Two Firewalls in series and Packet Capture

Two Firewalls in series, SonicWall on WAN side and ASUS behind the SonicWall.
I have the above setup, where the SonicWall provides a LAN address of 192.168.168.XXX to an ASUS firewall, which in turn provides my actual devices (PCs etc.) with a 10.0.0.XXX LAN.
All works just the way I need and want it to, so please do not offer any config changes.

QUESTION: Since the 10.x.x.x LAN is essentially a translated 192.x.x.x address, can anyone tell me how to configure my SonicWall Packet Capture screen to see the translated PC IPs?
Note: I only see 192.168.x.x in a Global Packet Capture and suspect that it may be that the ASUS knows that 10.0.0.5 is translating to 192.168.168.65, but I am not yet convinced.
azpete asked:

Joseph Hornsey (President and Janitor) commented:
That's what I thought.

The whole point of a firewall is to separate one network from another. NAT is a critical part of that, as it keeps internal addresses from ever being exposed to the external networks. The SonicWall will only see the IP address of the outside interface of the ASUS; it will never see any of the addresses behind the ASUS.

Now, you can still do packet captures, etc. on the SonicWall to determine what's going through that firewall, but it won't capture packets to let you know what's happening on the ASUS.

To get a full picture, you'll have to run captures on both and then cross-reference.

Joseph Hornsey (President and Janitor) commented:
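A worked example of the "capture on both and cross-reference" approach from the answer above. This is added illustration, not code from the original thread or from either vendor: it parses tcpdump-style summary lines (the capture lines below are constructed for the example, not real captures) from the outer firewall and from the inner router, and maps each outer flow back to the inner host by matching protocol, destination IP and destination port within a short time window. Source port is used as a tie-breaker because the inner router may rewrite it (PAT) when two hosts pick the same port; the example assumes source NAT only, roughly synchronised clocks on the two devices, and that the inner capture was taken on the inner router's LAN side.

```python
"""Cross-reference an outer-firewall capture with an inner-router capture.

Constructed example. Assumptions (not stated on the page): the inner router
does source NAT/PAT only, so protocol, destination IP and destination port
survive translation; both devices' clocks agree to within `window` seconds.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# tcpdump-style summary line: "HH:MM:SS.fff IP a.b.c.d.sport > e.f.g.h.dport: TCP"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>TCP|UDP)"
)

# Constructed sample captures. Two inner hosts happen to pick source port
# 51234, so the inner router must rewrite one of them on the outside.
INNER_CAPTURE = """
10:00:01.100 IP 10.0.0.5.51234 > 93.184.216.34.443: TCP
10:00:01.150 IP 10.0.0.7.51234 > 93.184.216.34.443: TCP
10:00:02.000 IP 10.0.0.9.40000 > 8.8.8.8.53: UDP
"""
OUTER_CAPTURE = """
10:00:01.101 IP 192.168.168.65.51234 > 93.184.216.34.443: TCP
10:00:01.151 IP 192.168.168.65.1025 > 93.184.216.34.443: TCP
10:00:02.001 IP 192.168.168.65.40000 > 8.8.8.8.53: UDP
10:00:05.000 IP 192.168.168.65.123 > 203.0.113.10.123: UDP
"""


@dataclass
class Flow:
    ts: float      # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    matched: bool = False


def parse_capture(text):
    """Turn capture summary lines into Flow records; non-matching lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        flows.append(Flow(secs, m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"]))
    return flows


def correlate(outer, inner, window=0.5):
    """Map each outer flow to the inner flow it most plausibly translates.

    Returns (outer_flow, inner_flow_or_None, how). Candidates must share
    proto/dst/dport and precede the outer packet by at most `window` seconds.
    An exact source-port match wins; otherwise the closest-in-time candidate is
    taken and labelled as an inference, because PAT may have rewritten the port.
    Outer flows with no candidate (e.g. the router's own traffic) stay unmatched.
    """
    results = []
    for o in outer:
        cands = [i for i in inner
                 if not i.matched and i.proto == o.proto and i.dst == o.dst
                 and i.dport == o.dport and 0 <= o.ts - i.ts <= window]
        exact = [i for i in cands if i.sport == o.sport]
        if exact:
            pick, how = min(exact, key=lambda i: o.ts - i.ts), "exact"
        elif cands:
            pick, how = min(cands, key=lambda i: o.ts - i.ts), "port-rewritten (inferred)"
        else:
            results.append((o, None, "unmatched"))
            continue
        pick.matched = True  # one inner packet explains at most one outer packet
        results.append((o, pick, how))
    return results


def cross_reference(outer_text, inner_text):
    """Convenience wrapper returning (outer sport, inner host or None, how) tuples."""
    res = correlate(parse_capture(outer_text), parse_capture(inner_text))
    return [(o.sport, i.src if i else None, how) for o, i, how in res]


if __name__ == "__main__":
    for sport, host, how in cross_reference(OUTER_CAPTURE, INNER_CAPTURE):
        print(f"outer src port {sport:5d} <= inner host {host or '(none)':10s} [{how}]")
```

The inferred matches are only as good as the time window and the clock agreement between the two boxes; on a busy link with several inner hosts talking to the same destination and port, only the inner router's own NAT table can say for certain which host owns a rewritten port.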
Off the top of my head, I don't think you can.

The SW firewall never sees those internal addresses - that's kind of the whole point of NAT and firewalls.  So, it has no way of doing a translation.

The only box that will be able to capture packets like that is the ASUS.

To clarify - The ASUS box is the one that does the translations from 10.x.y.z to 192.168.168.z.  Therefore, it maintains the translation tables.  The SW has no way of reading those tables, so it has no way of knowing which internal address is being represented by the DMZ address.

Blue Street Tech (Last Knight) commented:
Hi azpete,

I really think you should change this configuration immediately! LOL

You can packet capture through NAT or double NAT in your scenario so there is nothing special...use the Packet Capture within the SonicWALL as you normally would...if you want to filter on Source IP, Destination IP, etc. do so as you normally would.

Note:  I only see 192.168.x.x in a Global Packet Capture and suspect that it may be that the asus knows that 10.0.0.5 is translating to 192.168.168.65  but I am not yet convinced.
Yes, you handle it in the same manner if there were only one firewall...you wouldn't even think about the NAT translations but rather the Source IP/s and/or port/s, and the Destination IP/s and/or port/s, etc. All the devices downstream will go through the SonicWALL regardless!

Does that make sense? Let me know if you have any other questions!

Joseph Hornsey (President and Janitor) commented:
Maybe I misunderstood your question....

Are you asking if you can see the 10.x.y.z addresses from the SonicWall when you do your packet captures?

azpete (Author) commented:
Joseph, yes, I AM asking if I can see the 10.x.y.z addresses from the SonicWall when I do a packet capture.

azpete (Author) commented:
When I do a Capture EVERYTHING on the SonicWall, all I see is ONE "LAN" IP on the SonicWall (which is the "WAN" address of the ASUS).
This actually makes perfect sense. Then I thought: hey, I know the MAC addresses of everything on the LAN. BUT the SonicWall Packet Capture does not appear to have a MAC field to capture on.

Joseph Hornsey (President and Janitor) commented:
Yeah.... MAC addresses are L2, so they're not passed between network segments.

Joseph Hornsey (President and Janitor) commented:
I fully answered the question and follow-ups.
Question has a verified solution.