Routing or ACL - unable to reach traffic to firewall

habeebuddin786
Level 1

Hello folks,

I have a requirement to open up HTTPS from the internet to one of our URLs. The public IP is 73.109.101.80, which is NATted to 10.10.10.80, and I created the policy on the Juniper firewall from untrust Any to Trust 73.109.101.80 with port 443.

But when I try to hit the IP or URL, the traffic is not reaching the firewall. Before reaching the firewall, traffic from the internet should first reach the border router (BR) and then the front office router (FOR). We have three firewall clusters (Fw01/02), (Fw03/04) and (Fw05/06) ... The above policy is added on Fw05/06. Below is the config of the BR and FOR for your reference. Need your expertise in this as the traffic is not reaching the firewall.

Please let me know what output is required from the BR and FOR; I'll provide it to fix this issue.

Kindly help in this regard.

BR#

router ospf 1
 router-id 10.8.9.1
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 area 0 authentication
 passive-interface default
 no passive-interface Port-channel2
 no passive-interface Port-channel3
 network 10.8.9.0 0.0.0.3 area 0
 network 10.8.9.8 0.0.0.7 area 0
 network 10.8.9.16 0.0.0.7 area 0
 default-information originate metric 10 metric-type 1
!
router bgp 10753
 no synchronization
 bgp log-neighbor-changes
 network 73.109.94.0 mask 255.255.255.0
 network 73.109.101.0 mask 255.255.255.0
 network 73.109.101.51 mask 255.255.255.255
 network 73.109.101.52 mask 255.255.255.255
 network 73.109.101.92 mask 255.255.255.192
 neighbor 4.9.38.33 remote-as 356
 neighbor 4.9.38.33 next-hop-self
 neighbor 4.9.38.33 remove-private-as
 neighbor 4.9.38.33 soft-reconfiguration inbound
 neighbor 4.9.38.33 prefix-list level3-in in
 neighbor 4.9.38.33 prefix-list level3-out out
 neighbor 10.8.9.2 remote-as 1753
 neighbor 10.8.9.2 next-hop-self
 neighbor 10.50.25.41 remote-as 2870
 neighbor 10.50.25.41 soft-reconfiguration inbound
 neighbor 10.50.25.41 prefix-list N-CUSTOMER-IN in
 neighbor 10.50.25.41 prefix-list S3_AND_S5 out
!
ip route 73.109.94.0 255.255.255.0 Null0
ip route 73.109.94.0 255.255.255.192 216.168.227.38
ip route 73.109.94.64 255.255.255.192 216.168.227.42
ip route 73.109.94.128 255.255.255.192 10.58.39.10
ip route 73.109.94.92 255.255.255.192 216.168.227.42
ip route 73.109.101.0 255.255.255.0 Null0
ip route 73.109.101.51 255.255.255.255 10.8.9.18
ip route 73.109.101.52 255.255.255.255 10.8.9.18
ip route 73.109.101.92 255.255.255.192 10.8.9.18
ip prefix-list N-CUSTOMER-IN seq 205 permit 73.109.96.128/25
ip prefix-list N-CUSTOMER-IN seq 207 permit 73.109.98.128/25
ip prefix-list N-CUSTOMER-IN seq 209 permit 73.109.100.128/25
ip prefix-list N-CUSTOMER-IN seq 211 permit 73.109.103.128/25
ip prefix-list N-CUSTOMER-IN seq 212 permit 73.109.95.128/25
ip prefix-list N-CUSTOMER-IN seq 213 permit 73.109.99.128/25
ip prefix-list S3_AND_S5 seq 5 permit 73.109.101.0/24
ip prefix-list S3_AND_S5 seq 15 permit 73.109.101.51/32
ip prefix-list S3_AND_S5 seq 16 permit 73.109.101.52/32
ip prefix-list S3_AND_S5 seq 20 permit 73.109.101.92/26
ip prefix-list S3_AND_S5 seq 25 permit 73.109.94.0/24
ip prefix-list DC-out seq 150 permit 73.109.101.0/24
!
interface TenGigabitEthernet6/4
 description ISP-CONNECTION
 ip address 4.9.38.34 255.255.255.252
 ip access-group 101 in
 no cdp enable
end
!
sh access-list 101 | inc 443
    520 permit tcp any any eq 443 (55399 matches)
!

-------------------------------------------------------------------------------------------------------------------------------------------

FOR#

interface Vlan73
 ip address 73.109.101.9 255.255.255.128
 standby 73 ip 73.109.101.1
 standby 73 priority 125
!
interface Vlan75
 ip address 73.109.101.130 255.255.255.128
 standby 75 ip 73.109.101.129
 standby 75 priority 125
!
interface Port-channel3
 description FW05/06 UNTRUST AGG1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 73,75
!
router ospf 1
 router-id 10.8.7.9
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 area 0 authentication
 passive-interface Vlan11
 passive-interface Vlan12
 network 8.1.66.0 0.0.0.127 area 0
 network 10.8.0.0 0.0.0.3 area 0
 network 10.8.7.0 0.0.0.15 area 0
 network 10.8.9.16 0.0.0.7 area 0
 network 73.109.101.0 0.0.0.255 area 0
!

Thanks

-Ahmed

9 Replies

Jon Marshall
Hall of Fame

Ahmed

Can you post -

From the BOR -

1) sh ip route | include 73.109.101

2) sh ip bgp neighbors 4.9.38.33 advertised-routes | include 73.109.101

From the FOR -

1) sh ip ospf neighbor

2) sh ip route | include 73.109.101

Jon

Jon Marshall
Hall of Fame

Ahmed

on BOR -

neighbor 4.9.38.33 prefix-list level3-out out

I'm assuming the ISP address is 4.9.8.33. If so, can you post the prefix-list level3-out, as you haven't included it in the config you posted.

Jon

wasmer_anne
Level 1

Hello Ahmed,

I'm not sure whether you're doing NAT here, but on the BR there's no static route to 73.109.101.80 besides the discard to Null0. As Jon pointed out, can you post the various sh ip route outputs requested?

regards

Anne

Yes, this is a bit weird because I'm not sure what those specific /32 routes are doing. There is a /24 to Null0 for that network so it can be advertised via eBGP, but the BOR should be receiving 2 x /25s for the same network from the FOR switch via OSPF, and as these are longer prefixes they should override the Null0 route.

The /32s suggest something isn't working quite right, although it could be the prefix-list as well, which I think has not been posted yet.

We'll wait and see, I guess.

Jon

Let's wait and see...

Thank you so much for your response, Jon and Anne; I really appreciate it.

I did figure it out. The traffic flow is such that if a request from the internet hits IP 73.109.101.80 from outside, it should go from BR to FOR and then to the FW, and that FW has the public IP 73.109.101.80 NATted to the VIP 10.10.10.80. The firewall passes the request to the core router, which passes it to the LB where the VIP 10.10.10.80 resides, and from there it should pass to the real servers. Those real servers have their default gateway pointing to the LB, and the LB's default gateway points to the core switch, but the core switch's default gateway points to the backoffice router instead of the firewall, so the response passes through the backoffice router and from there goes nowhere. This is the production setup; I don't know how they set it up, and I am the new engineer working on it. For testing I added a static route on the core switch, destined to my internet IP and pointing to the firewall as the exit, and after that I am able to reach 73.109.101.80 from my machine.

Therefore I am now in the process of changing the default route on the core switch to point to the firewall instead of the backoffice router, but before doing that I need to check what traffic is passing through the backoffice router. It seems that through ACL logging I can identify what traffic sourced from the 10.10.10.0/24 network is passing towards the backoffice.

Any suggestions on how to configure ACL logging on the backoffice router for traffic sourced from 10.10.10.0/24?

I came up with the below config:

ip access-list extended 10.10.10.0/24_subnet_sourcetraffic
 ! the source match takes a wildcard mask (0.0.0.255), not a subnet mask
 permit ip 10.10.10.0 0.0.0.255 any log

Is the above config correct to log the traffic?

thanks

Ahmed

Ahmed

If you are logging ACLs on the 6500 then you need to use OAL (Optimised ACL Logging), or else all packets that are logged will be handled in software. See this link for details -

http://www.cisco.com/en/US/customer/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/acl.html#wp1084366

As for the default route, you need to be careful when changing it. Presumably it was set up for a reason, so you need to be sure what it was set for. For example, it may be that other networks use this default route, or it may be that they don't want the default route pointing to the firewall.

Jon

Hi Jon,

Thank you for looking into this. I am looking to proceed with OAL to capture the traffic passing through the BO router. I have a question regarding OAL: will OAL capture all the TCP port traffic as well once it has been configured, and will it affect or break anything while configuring OAL? Curious, since it's a production network. Yes, I want to take precautions while waving it off the default route pointing to some other router. It's one of the projects on my list that needs to be completed this month before the holidays start.

It's a long story that the default route is pointing to a different router.
Here I'll try to explain or give you a little background. We have different products running in the datacenter and different SILOs (small infrastructures, each separate from the other silos) for different products.

The one I was talking about in the above thread was the SILO-A core router, which has a default route pointing to CORE-SILOB, and SILO-A and SILO-B have connectivity through the BO router. Attaching the config for your reference. SILO-B was built first, before SILO-A. An earlier engineer, 2 years back, set up SILO-A and routed outbound connections from SILO-A servers via SILO-B for testing purposes, but he left in between, and the other engineers set up the production traffic in the same way. Now SILO-B is waving off soon, and we need to bring the outbound connections back from SILO-B to SILO-A as well.

Hope I have explained it clearly.

Based on the attached config, will the below OAL config help in tracking which IPs' traffic is passing from CORE-SILOA to Core-SILOB through the BO router?

I think the best place to log the traffic is on the BO router interface which connects to the SILO-A core router.

Much appreciate your help and guidance in this regard:

R-BO# interface Port-channel1
 description R-BO <-> Core-SILOA
 logging ip access-list cache in
 logging ip access-list cache out

--------------------------------------OR (I found another ACL logging config)-------------------------------

R-BO# config t
logging buffered 15000
! (this creates a large enough buffer to look at locally on the router, or you can configure the router to log the ACL matches to a syslog server)
access-list 101 permit tcp any gt 0 any gt 0 log
access-list 101 permit udp any gt 0 any gt 0 log
access-list 101 permit icmp any any
access-list 101 permit ip any any log
interface Port-channel1
 description R-BO <-> Core-SILOA
 ip access-group 101 in

Let me know what you think about the two configs and which one you suggest I go with. I hope neither config will affect the production network or break anything.

Thank you,

Ahmed
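Once either of the configs above is in place, the work is reading what the `log` keyword produces. The following is an added example, not code from the thread: a small Python parser for IOS ACL log lines (the %SEC-6-IPACCESSLOGP format for TCP/UDP and %SEC-6-IPACCESSLOGDP for ICMP) that tallies packets per flow for sources inside 10.10.10.0/24, which is the inventory Ahmed wants before re-pointing the core switch's default route. The log lines are constructed samples, and the `SAMPLE_LOG` text stands in for `show logging` output or a syslog feed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines in the IOS ACL-logging message format;
# not captured from the poster's network (addresses are documentation ranges).
SAMPLE_LOG = """\
Dec  3 10:01:12.455: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.10.80(443) -> 198.51.100.23(51234), 1 packet
Dec  3 10:01:15.102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.10.80(443) -> 198.51.100.23(51234), 37 packets
Dec  3 10:01:20.771: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.10.10.15(45201) -> 10.50.25.5(53), 4 packets
Dec  3 10:01:25.003: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.10.10.15 -> 10.50.25.5 (8/0), 2 packets
Dec  3 10:01:30.118: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.20.9(33000) -> 203.0.113.7(443), 5 packets
"""

# One pattern covers IPACCESSLOGP (ports in parentheses after each address)
# and IPACCESSLOGDP (no ports; ICMP type/code follows the destination).
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?, "
    r"(?P<pkts>\d+) packets?"
)


def parse_acl_log(text):
    """Yield one dict per recognised ACL log line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["pkts"] = int(entry["pkts"])
            yield entry


def summarize_flows(text, source_net="10.10.10.0/24"):
    """Sum packets per (src, proto, dst, dport) for sources inside source_net."""
    net = ipaddress.ip_network(source_net)
    flows = Counter()
    for e in parse_acl_log(text):
        if ipaddress.ip_address(e["src"]) in net:  # only the subnet being inventoried
            key = (e["src"], e["proto"], e["dst"], e["dport"] or e["icmp"] or "-")
            flows[key] += e["pkts"]
    return flows


if __name__ == "__main__":
    for (src, proto, dst, dport), pkts in sorted(summarize_flows(SAMPLE_LOG).items()):
        print(f"{src:<14} {proto:<5} -> {dst:<16} {dport:<6} {pkts:>6} pkts")
```

IOS logs the first packet of a flow and then periodic summaries, so the totals are indicative of which flows exist rather than exact byte-accurate counts.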

Forgot to attach the config file; please see this one.
