Traffic Being Lost Between Firewall and VMWare VM

inTheKnowSea
I am setting up our infrastructure to enable remote phones on a new phone system we installed. The phone vendor requirements were fairly simple: port forward UDP 443 to a device on our DMZ (the virtual machine). Easy, or so I thought.

Everything looks good from the Firewall end. If I plug in the phone, I can see the traffic hit the firewall and be forwarded to the device, let's say it is 11.11.11.11. No issues I can see from the firewall end. It's a Barracuda NG F280; I have gone over it over and over with Barracuda support and they see nothing from their end.

The issue is that traffic never hits 11.11.11.11. I have set up a monitoring VM on my DMZ with Wireshark and never see the traffic. The VM has a packet monitor built in so I can create packet captures on the interface directly; I never see the traffic. If I run a netcat command for UDP 443, I see nothing. I see other traffic. If I ping 11.11.11.11 from anywhere else on the network, I see it. There is nothing between this device and the Firewall except the VMWare hypervisor.

I am at a loss at this point. My Firewall vendor says it isn't on their end, my phone vendor says it isn't on theirs. I believe that to be the truth, but I don't know what else it could be. Does anyone have any ideas? The only thing I can think of is something in VMWare, but I have never seen VMWare block traffic like that before.

Some more info:

Seems localized in some way to port number. If I change my forwarding rule to port 3300 instead of 443, and send a UDP packet over 3300, it gets there fine.
I tried forwarding 3389, and it works. I can RDP over the internet with this setup.
The Firewall is my only L3 device
I have a web filter on site that I have disabled for the time being
I can ping the 11.11.11.11 device from anywhere else on my network
I set up another device on the 11.11.11.0/24 network, and UDP 443 traffic does not hit that either
The gateway for the device is correct
Windows Firewall turned off on my testing VM
Phone vendor is involved, they just take a packet capture of the 11.11.11.11 interface, see no UDP 443 traffic and blame the Firewall
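A small probe that reproduces the test described above in a repeatable way (send tagged UDP datagrams to several ports from one source, record on the DMZ host which ones actually arrive, so that a port-selective drop like the 443-vs-3300 behaviour stands out). This is an added example, not code from the thread; it assumes Python 3 on both ends, that binding a port below 1024 on the listener needs root, and the loopback ports 50443/53300 are constructed values for the self-check only.

```python
import select
import socket
import time

PROBE_TAG = b"udp-probe:"  # constructed marker so unrelated datagrams are not counted

def open_listeners(bind_addr, ports):
    """On the DMZ host: bind one non-blocking UDP socket per candidate port."""
    listeners = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.setblocking(False)
        listeners[port] = s
    return listeners

def send_probes(host, ports):
    """From outside the firewall: one tagged datagram per port, all from one source."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for port in ports:
            s.sendto(PROBE_TAG + str(port).encode(), (host, port))

def collect(listeners, timeout=2.0):
    """Wait up to timeout seconds; return {port: arrived?} counting tagged probes only."""
    port_of = {s: port for port, s in listeners.items()}
    seen = {port: False for port in listeners}
    deadline = time.monotonic() + timeout
    while not all(seen.values()) and time.monotonic() < deadline:
        wait = max(0.0, deadline - time.monotonic())
        ready, _, _ = select.select(list(listeners.values()), [], [], wait)
        for s in ready:
            data, _ = s.recvfrom(2048)
            if data == PROBE_TAG + str(port_of[s]).encode():
                seen[port_of[s]] = True
    return seen

def missing_ports(seen):
    """Ports whose probe never arrived; with other ports present this points at a
    port-selective filter somewhere in the path rather than at the VM itself."""
    return sorted(port for port, arrived in seen.items() if not arrived)

def loopback_selfcheck(ports=(50443, 53300)):
    """Prove the tool works on 127.0.0.1 before trusting a negative result."""
    listeners = open_listeners("127.0.0.1", ports)
    try:
        send_probes("127.0.0.1", ports)
        return collect(listeners)
    finally:
        for s in listeners.values():
            s.close()
```

In the scenario above you would run `collect(open_listeners("0.0.0.0", [443, 3300]), timeout=30)` on the DMZ host and `send_probes("<public IP>", [443, 3300])` from outside; a result of `missing_ports(...) == [443]` is the thread's symptom in one line.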
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Is the public address you are forwarding through shared, or dedicated just to this device? Could the firewall be forwarding to another IP?

Author

Commented:
The IP is dedicated, it only services this device. I can verify the firewall rule on the inbound traffic that it is forwarding to the correct IP.
SouljaSr.Net.Eng

Commented:
Ok secondly, does the firewall have a route to the internal device?
Author

Commented:
Yes, a route is on the firewall and fully functioning.
SouljaSr.Net.Eng

Commented:
Is this same firewall NATing for other devices successfully?

Author

Commented:
Yes, the firewall works in all other cases. In fact, if I change the specific rule that isn't working to forward 3389 (TCP) instead of 443 (UDP), RDP works fine. It seems very specific to specific ports. I have tried 443 and 445, neither work, but 3300 (UDP) and 3389 (TCP) work fine. This is just changing the port settings on this specific firewall rule, nothing else.
SouljaSr.Net.Eng

Commented:
Man, this is really strange. I am at a loss. Hopefully another expert can chime in on this one.

Author

Commented:
I eventually figured this out. A web filter on the network that was disabled was still filtering traffic... for whatever reason.
SouljaSr.Net.Eng

Commented:
Glad you figured it out. I knew it didn't make sense. That explains it.