11-07-2012 08:36 PM - edited 03-11-2019 05:20 PM
Hi Everyone,
We have some customer sites.
Some traffic goes through the FW and some does not touch the FW.
Is there any way that I can determine which subnets or IP addresses do not touch the FW, meaning the traffic bypasses it?
Hope it makes sense.
Thanks
Mahesh
11-07-2012 11:58 PM
It's probably best to start with the routes on the FW and see if there are any routes for those subnets that do not touch the FW; then you can be sure that it is not going through the FW if there is no route back towards those subnets.
11-08-2012 12:53 PM
Right, but your ASA must have access lists, right? Otherwise why is it there?
You can create entries in the inbound and outbound access lists which permit the traffic, if they are not already there.
When you do a show access-list it also shows you the hitcnt for each rule. If the traffic is going through it will increment. If not it will stay 0.
This will use fewer resources than a packet capture and can be left in place.
Sent from Cisco Technical Support iPad App
11-08-2012 01:13 PM
Hello Mahesh,
You can do captures to correlate what packets reach the ASA.
Check the routing table on the devices on X subnet (to check if the packets have the ASA as a next hop).
Configure the ASA to decrement the TTL field (so it's not transparent any more for the traceroute) and perform traceroutes from the client's PC.
Regards,
Julio
11-08-2012 03:39 PM
Hi Mahesh,
Yes, you are right.
Check the routing table on the ASA and see if there are any specific routes configured or all the routes are with larger masks. If most routes are specific routes configured on the ASA, then you can safely say that those subnets that are not in the routing table of the ASA do not pass through the ASA.
Hope that helps.
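As an added illustration (not code from the thread or from Cisco), the following Python script applies the two checks given above to constructed sample output of show route and show access-list: it longest-prefix matches each customer subnet against the routes the ASA holds, and then reads the hitcnt of the ACL line for that subnet. The sample output, the ACL name inside_in and the subnet list are all made up, and the hitcnt lookup assumes one ACL line whose source network is exactly the subnet being checked.

```python
import ipaddress
import re

# Constructed sample "show route" output from an ASA (made up for this example).
SHOW_ROUTE = """
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
S    10.20.0.0 255.255.0.0 [1/0] via 10.1.1.2, inside
S    192.168.50.0 255.255.255.0 [1/0] via 10.1.1.2, inside
"""
# Constructed sample "show access-list" output; hitcnt is the counter the thread relies on.
SHOW_ACL = """
access-list inside_in line 1 extended permit ip 10.20.0.0 255.255.0.0 any (hitcnt=1532) 0x1a2b3c4d
access-list inside_in line 2 extended permit ip 192.168.50.0 255.255.255.0 any (hitcnt=0) 0x5e6f7a8b
"""
ROUTE_RE = re.compile(r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")
ACL_RE = re.compile(r"permit \S+ (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) .*\(hitcnt=(\d+)\)")

def parse_routes(text):
    # [(network, route code, rest of line)] for every "code network mask ..." line
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), m.group(1), m.group(4)))
    return routes

def parse_hitcounts(text):
    # {"a.b.c.d/len": hitcnt} keyed by the ACL entry's source network
    hits = {}
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            hits[str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))] = int(m.group(3))
    return hits

def classify(subnet, routes, hits):
    # longest-prefix match against the ASA routes, then consult the ACL counter
    net = ipaddress.ip_network(subnet)
    matches = [r for r in routes if net.subnet_of(r[0])]
    if not matches:
        return "no route: the ASA cannot return traffic to this subnet, it bypasses the FW"
    best = max(matches, key=lambda r: r[0].prefixlen)
    if best[0].prefixlen == 0:
        return "default route only: no specific return route, treat as bypassing the FW"
    hit = hits.get(str(net))
    if hit is None:
        return f"specific route ({best[2]}) but no ACL line for it: add a permit and re-check"
    return f"specific route ({best[2]}), hitcnt={hit}: " + ("no traffic seen" if hit == 0 else "passes through the ASA")
```

Run it against the real show route and show access-list output captured from the ASA; a subnet reported as "default route only" is the case Jennifer describes, where the absence of a specific route means the return traffic never crosses the ASA.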
11-08-2012 06:25 AM
You can check through the packet capture on the Cisco firewall for that subnet for which you have doubt.
11-08-2012 11:04 AM
Hi Jeniffer,
Thanks for the reply.
ASA is not using dynamic routing protocols.
So I can look at static routes like route outside x.x.x.x and then figure out if traffic is bypassing the ASA or not, right?
Please confirm.
Thanks
Mahesh
11-08-2012 06:34 PM
Hi Jeniffer & others,
Many thanks to everyone for their replies.
Regards
Mahesh
11-08-2012 08:14 AM
If you show access-list and the hit count is 0, the traffic is not going through.
You can also add specific permits in front of general permits to narrow the issue down a bit further.
Sent from Cisco Technical Support iPad App
11-08-2012 11:12 AM
Hi Stuart,
My question was:
I mean to say that we have a client where certain traffic goes through the ASA and some traffic bypasses the ASA, I mean never
touches the ASA. So how can we check which subnets bypass the ASA?
Thanks
Mahesh