cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
695
Views
0
Helpful
9
Replies

How to tell if traffic is bypassing FW or not?

mahesh18
Frequent Contributor
Frequent Contributor

Hi Everyone,

We have some customer sites.

Some traffic goes through the FW  and some does not touch the fw.

Is there any way that i can determine which subnets or IP address does not touch the FW  means it bypass the traffic.

hope it makes sense.

Thanks

Mahesh

4 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

It's probably best to start with the routes on the FW and see if there is any routes for those subnet that do not touch the FW, then you can be sure that it is not going through the FW if there is no route back towards those subnets.

View solution in original post

Right, but your asa must have access lists right? Otherwise why is it there?

You can create entries in the inbound and outbound access lists which permit the traffic. If they are not already there.
When you do a show access-list it also shows you the hitcnt for each rule. If the traffic is going through it will increment. If not it will stay 0.
This will use less resources than a packet capture and can be left in place.

Sent from Cisco Technical Support iPad App

View solution in original post

Hello Mahesh,

You can do captures to correlate what packets reach the ASA,

Check the routing table on the devices on X subnet ( to check if the packet's have the ASA as a next hop)

Configure the ASA to decrement the TTL field ( so it's not transparent any more for the traceroute and perform traceroutes from the clients PC

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Hi Mahesh,

Yes, you are right.

Check the routing table on the ASA and see if there is any specific routes configured or all the routes are with larger mask. If most routes are specific routes configured on the ASA, then you can savely say that those subnets that are not in the routing table of the ASA does not pass through the ASA.

Hope that helps.

View solution in original post

9 Replies 9

Jennifer Halim
Cisco Employee
Cisco Employee

It's probably best to start with the routes on the FW and see if there is any routes for those subnet that do not touch the FW, then you can be sure that it is not going through the FW if there is no route back towards those subnets.

you can check through the packet capture on cisco firewall for that subnet.... for which you have dowubt....

Hi Jeniffer,

Thanks for reply.

ASA is not using dynamic routing protocols.

So i can look to static routes like route outside x.x.x.x  and then figure out if traffic is bypassing ASA  or not right?

Please confirm

Thanks

MAhesh

Hi Mahesh,

Yes, you are right.

Check the routing table on the ASA and see if there is any specific routes configured or all the routes are with larger mask. If most routes are specific routes configured on the ASA, then you can savely say that those subnets that are not in the routing table of the ASA does not pass through the ASA.

Hope that helps.

Hi Jeniffer & others

Many thanks to everyone for their reply back

Regards

Mahesh

Stuart Gall
Beginner
Beginner

If you show access-list and the hit count is 0 the traffic is not going through

You can also add specific permits in front of general permits to narrow the issue down a bit further

Sent from Cisco Technical Support iPad App

mahesh18
Frequent Contributor
Frequent Contributor

Hi Stuart,

My question was

I mean to say that we have client where certain traffic goes through the ASA  and some traffic bypass the ASA  - i mean never

touches the ASA.So how can we check which subnets  bypass the ASA.

Thanks

MAhesh

Right, but your asa must have access lists right? Otherwise why is it there?

You can create entries in the inbound and outbound access lists which permit the traffic. If they are not already there.
When you do a show access-list it also shows you the hitcnt for each rule. If the traffic is going through it will increment. If not it will stay 0.
This will use less resources than a packet capture and can be left in place.

Sent from Cisco Technical Support iPad App

Hello Mahesh,

You can do captures to correlate what packets reach the ASA,

Check the routing table on the devices on X subnet ( to check if the packet's have the ASA as a next hop)

Configure the ASA to decrement the TTL field ( so it's not transparent any more for the traceroute and perform traceroutes from the clients PC

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers