
www.satsig.net

Satellite Internet Forum.


i-Connex-100 and NAT

athomasd
Mar 19th, 2009 at 10:04pm  
Hello there,

I'm using a SWE-DISH iPT with an integrated i-Connex 100 modem. My service provider is giving me a whole /28 of public IPs, so I have the LAN interface plugged directly into my Cisco ASA 5540.

The outside interface of my firewall is directly connected to the iDirect modem, and I'm using the interface for general NAT translations.  (Global nat interface)  I have several clients that I want static translations for, so I've configured several statics.

My problem is this. I can't get IP traffic to pass on any IP other than the firewall interface. For example, I changed my global NAT from interface to the third usable IP on the subnet and the translations stop working. I change the firewall outside interface to the very same IP that wasn't working, and everything runs like a champ.

When I telnet to the modem and use the "spoof debug on" command I see the following for the connections that don't work:

New transmit CID: 419, (base 419)
Spoof session created (lclpkt), 17 exist
x.x.3.45.3671 --> 64.191.203.30.80
Spoof rx remote packet, session with cid 2814 not found
Associating rx cid 2814 with Session:
x.x.3.45.3671 --> 64.191.203.30.80

and a while later, this shows up..

SpoofSession: killing session because retry limit reached m_Va=3352089621, m_Ns=3352089622, m_retx.size=1
SpoofMgr:ProcessSessionTimeout syn idle expires

Good connections happen like this:

New transmit CID: 555, (base 555)
Spoof session created (lclpkt), 6 exist
x.x.3.34.2510 --> 64.191.203.30.80
Spoof rx remote packet, session with cid 2922 not found
Associating rx cid 2922 with Session:
x.x.3.34.2510 --> 64.191.203.30.80

...
SPOOF FIN: tx FIN from local to remote (1395884124)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: rx FIN ack from remote (1395884124)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: tx FIN from remote to local (123458)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: tx FIN ack from local to remote (123458)
x.x.3.34.2510 --> 64.191.203.30.80

Spoof Session Dead:
x.x.3.34.2510 --> 64.191.203.30.80
Unlink rxCID: 2922
Unlink transmit CID: 555


So it looks to me like it's a SYN timeout problem. I'm not convinced that the traffic is actually passing through the modem onto the sat link, because the NAT clients that don't work can't even ping the gateway.

Does anyone else have any other debugging tools that I could use to figure this out? Is there any way to get a tcpdump of the traffic that's crossing the sat0 interface?

Could the spoofing config be breaking this?  Any help would be greatly appreciated.

Andrew



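The two debug excerpts above, turned into a small triage script. This is an added example, not code from the post or from iDirect: the line formats are inferred from the lines quoted in the post, the sample input is the post's own lines concatenated (with the poster's redacted x.x. octets kept as-is), and the outcome labels are my own naming. It pairs each "New transmit CID" with the flow line that follows it, records whether the hub side ever answered ("Associating rx cid") and whether the session closed cleanly (FIN / Session Dead), then groups the outcomes by the local address the modem saw.

```python
"""Triage of iDirect 'spoof debug' telnet output.

Added example, not from the forum post or from iDirect. The line formats are
inferred from what the post quotes; anything beyond those lines is an assumption.
"""
import re

# Flow lines look like "x.x.3.45.3671 --> 64.191.203.30.80". The post redacts
# the first two octets with 'x', so an octet may contain 'x'.
FLOW_RE = re.compile(
    r"^([0-9x]+(?:\.[0-9x]+){3})\.(\d+) --> ([0-9x]+(?:\.[0-9x]+){3})\.(\d+)$"
)
TX_CID_RE = re.compile(r"^New transmit CID: (\d+)")
RX_CID_RE = re.compile(r"^Associating rx cid (\d+) with Session:")

# Constructed sample: the two sessions quoted in the post, concatenated.
SAMPLE_LOG = """\
New transmit CID: 419, (base 419)
Spoof session created (lclpkt), 17 exist
x.x.3.45.3671 --> 64.191.203.30.80
Spoof rx remote packet, session with cid 2814 not found
Associating rx cid 2814 with Session:
x.x.3.45.3671 --> 64.191.203.30.80
New transmit CID: 555, (base 555)
Spoof session created (lclpkt), 6 exist
x.x.3.34.2510 --> 64.191.203.30.80
Spoof rx remote packet, session with cid 2922 not found
Associating rx cid 2922 with Session:
x.x.3.34.2510 --> 64.191.203.30.80
SpoofSession: killing session because retry limit reached m_Va=3352089621, m_Ns=3352089622, m_retx.size=1
SpoofMgr:ProcessSessionTimeout syn idle expires
SPOOF FIN: tx FIN from local to remote (1395884124)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: rx FIN ack from remote (1395884124)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: tx FIN from remote to local (123458)
x.x.3.34.2510 --> 64.191.203.30.80
SPOOF FIN: tx FIN ack from local to remote (123458)
x.x.3.34.2510 --> 64.191.203.30.80
Spoof Session Dead:
x.x.3.34.2510 --> 64.191.203.30.80
Unlink rxCID: 2922
Unlink transmit CID: 555
"""


def parse_spoof_debug(text):
    """Build one record per transmit CID.

    Each flow line is attributed to the event line immediately before it:
    'New transmit CID' (session created), 'Associating rx cid' (hub side
    answered), 'SPOOF FIN:' or 'Spoof Session Dead:' (orderly close).
    'killing session because retry limit reached' has no flow line in the
    quoted output, so it is counted but not attributed to a session.
    """
    sessions = {}   # tx_cid -> record
    by_flow = {}    # flow tuple -> record
    pending = None  # event waiting for its flow line
    kills = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = TX_CID_RE.match(line)
        if m:
            pending = ("create", int(m.group(1)))
            continue
        m = RX_CID_RE.match(line)
        if m:
            pending = ("rx", int(m.group(1)))
            continue
        if line.startswith("SPOOF FIN:"):
            pending = ("fin", None)
            continue
        if line.startswith("Spoof Session Dead:"):
            pending = ("dead", None)
            continue
        if "killing session because retry limit reached" in line:
            kills += 1
            continue
        m = FLOW_RE.match(line)
        if not (m and pending):
            continue
        flow = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        kind, value = pending
        pending = None
        if kind == "create":
            rec = {"tx_cid": value, "flow": flow, "rx_cid": None,
                   "fin": False, "dead": False}
            sessions[value] = rec
            by_flow[flow] = rec
        elif flow in by_flow:
            rec = by_flow[flow]
            if kind == "rx":
                rec["rx_cid"] = value
            elif kind == "fin":
                rec["fin"] = True
            else:
                rec["dead"] = True
    return sessions, kills


def classify(rec):
    """How far the session got (labels are this example's own)."""
    if rec["dead"] or rec["fin"]:
        return "completed"
    if rec["rx_cid"] is not None:
        # The hub-side spoofer replied, so the SYN did cross the satellite
        # link; what never finished is the exchange on the LAN side.
        return "stalled_after_remote_reply"
    return "no_remote_reply"


def summarise(text):
    """Outcomes grouped by the local (post-NAT, as the modem sees it) address."""
    sessions, kills = parse_spoof_debug(text)
    per_local = {}
    for rec in sessions.values():
        per_local.setdefault(rec["flow"][0], []).append(classify(rec))
    return per_local, kills


if __name__ == "__main__":
    outcomes, retry_kills = summarise(SAMPLE_LOG)
    for local_ip, results in outcomes.items():
        print(local_ip, results)
    print("retry-limit kills:", retry_kills)
```

On the sample this reports x.x.3.45 as stalled_after_remote_reply and x.x.3.34 as completed. The useful distinction for the question asked in the post is that a stalled session still had an rx cid associated, i.e. the hub side did answer, so the satellite link is carrying the SYN and a reply; the retransmit queue (m_retx.size=1) then runs out of retries toward the local address. One reading consistent with that, and with the ARP hypothesis raised later in the thread, is that the modem cannot reach the translated address on the LAN segment. On an ASA the firewall answers ARP for global and static NAT addresses by proxy ARP unless that has been disabled (sysopt noproxyarp on the outside interface), so checking the modem's ARP table for each translated address, and the ASA's proxy-ARP setting, is a cheap first test before involving the provider.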
Ex Member


Reply #1 - Mar 20th, 2009 at 11:11am  
Has your provider enabled your system's options file to move NAT off of the iDirect?

As for tcpdumping a particular interface, if you are a Hub Operator and have access to the RHEL PPs, tcpdumping a particular host/interface is quite possible (from the PPs).

I would get your ISP involved, if anything to make sure you are properly configured, and if you need something dumped they can help you there as well.

athomasd
Reply #2 - Mar 20th, 2009 at 4:08pm  
Thanks for the tips, Mike. I decided to get a 3750 switch out and connect the iDirect to some clients in a VLAN. Everything worked like a champ. This could be some sort of ARP problem with the ASA. I'm about to connect the firewall to the same switch, so I'll let you know how that turns out.

Andrew
athomasd
Reply #3 - Mar 23rd, 2009 at 3:54pm  
I love these problems! Oddly enough, when I reconnected everything and rebooted the modem and ASA, everything started working. I can't really explain it, so I guess it's one of those ghost-in-the-box problems.

Ex Member


Reply #4 - Mar 23rd, 2009 at 4:26pm  
Glad to hear you are chasing ghosts!  I think we have all experienced that....