FINAL SUMMARY: technical routing question on Solaris 10

From: Adam Levin <levins_at_westnet.com>
Date: Wed Nov 30 2005 - 16:53:37 EST

Hey all.

Thanks again for all the help.

I wanted to send a final summary, now that we've actually solved the 
problem.

If you recall, we have a network with 4 VLANs (web, app, mgt and nas).  We 
have machines on the app layer that need to get out to the Internet for a 
specific function.  We set up a static route for each Internet host going 
through a firewall doing reverse NAT on our end.

Once we got through the CKI issues of copy-and-pasting the wrong server's 
IPs and traceroutes (sorry 'bout that), we finally solved the problem.

First, the helpful advice to use snoop -V port 80 instead of tcpdump 
helped, in that I saw the traffic leaving.  When I used snoop -v to show 
me layer 2 information, the destination MAC was the firewall/gateway in 
question, so the packets were happily leaving my machine after all and 
arriving at the firewall.

It turns out that the firewall was dropping packets.  The problem was that 
the Cisco FWSM (firewall service module) has the ability to do contexts, 
similar to Solaris 10 containers or virtual servers.  We had a context 
configured in preparation for having a DS3 link from our office to our 
data center for management.  Our network guy set up an *additional* 
context for the new reverse-NAT out to the Internet connection, *also on 
the mgt VLAN*.

When packets came into the firewall/gateway on the mgt VLAN, therefore, 
the FWSM didn't know which context should apply, and like a good little 
security device, dropped the packets rather than mistakenly allowing 
something bad through.  This is documented, albeit rather confusingly, in 
the FWSM documentation.

By disabling the DS3 context, and eventually reconfiguring both contexts 
into one, the network guy solved the problem of allowing the packets out, 
and we can now get to where we need to go.

Take care,
-Adam
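As an added illustration (not code from Adam's post or from Cisco), the following Python models the fail-closed context classification described above: a packet's context is chosen by its ingress VLAN, and when two contexts share a VLAN only a destination address owned by exactly one of them can break the tie, otherwise the packet is dropped. The context names, the "outside" VLAN and the addresses are constructed; it is a simplified model of the FWSM behaviour, not the FWSM's own logic.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    """One firewall context: the VLANs it owns and the destination
    addresses (NAT globals) that identify it on a VLAN it shares with
    another context.  Simplified model, not FWSM code."""
    name: str
    vlans: set
    nat_globals: set = field(default_factory=set)


def classify(contexts, ingress_vlan, dst_ip):
    """Pick the context for a packet.  Returns the context name, or None
    when the packet must be dropped because no single context owns it."""
    # First pass: which contexts have the ingress VLAN at all?
    candidates = [c for c in contexts if ingress_vlan in c.vlans]
    if len(candidates) == 1:
        return candidates[0].name
    # Shared VLAN (the situation in the post): only a destination address
    # owned by exactly one context can disambiguate; anything else fails closed.
    by_dst = [c for c in candidates if dst_ip in c.nat_globals]
    if len(by_dst) == 1:
        return by_dst[0].name
    return None


def dropped(contexts, packets):
    """Return the (vlan, dst_ip) pairs the classifier would drop, so a
    proposed context layout can be checked before it is deployed."""
    return [p for p in packets if classify(contexts, *p) is None]


# Constructed sample layouts: "before" has two contexts on the mgt VLAN,
# "after" folds them into one, as the network guy eventually did.
BEFORE = [Context("ds3-mgmt", {"mgt"}),                 # DS3 management context
          Context("inet-rnat", {"mgt", "outside"})]     # reverse-NAT context, also on mgt
AFTER = [Context("merged", {"mgt", "outside"})]
PACKETS = [("mgt", "198.51.100.7")]  # constructed Internet destination

if __name__ == "__main__":
    for label, layout in (("before", BEFORE), ("after", AFTER)):
        print(label, "drops:", dropped(layout, PACKETS))
```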
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Nov 30 16:54:10 2005