
We have a server looking to communicate through both a firewall and a router set up with a VPN to a remote public address on a certain port. The opposite end complains that they can send and receive traffic successfully when they initiate the connection from their end but cannot see traffic when we initiate. The setup is as follows:

Server > Firewall > router (with IPsec VPN tunnel) > Internet < router (with IPsec VPN tunnel) < RemoteServer

We do not have access to the local VPN router's configs so we want to make sure traffic is getting to it from our firewall properly for it to then transmit across the net to the remote end.

Let's say our server at 192.168.aaa.aa2/24 initiates the communication by sending a request to the end IP of 157.xxx.xxx.xx5 on port 32xxx. The packet's first checkpoint is the firewall, where it gets translated from the internal interface of the firewall (192.168.aaa.aa1/24) to the external interface (192.168.bbb.bb2/30), which faces the internal interface of the VPN router (192.168.bbb.bb1/30). So, with Wireshark sitting between the firewall's external interface and the VPN router's internal interface, we see traffic with a source address of 192.168.bbb.bb2 and destination address of 157.xxx.xxx.xx5, but then it gets confusing as far as ports go when we see this: 49xxx > 32xxx. It's a SYN packet with the source port as 49xxx and destination port as the intended target port of the remote end, which is 32xxx.

The question is, what does this mean and what should the VPN router see coming from the firewall? Is there a NAT that is not happening properly? The 49xxx number varies and I'm not sure where that number is coming from. Any assistance would help. Thanks.

asked 19 Jun '13, 06:54

johnnybiggles
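To make the "49xxx > 32xxx" observation concrete, here is a small model of the hop the question describes: the server picks an ephemeral source port, the firewall's source NAT rewrites the source address to its external interface (keeping the source port when it is free, remapping it only on a collision), and the destination port stays 32xxx. This is an added example, not code from the original post or from either party's firewall or VPN router. The addresses (192.168.10.2, 192.168.20.2, 203.0.113.5), the ports (32000, 49200) and the port-preserving masquerade behaviour are assumptions standing in for the masked values in the question; real firewalls differ in when they rewrite the source port.

```python
"""Model of the source-NAT hop between the server and the VPN router.

Added example; addresses and ports are assumptions standing in for the
masked values in the question (RFC 1918 and RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Dynamic ("ephemeral") ranges a client OS picks its source port from for
# each new outbound connection; this is where the varying 49xxx comes from.
IANA_EPHEMERAL = (49152, 65535)   # RFC 6335 dynamic range; Windows Vista and later default
LINUX_EPHEMERAL = (32768, 60999)  # Linux default net.ipv4.ip_local_port_range


def is_ephemeral(port: int) -> bool:
    """True if the port lies in a common client-side dynamic range."""
    return any(lo <= port <= hi for lo, hi in (IANA_EPHEMERAL, LINUX_EPHEMERAL))


@dataclass(frozen=True)
class TcpSegment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False

    def __str__(self) -> str:
        names = [n for n, on in (("SYN", self.syn), ("ACK", self.ack)) if on]
        return f"{self.src_ip}:{self.src_port} > {self.dst_ip}:{self.dst_port} [{','.join(names)}]"


class SourceNat:
    """Stateful source NAT (masquerade) on a firewall's outside interface.

    Outbound segments get their source address rewritten to the outside
    address; the source port is kept when free and otherwise remapped into
    the IANA dynamic range. Inbound segments are mapped back only when they
    match a recorded translation (assumed behaviour, typical of stateful NAT).
    """

    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self._out: Dict[Tuple[str, int, str, int], int] = {}       # inside flow -> outside port
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (out_port, dst) -> inside

    def outbound(self, seg: TcpSegment) -> TcpSegment:
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        out_port = self._out.get(key)
        if out_port is None:
            out_port = seg.src_port
            # Another inside host may already use this port towards the same
            # destination; pick the next free port in the dynamic range.
            while (out_port, seg.dst_ip, seg.dst_port) in self._in:
                out_port = out_port + 1 if out_port < IANA_EPHEMERAL[1] else IANA_EPHEMERAL[0]
            self._out[key] = out_port
            self._in[(out_port, seg.dst_ip, seg.dst_port)] = (seg.src_ip, seg.src_port)
        return replace(seg, src_ip=self.outside_ip, src_port=out_port)

    def inbound(self, seg: TcpSegment) -> Optional[TcpSegment]:
        """Reverse-map a reply; returns None (dropped) when no state exists."""
        if seg.dst_ip != self.outside_ip:
            return None
        inside = self._in.get((seg.dst_port, seg.src_ip, seg.src_port))
        if inside is None:
            return None
        return replace(seg, dst_ip=inside[0], dst_port=inside[1])


INSIDE_SERVER = "192.168.10.2"   # assumption, stands in for 192.168.aaa.aa2
FW_OUTSIDE = "192.168.20.2"      # assumption, stands in for 192.168.bbb.bb2
REMOTE = "203.0.113.5"           # assumption, stands in for 157.xxx.xxx.xx5
REMOTE_PORT = 32000              # assumption, stands in for 32xxx


def our_side_initiates(nat: SourceNat, client_port: int = 49200):
    """Server opens a connection; returns (SYN inside, SYN on the wire, SYN/ACK mapped back)."""
    syn = TcpSegment(INSIDE_SERVER, client_port, REMOTE, REMOTE_PORT, syn=True)
    on_wire = nat.outbound(syn)  # what a capture between firewall and VPN router shows
    synack = TcpSegment(REMOTE, REMOTE_PORT, FW_OUTSIDE, on_wire.src_port, syn=True, ack=True)
    return syn, on_wire, nat.inbound(synack)


def display_filter(outside_ip: str, remote_ip: str, remote_port: int) -> str:
    """Wireshark display filter isolating the translated outbound SYNs at the capture point."""
    return (f"ip.src == {outside_ip} && ip.dst == {remote_ip} && "
            f"tcp.dstport == {remote_port} && tcp.flags.syn == 1 && tcp.flags.ack == 0")


if __name__ == "__main__":
    nat = SourceNat(FW_OUTSIDE)
    syn, on_wire, back = our_side_initiates(nat)
    print("inside :", syn)
    print("on wire:", on_wire, "(ephemeral source port)" if is_ephemeral(on_wire.src_port) else "")
    print("reply  :", back)
    print("filter :", display_filter(FW_OUTSIDE, REMOTE, REMOTE_PORT))
```

The `display_filter` string is what to apply in Wireshark at the point between the firewall and the VPN router: if the translated SYNs appear there with the external interface as source and 32xxx as destination port, the firewall has done its part, and whether a SYN/ACK ever comes back through the tunnel is the next thing to look for.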


The opposite end complains that they can send and receive traffic successfully when they initiate the connection from their end but cannot see traffic when we initiate.

That's because of the NAT on your firewall.

Explanation:

They connect:

Regards
Kurt


answered 19 Jun '13, 07:45

Kurt Knochner ♦

edited 19 Jun '13, 07:45

When we spoke with them, we had them configure the VPN router to communicate with our external interface of the firewall instead of the server so it should expect traffic from that address already translated as the source. So could you explain more in detail what you mean and a possible workaround if what we have is not correct?

(19 Jun '13, 07:54) johnnybiggles


last updated: 19 Jun '13, 12:07
