ARP NAT Hell!

jason
Level 1

Hi All,

Please see the attached diagram.

I have a customer whose AAA server is behind a firewall. It will only accept RADIUS packets from one source address - 192.168.46.1

In order to facilitate this, I have added a router to statically NAT the RADIUS source to the correct address.

From the WLC (RADIUS source) I can ping the 46.1 address of the router. I cannot ping the 46.254 address from the WLC.

From the router however, I can ping 46.252 - 254 so I know they reply. I have assumed that the non-Cisco firewall is running VRRP with .254 as the VIP.

If I send a test RADIUS auth request from the WLC, I see the router translate the outbound packets but nothing comes back.

Any thoughts anyone?

4 Replies

Robert Falconer
Level 1

Couple of thoughts/questions

How is that firewall working? Is it just a L2/Virtual Wire setup? By the looks of the connections and IP addresses, it must be L2. But any time I've worked on firewalls at L2, they don't have IP addresses assigned to their interfaces that pass traffic. That's usually done in a routed configuration and they are on different subnets. These are on the same subnet but are on 2 different interfaces.

The MAC addresses look odd also, a little off from typical VRRP. If the firewall was running VRRP on .254, then it should be in the ARP table, which is not included in the snippet you provided. The MAC address for .252 indicates the vendor is Nexcom, which I'm not familiar with.

Also, if there's vrrp, is there a second firewall unit not shown on your drawing? Can you ping the radius server from the router?

Hi there,

The firewall must be in routed mode.

I agree that the MAC addresses look messed up:

Internet  192.168.46.254          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.252         84   0010.f333.c916  ARPA   FastEthernet0/0
Internet  192.168.46.253          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.250        144   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.251        144   0000.5e00.0002  ARPA   FastEthernet0/0

I have recreated the environment in GNS3 and it works perfectly. That is with a router interface mimicking the customer firewall.

The site firewall is a pair of appliances which my drawing does not show.

They must be NATing the 192.168.46.x/24 network to another private subnet where the RADIUS server resides.

In answer to your question, I cannot ping the RADIUS server from the router but I am told by their security team that there is an ACL blocking inbound ICMP requests.
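
Reading that ARP table the way the replies above do, as an added example (my code, not anything posted by a participant in this thread): the script below parses Cisco IOS "show ip arp" lines, groups addresses by MAC, flags any MAC that answers for more than one IP, and classifies each MAC by well-known prefixes. The sample input is a constructed string holding the five entries posted above; the only prefix facts it relies on are that the VRRP virtual MAC is 00-00-5E-00-01-{VRID} (RFC 5798), that HSRPv1 uses 0000.0c07.acXX, and that the 00-00-5E-00-00-xx block is IANA-reserved rather than a VRRP virtual MAC. Run against the posted table it reports 0000.5e00.0002 answering for four addresses and classifies it as reserved-not-VRRP, which is the concrete question to put to the firewall team.

```python
"""Flag suspicious entries in Cisco IOS 'show ip arp' output.

Added example for this thread, not code posted by any participant.
The sample below is constructed from the five entries in the post above.
"""
import re
from collections import defaultdict

# Constructed sample: the five ARP entries posted above, IOS dotted-hex MACs.
SAMPLE_ARP = """\
Internet  192.168.46.254          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.252         84   0010.f333.c916  ARPA   FastEthernet0/0
Internet  192.168.46.253          0   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.250        144   0000.5e00.0002  ARPA   FastEthernet0/0
Internet  192.168.46.251        144   0000.5e00.0002  ARPA   FastEthernet0/0
"""

# One IOS ARP row: Protocol, Address, Age (minutes or '-'), Hardware Addr, Type, Interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)


def parse_arp(text):
    """Return a list of dicts (ip, age, mac, intf); mac is 12 lowercase hex chars."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header line or an unrelated row
        entry = m.groupdict()
        entry["mac"] = entry["mac"].replace(".", "").lower()
        entries.append(entry)
    return entries


def classify_mac(mac):
    """Classify a MAC by first-hop-redundancy and reserved prefixes.

    VRRP (RFC 5798 section 7.3) uses 00-00-5E-00-01-{VRID}.
    HSRP version 1 uses 0000.0c07.acXX.
    00-00-5E-00-00-xx is IANA-reserved and is not a VRRP virtual MAC.
    """
    if mac.startswith("00005e0001"):
        return "vrrp-virtual (VRID 0x%s)" % mac[10:12]
    if mac.startswith("00005e0000"):
        return "iana-reserved-not-vrrp"
    if mac.startswith("00000c07ac"):
        return "hsrp-v1-virtual"
    return "vendor-unicast"


def find_anomalies(entries):
    """Return (shared, classes): MACs claimed by several IPs, and each MAC's class."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    classes = {mac: classify_mac(mac) for mac in by_mac}
    return shared, classes


if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    shared, classes = find_anomalies(entries)
    for mac, ips in shared.items():
        print("MAC %s (%s) answers for %d addresses: %s"
              % (mac, classes[mac], len(ips), ", ".join(ips)))
```

One MAC answering for several IPs on a segment is either a redundancy protocol doing its job or something impersonating neighbours, so the same grouping is worth running during incident triage, not only when chasing a NAT problem.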

What does the security team see in their logs for the RADIUS attempts from .46.1?

That their firewall config was bunkum.

They have amended their config and it's all working fine :)

Thank you for your input. Logic said that the problem was on their side but the ICMP issue threw me.

Thanks again,

Jason
