Sep 22, 2010

The gateway address is wrong, but I have access to the Internet. Why?

In order to reach unknown networks, a host needs to use a gateway to forward the traffic. The gateway is some device connected to the local network and to at least one external network. That device must be able to route packets, so that it can forward the traffic toward unknown destinations. Ok, we know that. What's the big news?

Is it possible to reach the Internet even when the gateway address is wrong? Yes. Maybe. I will demonstrate how, using the following scenario:

Device addresses:

asa# show ip address | begin Current
Current IP Addresses:
Interface   Name     IP address     Subnet mask    Method
Ethernet0   outside  manual
Ethernet1   inside  manual

ISP#show ip interface brief
Interface        IP-Address     OK?  Method Status Protocol
FastEthernet0/0  YES  manual up     up
FastEthernet0/1    YES  manual up     up 

While configuring the firewall policy, the administrator made a typo and entered the wrong gateway address:

asa# show route | i Gateway
Gateway of last resort is to network

Let's try to ping some Internet destination, then check what happens:

asa# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/126/127 ms

Since the destination is not a member of the local network, the firewall needs to use the gateway. It already knows the gateway IP address, but it needs the MAC address to build the Ethernet header:

asa# show debug
debug arp enabled at level 1
arp-req: generating request for at interface outside
arp-send: arp request built from 00aa.00c1.fa00 for at 14925090
arp-in: response at outside from cc00.0f08.0000 for 00aa.00c1.fa00
arp-set: added arp outside cc00.0f08.0000 and updating NPs at 14925130
arp-in: resp from for on outside at 14925130
arp-send: sending all saved block to outside at 14925130

ISP#show debug
  ARP packet debugging is on
*Sep 22 14:20:00.394: IP ARP: rcvd req src 00aa.00c1.fa00, dst FastEthernet0/0
*Sep 22 14:20:00.398: IP ARP: sent rep src cc00.0f08.0000, dst 00aa.00c1.fa00 FastEthernet0/0

The debug outputs above show the ISP router performing proxy ARP: it answers the ARP request for the mistyped gateway address with its own MAC address. So the firewall obtains a usable gateway MAC address even when the gateway IP address is wrong. Forwarding to the next hop is a layer-2 operation, so the traffic reaches the ISP router and we have connectivity to the Internet.

asa(config)# end
asa# wr mem
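
To make the mechanism concrete, here is an added Python model of the ARP decision the ISP router makes; it is example code written for this post, not configuration or output from the ASA or the IOS router. The addresses are constructed from the RFC 5737 documentation ranges (192.0.2.0/24 between the ASA and the ISP, 198.51.100.0/24 upstream) and the MACs are the two that appear in the debug output above. The router answers an ARP request for its own address normally; with proxy ARP enabled it also answers for any target that is off the receiving segment and reachable through another interface, which is what rescues the mistyped gateway. The model also shows the "maybe": a typo that lands inside the local subnet gets no proxy reply, and with proxy ARP disabled on the interface (no ip proxy-arp on IOS) the misconfiguration surfaces immediately as an ARP failure instead of being masked. The gateway_config_matches_router check is the audit that finds the typo rather than relying on proxy ARP to hide it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    ip: str
    prefixlen: int
    mac: str
    proxy_arp: bool = True  # IOS enables proxy ARP on interfaces by default

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)


@dataclass
class Router:
    interfaces: list
    static_routes: list  # (prefix, exit interface name)

    def _iface(self, name: str) -> Interface:
        return next(i for i in self.interfaces if i.name == name)

    def lookup(self, dst: str):
        """Longest-prefix match over connected networks and static routes."""
        addr = ipaddress.ip_address(dst)
        table = [(i.network, i.name) for i in self.interfaces]
        table += [(ipaddress.ip_network(p), n) for p, n in self.static_routes]
        matches = [(net, name) for net, name in table if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def arp_reply(self, in_if_name: str, target_ip: str):
        """How the router answers an ARP request received on in_if for target_ip.

        Returns (mac, reason); mac is None when no reply is sent.
        """
        in_if = self._iface(in_if_name)
        if target_ip == in_if.ip:
            return in_if.mac, "own-address"
        out_if = self.lookup(target_ip)
        target_off_segment = ipaddress.ip_address(target_ip) not in in_if.network
        if in_if.proxy_arp and target_off_segment and out_if not in (None, in_if_name):
            # Proxy ARP: there is a route out another interface, so the router
            # answers with its own MAC and forwards on the requester's behalf
            return in_if.mac, "proxy-arp"
        return None, "no-reply"


def build_isp(proxy_arp: bool) -> Router:
    # Constructed addresses (RFC 5737); MACs are the ones in the debug output above
    return Router(
        interfaces=[
            Interface("FastEthernet0/0", "192.0.2.1", 24, "cc00.0f08.0000", proxy_arp),
            Interface("FastEthernet0/1", "198.51.100.2", 24, "cc00.0f08.0001", proxy_arp),
        ],
        static_routes=[("0.0.0.0/0", "FastEthernet0/1")],
    )


def firewall_reaches_internet(configured_gateway: str, isp: Router) -> dict:
    """Model the ASA on the FastEthernet0/0 segment resolving its configured gateway."""
    mac, reason = isp.arp_reply("FastEthernet0/0", configured_gateway)
    return {"gateway": configured_gateway, "next_hop_mac": mac,
            "reason": reason, "internet_ok": mac is not None}


def gateway_config_matches_router(configured_gateway: str, isp: Router) -> bool:
    """Audit: the configured gateway must be a real address on the router."""
    return configured_gateway in {i.ip for i in isp.interfaces}


if __name__ == "__main__":
    for proxy in (True, False):
        isp = build_isp(proxy)
        # correct gateway, mistyped third octet, typo inside the local subnet
        for gw in ("192.0.2.1", "192.0.3.1", "192.0.2.11"):
            print(f"proxy_arp={proxy} gateway={gw}: {firewall_reaches_internet(gw, isp)}")
```

Running it prints that 192.0.3.1 works only while proxy ARP is on, and that 192.0.2.11 never works, because the router holds a connected route for that address on the very interface the request arrived on and so has nothing to proxy for.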
