This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reading output between FW and router


We have a server looking to communicate through both a firewall and a router set up with a VPN to a remote public address on a certain port. The opposite end complains that they can send and receive traffic successfully when they initiate the connection from their end but cannot see traffic when we initiate. The setup is as follows:

Server > Firewall > router (with IPsec VPN tunnel) > Internet < router (with IPsec VPN tunnel) < RemoteServer

We do not have access to the local VPN router's configs so we want to make sure traffic is getting to it from our firewall properly for it to then transmit across the net to the remote end.

Let's say our server at 192.168.aaa.aa2/24 initiates the communication by sending a request to the end IP of 157.xxx.xxx.xx5 on port 32xxx. The packet's first checkpoint is the firewall, where it gets translated from the internal interface of the firewall (192.168.aaa.aa1/24) to the external interface (192.168.bbb.bb2/30), which faces the internal interface of the VPN router (192.168.bbb.bb1/30). So, with Wireshark sitting between the firewall's external interface and the VPN router's internal interface, we see traffic with a source address of 192.168.bbb.bb2 and a destination address of 157.xxx.xxx.xx5, but then it gets confusing as far as ports go when we see this: 49xxx > 32xxx. It's a SYN packet with the source port as 49xxx and the destination port as the intended target port of the remote end, which is 32xxx.

The question is, what does this mean and what should the VPN router see coming from the firewall? Is there a NAT that is not happening properly? The 49xxx number varies and I'm not sure where that number is coming from. Any assistance would help. Thanks.

asked 19 Jun '13, 06:54


johnnybiggles
accept rate: 0%


One Answer:


The opposite end complains that they can send and receive traffic successfully when they initiate the connection from their end but cannot see traffic when we initiate.

That's because of the NAT on your firewall.

Explanation:

They connect:

Regards
Kurt

answered 19 Jun '13, 07:45


Kurt Knochner ♦
accept rate: 15%

edited 19 Jun '13, 07:45
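An added worked example for this thread (not part of the original Q&A, and not Wireshark's or either poster's code): the SYN seen between the firewall and the VPN router with source 192.168.bbb.bb2:49xxx is exactly what a source-NAT firewall should emit. NAT rewrites the source address (and sometimes the source port) but leaves the TCP initial sequence number alone, and 49xxx is just the client's ephemeral port from the IANA dynamic range 49152-65535. The script below uses the preserved ISN to correlate SYNs captured on the inside of the firewall with those captured on the outside, and reports for each one whether it was translated, whether the port was preserved, and whether a SYN/ACK ever came back, which is the check the question asks for. The input lines are constructed here in the shape of `tshark -T fields` output; the addresses (RFC 5737 documentation ranges), ports and the `NAT_IP` value are assumptions standing in for the masked values in the question.

```python
"""Correlate TCP SYNs across a source-NAT boundary (added example, not from the thread).

Input mimics `tshark -r cap -T fields -e frame.time_relative -e ip.src -e tcp.srcport
-e ip.dst -e tcp.dstport -e tcp.flags -e tcp.seq_raw` (tab separated).  All packets,
addresses and ports below are constructed; NAT_IP is the assumed firewall outside IP.
"""
from dataclasses import dataclass

# RFC 6335 dynamic/private ("ephemeral") range: a 49xxx source port on a SYN is
# simply the client OS picking a free port from here for the new connection.
EPHEMERAL = range(49152, 65536)
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Segment:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int  # raw ISN; plain SNAT never rewrites it, so it survives the firewall

    @property
    def is_syn(self) -> bool:
        return bool(self.flags & SYN) and not self.flags & ACK

    @property
    def is_synack(self) -> bool:
        return self.flags & (SYN | ACK) == SYN | ACK


def parse_tshark_fields(text: str) -> list[Segment]:
    """Parse tab-separated tshark field lines; tcp.flags is hex ("0x0002")."""
    segs = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags, seq = line.split("\t")
        segs.append(Segment(float(t), src, int(sport), dst, int(dport),
                            int(flags, 16), int(seq)))
    return segs


def verdict(e: dict) -> str:
    """Heuristic reading of one flow (assumption: inside/outside caps are simultaneous)."""
    if e["outside"] is None:
        return "SYN never left the firewall: check firewall policy and logs"
    if not e["snat_ok"]:
        return "SYN left untranslated: NAT rule not matching, VPN selectors will not match"
    if e["reply"]:
        return "translated and answered: path through the VPN is fine"
    return "translated but unanswered: look at/after the VPN router (tunnel selectors, remote side)"


def correlate(inside: list[Segment], outside: list[Segment], nat_ip: str) -> list[dict]:
    """Match each outbound SYN seen inside the firewall to its copy seen outside.

    Key is (dst, dport, ISN): source IP and port may change under NAT, the ISN does not.
    A SYN/ACK on the outside addressed to the translated tuple proves the far end replied.
    """
    outside_syns: dict = {}
    for s in outside:
        if s.is_syn:
            outside_syns.setdefault((s.dst, s.dport, s.seq), s)  # first copy, ignore retransmits
    synacks = {(s.dst, s.dport, s.src, s.sport) for s in outside if s.is_synack}

    report = []
    for s in inside:
        if not s.is_syn:
            continue
        m = outside_syns.get((s.dst, s.dport, s.seq))
        e = {"inside": f"{s.src}:{s.sport}", "target": f"{s.dst}:{s.dport}",
             "ephemeral_sport": s.sport in EPHEMERAL, "outside": None,
             "snat_ok": False, "port_preserved": None, "reply": False}
        if m is not None:
            e["outside"] = f"{m.src}:{m.sport}"
            e["snat_ok"] = m.src == nat_ip
            e["port_preserved"] = m.sport == s.sport
            e["reply"] = (m.src, m.sport, m.dst, m.dport) in synacks
        e["verdict"] = verdict(e)
        report.append(e)
    return report


# Constructed sample captures: server 192.0.2.10 behind a firewall whose outside
# interface is 203.0.113.2; remote hosts 198.51.100.5/.9.  Flow 1 is translated and
# answered, flow 2 is translated (port rewritten) but never answered, flow 3 is dropped.
INSIDE_CAP = """\
0.000000\t192.0.2.10\t49871\t198.51.100.5\t32500\t0x0002\t1000001
0.000900\t192.0.2.10\t49872\t198.51.100.5\t32501\t0x0002\t2000002
0.001800\t192.0.2.10\t49873\t198.51.100.9\t443\t0x0002\t3000003
0.041000\t198.51.100.5\t32500\t192.0.2.10\t49871\t0x0012\t7000007
"""
OUTSIDE_CAP = """\
0.000120\t203.0.113.2\t49871\t198.51.100.5\t32500\t0x0002\t1000001
0.001010\t203.0.113.2\t61001\t198.51.100.5\t32501\t0x0002\t2000002
0.040500\t198.51.100.5\t32500\t203.0.113.2\t49871\t0x0012\t7000007
1.001020\t203.0.113.2\t61001\t198.51.100.5\t32501\t0x0002\t2000002
"""
NAT_IP = "203.0.113.2"  # assumed firewall external interface

if __name__ == "__main__":
    for row in correlate(parse_tshark_fields(INSIDE_CAP), parse_tshark_fields(OUTSIDE_CAP), NAT_IP):
        print(f'{row["inside"]} -> {row["target"]} via {row["outside"]}: {row["verdict"]}')
```

To use it on real traffic, capture simultaneously on the server side of the firewall and on the link to the VPN router, export both with the `tshark -T fields` invocation in the docstring, and feed the two outputs in; a flow that shows up translated to the firewall's outside address but never draws a SYN/ACK is the evidence the question is after, because it puts the fault past the firewall.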

When we spoke with them, we had them configure the VPN router to communicate with our external interface of the firewall instead of the server so it should expect traffic from that address already translated as the source. So could you explain more in detail what you mean and a possible workaround if what we have is not correct?

(19 Jun '13, 07:54) johnnybiggles