Monday, February 26, 2018

Weird TCP behavior after upgrading to a TZ300 from an old 891-W

Hello all. Recently I tried to replace a Cisco 891-W with a SonicWALL TZ300-W. Nearly everything is working great, sans one function. My client is a small financial organization that has to connect to another's green screen mainframe via terminal emulator. There is no site-to-site tunnel, but instead, they are simply doing an IP based ACL. The TZ300 has the same external IP as the 891-W did, but the terminal emulators cannot connect. Here are the details:

• There is an any-any between the LAN zone and the WAN host for the mainframes so no access rules are blocking it. In fact there are no rules on egress or ingress that are blocking any packet flow whatsoever between both sides.

• I switched the TZ300 to SPI, but no changes.

• I ran a packet capture. I'm not very well versed in packet analysis, but looking at it shows me the TCP session was flagged with 0x014. However, I'm not sure what to do with this information. Some insight here would be helpful.

• I did a TCP traceroute from the PC running the terminal emulator to confirm the routing path, and I noticed something weird. On the 891-W, the 1st hop is the 891-W's local IP, then directly to the green screen. On the TZ300, however, the route is a standard set of ISP hops before ultimately timing out past the 4th hop. I have the running config of the 891-W. I'm guessing there's some kind of policy based routing, but all I'm seeing is the following custom NAT rule:

route-map toNAT permit 10
match ip address 189
set ip next-hop 172.16.1.2

This route-map is assigned to the interface providing the uplink to the router (IPs and hashes changed/deleted for privacy):

interface FastEthernet8
description placeholder
ip address 216.292.144.210 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip policy route-map toNAT
duplex auto
speed auto
crypto map VPNmap

I'm looking at that and I see the match ip address 189 but I'm not sure what that means. There is an ACL labeled as 189:

access-list 189 permit ip 192.168.47.0 0.0.0.255 host 13.206.32.209

However, what's confusing me is how and why the policy would be routing to 172.16.x.x? AFAIK, this is a private IP subnet. I can provide the full running config, albeit censored, in a PM.

Thanks for any and all help! I'm mostly a systems guy, but I'm definitely taking this as a wake up call to get my knowledge base up to par with my higher levels of responsibility.
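Added worked example (editor's code, not from the original post and not Cisco's): a small evaluator for the IOS policy-based-routing fragment quoted above, plus a decoder for the 0x014 flag value from the packet capture. It parses the three quoted pieces (access-list 189, route-map toNAT, and the `ip policy route-map toNAT` statement on FastEthernet8) and reports which next hop a given source/destination pair would be policy-routed to. Two IOS facts it encodes: a wildcard mask is the inverse of a netmask (1 bits are don't-care), and `ip policy route-map` acts on packets *received on* the interface it is configured on, so traffic only reaches toNAT if it enters the router via FastEthernet8. It also shows that 0x014 is RST|ACK, i.e. the other side (or something in the path) refusing or tearing down the TCP session rather than a silent drop. The embedded config is assembled from the lines quoted in the post (the sanitized interface address is left out); the interface name Vlan1 and the destination 198.51.100.7 used in the demo are constructed, not from the page.

```python
"""Evaluate the IOS policy-based-routing fragment quoted in the post.

Added example for this page; not code from the original post or from Cisco.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Config assembled from the lines quoted in the post (sanitized interface
# address omitted; nothing else is needed to evaluate the policy).
IOS_CONFIG = """\
access-list 189 permit ip 192.168.47.0 0.0.0.255 host 13.206.32.209
!
route-map toNAT permit 10
 match ip address 189
 set ip next-hop 172.16.1.2
!
interface FastEthernet8
 ip policy route-map toNAT
"""

ALL_ONES = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str          # "permit" or "deny"
    src: int
    src_wild: int        # IOS wildcard mask: 1 bits are don't-care
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        src_care, dst_care = self.src_wild ^ ALL_ONES, self.dst_wild ^ ALL_ONES
        return (src & src_care) == (self.src & src_care) and \
               (dst & dst_care) == (self.dst & dst_care)


@dataclass
class RouteMapClause:
    action: str
    seq: int
    match_acls: List[str] = field(default_factory=list)
    next_hop: Optional[str] = None


@dataclass
class IosPolicy:
    acls: Dict[str, List[AclEntry]] = field(default_factory=lambda: defaultdict(list))
    route_maps: Dict[str, List[RouteMapClause]] = field(default_factory=lambda: defaultdict(list))
    iface_policy: Dict[str, str] = field(default_factory=dict)   # interface -> route-map name


def _parse_addr(tok: List[str], i: int):
    """Parse one ACL address spec (any | host A | A WILDCARD); return (addr, wild, next index)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return int(IPv4Address(tok[i + 1])), 0, i + 2
    return int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1])), i + 2


def parse_config(text: str) -> IosPolicy:
    policy = IosPolicy()
    ctx = None   # RouteMapClause inside a route-map, interface name inside an interface
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list" and len(tok) > 3 and tok[3] == "ip":
            # extended form: access-list N permit ip SRC DST (the one used in the post)
            src, sw, i = _parse_addr(tok, 4)
            dst, dw, _ = _parse_addr(tok, i)
            policy.acls[tok[1]].append(AclEntry(tok[2], src, sw, dst, dw))
            ctx = None
        elif tok[0] == "route-map":
            ctx = RouteMapClause(action=tok[2], seq=int(tok[3]))
            policy.route_maps[tok[1]].append(ctx)
        elif tok[0] == "interface":
            ctx = tok[1]
        elif isinstance(ctx, RouteMapClause) and tok[:3] == ["match", "ip", "address"]:
            ctx.match_acls.extend(tok[3:])     # several ACLs on one match line are ORed
        elif isinstance(ctx, RouteMapClause) and tok[:3] == ["set", "ip", "next-hop"]:
            ctx.next_hop = tok[3]
        elif isinstance(ctx, str) and tok[:3] == ["ip", "policy", "route-map"]:
            policy.iface_policy[ctx] = tok[3]
    return policy


def acl_permits(policy: IosPolicy, acl: str, src: int, dst: int) -> bool:
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    for entry in policy.acls.get(acl, []):
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


def pbr_next_hop(policy: IosPolicy, ingress_iface: str, src_ip: str, dst_ip: str) -> Optional[str]:
    """Next hop for a packet RECEIVED on ingress_iface, or None for normal routing.

    'ip policy route-map' acts on packets entering the interface it is configured
    on, so a LAN host's traffic only hits toNAT if it arrives via FastEthernet8.
    """
    rm = policy.iface_policy.get(ingress_iface)
    if rm is None:
        return None
    src, dst = int(IPv4Address(src_ip)), int(IPv4Address(dst_ip))
    for clause in sorted(policy.route_maps.get(rm, []), key=lambda c: c.seq):
        hit = not clause.match_acls or any(acl_permits(policy, a, src, dst) for a in clause.match_acls)
        if hit:
            # a matching deny clause (or a permit with no next-hop) falls back to the routing table
            return clause.next_hop if clause.action == "permit" else None
    return None


TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def decode_tcp_flags(value: int) -> List[str]:
    """Expand a TCP flags byte as a capture tool shows it (0x014 -> RST, ACK)."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


if __name__ == "__main__":
    pol = parse_config(IOS_CONFIG)
    # Vlan1 and 198.51.100.7 are constructed for the demo; the rest comes from the post.
    for iface, src, dst in [("FastEthernet8", "192.168.47.10", "13.206.32.209"),
                            ("FastEthernet8", "192.168.47.10", "198.51.100.7"),
                            ("Vlan1", "192.168.47.10", "13.206.32.209")]:
        print(f"{iface:14} {src} -> {dst}: next hop {pbr_next_hop(pol, iface, src, dst)}")
    print("0x014 =", "+".join(decode_tcp_flags(0x014)))
```

Running it shows that only a packet from 192.168.47.0/24 to 13.206.32.209 that enters FastEthernet8 is sent to 172.16.1.2; the same packet entering any other interface, or any other destination, takes the normal routing table. When replicating this on the TZ300, the check is to confirm which interface the terminal-emulator traffic actually enters on the 891-W, since that determines whether the quoted route-map was ever on its path.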


