12-21-2009 07:53 PM - edited 03-04-2019 07:02 AM
I am having a problem routing ip traffic with port numbers from one LAN to another.
I have two networks 192.168 and 10.100. I can successfully connect to devices from the 192 network to the 10 network and from the 10 network to the 192 network. I am also able to access the internet via a proxy sitting on the 192 network from the 10 network.
My problem is that when I try to connect to an IP using a specific port number (for example FTP), I am unable to connect from the 10 network to an FTP server on the 192 network. I am also unable to connect from the 10 network to an FTP server on the internet.
To complicate matters, I am unable to determine the route the FTP traffic is taking (from the 1 network). I have placed Wireshark on the 10 network and the 192 network and see the packets leaving the workstation but not being ACKnowledged. I also do not see the traffic being received on the 192 network.
I have run several debug commands on the router (for IP packets, access-lists, NAT etc) but do not see this traffic on the router. I enabled IP accounting and still do not see the (FTP) traffic.
I included the config for your review.
Can anyone tell me what other commands (debug or other) I can use on the router to 'find' this traffic so I can determine where it is going so I can resolve the issue?
Thanks,
Kerry
12-21-2009 09:37 PM
In your config you are defining ACL 127 and 128 under g0/1/0 but these ACLs are not defined! Are they missing or what?
interface GigabitEthernet0/1/0
 Desc 2nd LAN
 ip address 10.100.0.1 255.255.128.0
 ip access-group 128 in
 ip access-group 127 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting access-violations
 ip nat inside
 negotiation auto
Also, we need to know the exact test you made: source IP? destination IP? tool used to make the test (telnet, software, ...)?
12-23-2009 04:57 AM
As an additional test and to make sure an ACL wasn't stopping traffic I created these two ACLs but did not define them. I did this to pass all traffic.
(creating an ACL that isn't defined will pass ALL traffic).
Also the tests I am using from the 10 network to the 192 network and from the 10 network to the internet are as follows:
1. FTP - ftpzilla - source ip: 10.100.45.32 dest. ip: 192.168.1.5
   source ip: 10.100.45.32 dest. ip: ftp.windstream.net
2. iStation test software - source ip 10.100.45.32 dest. ip / port: app2.istation.com / 12500
12-23-2009 07:57 AM
Take all IP access-group statements off each interface and try the FTP again. If it still doesn't work, source an FTP from the router interface closest to the FTP server.
telnet x.x.x.x 21 /source-interface interface
James
01-05-2010 07:44 AM
Removed ACLs from all interfaces, here are the results:
- FTP From 10 network to 192 network - works
- FTP from 10 network to ftp site on internet - does not work
- FTP from router (using 10 as source) to ftp site on 192 - does not work
- FTP from router (using 192 as source) to ftp site on 192 - works
- FTP from router (using 10 as source) to ftp site on internet - does not work
- FTP from router (using 192 as source) to ftp site on internet - does not work
01-05-2010 08:39 AM
Add the 10 network to ACL 10.