Need help! Specific subnet cannot access my internal resource

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need help! Specific subnet cannot access my internal resource

L3 Networker

Hi Team,

 

I just need an advise. 

 

I have this setup as attached but I have this mystery that's been bugging me for days now. There is only one subnet which cannot access my internal resource.

I ran the filter and global counter and there are specific counters I noticed.

renzanjo11_0-1701938769587.png

 

Can someone enlighten me on this?

 

Regards,

Renz

 

8 REPLIES 8

Community Team Member

Hi @renzanjo11 ,

 

You might be experiencing this issue:
Packets Dropped: Forwarded to a Different Zone 

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L2 Linker

you need to check on the monitor traffic logs and which policy it is hitting most probably its not hitting the correct policy.

Zain

L3 Networker

Hi everyone!

 

Thank you very much for all of the suggestions.

 

I am pretty sure it's hitting the correct policy and NAT rules. I tried clearing the sessions but still no good.

I'm really confused what here I am doing wrong. I am so used to NAT and policies but this time I'm dropping.

 

I can give you a glimpse of the logs I got.

 

Regards,

Renz

from the traffic logs you can see the application is incomplete, please take a packet capture from the monitor tab and when you initiate the traffic run the below command(run this command 3-5 times):
filter should be source: 111.223.89.115  dst: 116.12.174.226 and vice versa 
show counter global filter packet-filter yes delta yes


 

from this command you check what firewall is doing to the traffic 

 

Zain

L3 Networker

@msyeedrafiqi Hi ! 

 

Thank you very much! 

 

I am just curious, shouldn't I use the translated server address? Or for this case I should ignore it first?

 

Regards,

Renz

L2 Linker

You are correct. the correct filter would be your private client ip and public destination IP
2- your natted Ip and the destination IP
3- destination IP and private IP
4- Destination - your public IP

Zain

L3 Networker

Hi @msyeedrafiqi ,

 

Are these packet filter indexes? 

2- your natted Ip and the destination IP
3- destination IP and private IP
4- Destination - your public IP

 

Regards,

Renz

L2 Linker

On the firewall packet capture we can only have 4 max filters. 
The first filter would be Private Ip and Destination IP
Second would be vice versa
Third would be Natted IP and Destination IP

Fourth Vice versa

Zain
  • 2669 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!