard voiceLAN
permit 192.168.103.0 0.0.0.255
!
ip access-list standard wizard-ics
remark NAT list wizard-ics
permit any
!
!
ip access-list extended adminAccess
permit tcp any host 1.1.1.2 eq ssh
permit tcp any host 1.1.1.2 eq https
permit icmp any host 1.1.1.2
!
ip access-list extended lanblock
permit ip any any
!
ip access-list extended self
remark Traffic to Total Access
permit ip any any log
!
ip access-list extended test
permit udp any any range 5060 5061
!
ip access-list extended web-acl-8
permit ip any any
!
!
ip policy-class Private
allow list self self
nat source list voiceLAN interface ppp 1 overload
allow list srcLAN
!
ip policy-class Public
allow list jiveAllow
allow list adminAccess self
allow list lanblock
!
!
Noor,
To update, I am seeing some of the traffic before and after on the inbound stream, but it turns out it's only some of it. In particular, I'm looking at the NAT keep-alives, which are SIP OPTIONs. I've got a ticket in with support. I'd like to keep this thread going, but I'm not comfortable posting the packet capture, which is what will make the rest of this thread interesting.
But in summary, I see all of the SIP OPTIONs on the outside of the firewall; the second packet you would see is after the Adtran NATs. I have several phones behind the Adtran, but I only see both packets (before and after) when the outside port is 5060. The rest of the sessions negotiate an off port; for all of these off-port sessions, you only see the packet outside of the firewall, and the packet never gets NAT'd in for some reason, it appears.
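An added example, not code from this thread or from ADTRAN: a small Python evaluator for the wildcard-mask ACL syntax in the posted config, loaded with three of the ACLs above. It shows what the `test` filter handed to `debug ip packet` does and does not select: a SIP packet to destination port 5060 matches, while a session negotiated onto an off port falls through to the implicit deny and so never reaches the dump. The addresses and ports in the checks are constructed, and the matching semantics (first match wins, wildcard bit 1 means "don't care", destination port keyword applies to the destination) are the Cisco-style semantics this syntax implies, assumed here to be what AOS implements.

```python
import ipaddress

PORT_NAMES = {"ssh": 22, "https": 443}
_ip = lambda s: int(ipaddress.IPv4Address(s))
ACLS = {  # constructed sample: entries copied from the config posted above, one per line
    "jiveAllow": ["permit 4.4.4.4 0.0.3.255"],       # standard ACL: matches on source only
    "test": ["permit udp any any range 5060 5061"],  # the ACL used as the debug capture filter
    "adminAccess": ["permit tcp any host 1.1.1.2 eq ssh", "permit tcp any host 1.1.1.2 eq https",
                    "permit icmp any host 1.1.1.2"],
}

def _addr(tokens):
    """Consume an address spec (any | host A | A WILDCARD); return (base, care_mask, rest)."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0xFFFFFFFF, tokens[2:]
    # A wildcard bit of 1 means "don't care", so the bits that must match are its inverse.
    return _ip(tokens[0]), ~_ip(tokens[1]) & 0xFFFFFFFF, tokens[2:]

def _port(tokens):
    """Consume an optional port spec (eq P | range LO HI); return ((lo, hi) or None, rest)."""
    if tokens and tokens[0] == "eq":
        p = int(PORT_NAMES.get(tokens[1], tokens[1]))
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens

def _entry_hits(entry, proto, src, dst, sport, dport):
    """Return (action, matched) for one entry; an entry with no protocol keyword is a standard ACL."""
    action, *rest = entry.split()
    eproto = rest.pop(0) if rest[0] in ("ip", "tcp", "udp", "icmp") else None
    sbase, smask, rest = _addr(rest)
    hit = (_ip(src) & smask) == (sbase & smask)
    if eproto is None:                                # standard ACL: source address only
        return action, hit
    srange, rest = _port(rest)
    dbase, dmask, rest = _addr(rest)
    drange, rest = _port(rest)                        # any trailing "log" keyword is ignored
    hit = (hit and eproto in ("ip", proto) and (_ip(dst) & dmask) == (dbase & dmask)
           and (srange is None or srange[0] <= sport <= srange[1])
           and (drange is None or drange[0] <= dport <= drange[1]))
    return action, hit

def acl_result(name, proto, src, dst, sport=0, dport=0):
    """First-match evaluation: the action of the first matching entry, implicit deny otherwise."""
    hits = (_entry_hits(e, proto, src, dst, sport, dport) for e in ACLS[name])
    return next((action for action, hit in hits if hit), "deny")
```

Running `acl_result("test", "udp", "4.4.4.4", "1.1.1.2", 5060, 10000)` returns "deny", which is why a capture keyed on that ACL cannot show what happens to the off-port sessions; widening the capture ACL (or capturing on the phone's inside port) is the check to make before concluding the firewall dropped them.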