Two Firewalls in series and Packet Capture

Two Firewalls in series, SonicWall on WAN side and ASUS behind the SonicWall.
I have the above setup where the SonicWall provides a LAN address of 192.168.168.XXX to an ASUS firewall, which provides my actual devices (PCs etc.) with a 10.0.0.XXX LAN.
All works just the way I need and want it to, please do not offer any config changes.
QUESTION: Since the 10.xxxxx LAN is essentially a translated 192.xxxxx address, CAN anyone tell me how to configure my SonicWall Packet Capture screen to see the translated PC IPs?
Note: I only see 192.168.x.x in a Global Packet Capture and suspect that it may be that the ASUS knows that 10.0.0.5 is translating to 192.168.168.65, but I am not yet convinced.
azpete Asked:

Joseph Hornsey, President and Janitor, Commented:
Off the top of my head, I don't think you can.

The SW firewall never sees those internal addresses - that's kind of the whole point of NAT and firewalls.  So, it has no way of doing a translation.

The only box that will be able to capture packets like that is the ASUS.

To clarify - The ASUS box is the one that does the translations from 10.x.y.z to 192.168.168.z.  Therefore, it maintains the translation tables.  The SW has no way of reading those tables, so it has no way of knowing which internal address is being represented by the DMZ address.
0
Blue Street Tech, Last Knight, Commented:
Hi azpete,

I really think you should change this configuration immediately! LOL

You can packet capture through NAT or double NAT in your scenario so there is nothing special...use the Packet Capture within the SonicWALL as you normally would...if you want to filter on Source IP, Destination IP, etc. do so as you normally would.

Note: I only see 192.168.x.x in a Global Packet Capture and suspect that it may be that the ASUS knows that 10.0.0.5 is translating to 192.168.168.65, but I am not yet convinced.
Yes, you handle it in the same manner if there were only one firewall...you wouldn't even think about the NAT translations but rather the Source IP/s and/or port/s, and the Destination IP/s and/or port/s, etc. All the devices downstream will go through the SonicWALL regardless!

Does that make sense? Let me know if you have any other questions!
0
Joseph Hornsey, President and Janitor, Commented:
Maybe I misunderstood your question....

Are you asking if you can see the 10.x.y.z addresses from the SonicWall when you do your packet captures?
0
azpete, Author, Commented:
Joseph, yes, I AM asking if I can see the 10.x.y.z addresses from the SonicWall when I do a packet capture.
0
Joseph Hornsey, President and Janitor, Commented:
That's what I thought.

The whole point of a firewall is to separate one network from another.  NAT is a critical part of that as it keeps internal addresses from ever being exposed to the external networks.  The SonicWall will only see the IP Address of the outside interface of the ASUS; it will never see any of the addresses behind the ASUS.

Now, you can still do packet captures, etc. on the SonicWall to determine what's going through that firewall, but it won't capture packets to let you know what's happening on the ASUS.

To get a full picture, you'll have to run captures on both and then cross-reference.
0
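An added example (not from this thread or from either vendor) of the cross-referencing Joseph describes: the SonicWall capture only ever shows the ASUS WAN address, so the LAN host behind it can be recovered only by joining that capture against a capture taken on the ASUS LAN side. The capture lines below are constructed, the column layout is assumed, and the script prefers an exact source-port match, falling back to the nearest-in-time flow when the ASUS has rewritten the port (PAT).

```python
from collections import namedtuple
# Constructed sample capture lines (not real SonicWall or ASUS output).
# Fields: time_seconds src_ip src_port dst_ip dst_port proto
# The SonicWall only ever sees the ASUS WAN address, 192.168.168.65.
SONICWALL_CAPTURE = """\
10.000 192.168.168.65 51000 203.0.113.10 443 tcp
10.050 192.168.168.65 51001 203.0.113.10 80 tcp
10.200 192.168.168.65 60000 203.0.113.53 53 udp
"""
# The ASUS LAN-side capture still shows the real 10.0.0.x hosts; the
# last flow had its source port rewritten by the ASUS (PAT).
ASUS_LAN_CAPTURE = """\
9.998 10.0.0.5 51000 203.0.113.10 443 tcp
10.048 10.0.0.7 51001 203.0.113.10 80 tcp
10.198 10.0.0.9 40000 203.0.113.53 53 udp
"""
Flow = namedtuple("Flow", "ts src_ip src_port dst_ip dst_port proto")

def parse_capture(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6:
            continue  # skip blank or malformed lines
        flows.append(Flow(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5]))
    return flows

def correlate(outer, inner, nat_ip, window=0.5):
    """Map each SonicWall-side flow from nat_ip back to the LAN host that sent it:
    exact source-port match first, else nearest-in-time flow to the same destination."""
    result = {}
    for o in outer:
        if o.src_ip != nat_ip:
            continue  # not a NATed flow from the ASUS
        cands = [i for i in inner
                 if (i.proto, i.dst_ip, i.dst_port) == (o.proto, o.dst_ip, o.dst_port)
                 and abs(i.ts - o.ts) <= window]
        if not cands:
            result[o.src_port] = (None, "unmatched")
            continue
        same_port = [i for i in cands if i.src_port == o.src_port]
        if same_port:
            result[o.src_port] = (same_port[0].src_ip, "port-preserved")
        else:
            best = min(cands, key=lambda i: abs(i.ts - o.ts))
            result[o.src_port] = (best.src_ip, "nearest-time")
    return result

def run_example():
    return correlate(parse_capture(SONICWALL_CAPTURE),
                     parse_capture(ASUS_LAN_CAPTURE), "192.168.168.65")
```

The nearest-time fallback is only as good as the clock alignment between the two captures, so keep the window tight and treat those matches as lower confidence.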
azpete, Author, Commented:
When I do a Capture EVERYTHING on the SonicWall, all I see is ONE "LAN" IP on the SonicWall (which is the "WAN" address of the ASUS).
This actually makes perfect sense. Then I thought - hey, I know the MAC addresses of everything on the LAN. BUT the SonicWall Packet Capture does not appear to have a MAC field to capture.
0
Joseph Hornsey, President and Janitor, Commented:
Yeah.... MAC addresses are L2, so they're not passed between network segments.
0
Joseph Hornsey, President and Janitor, Commented:
I fully answered the question and follow ups.
0