
Cisco: How ‘Bout I route my fist into your face, Bloomberg Trade Feed?!

So, this trade feed piece, used by one of my clients, was working. Then it broke. What broke? No one knows; and at this point, no one cares.

So it’s pretty simple what I need to do: survey the area, and get a static route going in the routing piece, which happens to be a PIX.
Well, the interface that the Bloomberg routers (a failover pair) sit on, which carries a single subnet with no VLANs, was already NATed. In fact, traffic was already flowing from one of the other subnets to the Bloomberg router. Wait… that subnet lives directly on the PIX; it isn’t a VLAN like the subnet that the server needing Trade Feed access is on.
But still, the servers can get through the PIX to the internet. The servers sit behind an interface with a security level of 100, and the Bloomberg routers are on an interface with a security level of 20. No ACL is needed for that direction, and there’s a NAT/PAT in place, which Bloomberg likes because they can secure their router like a.. like a… like a NYSE entrance.
The route is there, on the PIX, where the other routes (including the default route) are. But the hosts can’t see the route. A static route on the host doesn’t work either, because the gateway isn’t on the same subnet as the host.

Listen here, Server, use that gateway. Use it.

Happy Valentine’s day.

Update
I’ve given in and called CiscoTAC. I could’ve used the PDM, but that’s cheating. I’d rather call CiscoTAC. C’mon, Juan, at Cisco HQ, let’s do this.

Update 2

It was good to find out that my knowledge of firewalls is proper. It turns out that the route is working fine. To prove this to Bloomberg and put the ball back in their court, ICMP echo-replies were enabled (via ACL) inbound on the interface facing their router, and we then pinged the Bloomberg Trade Feed server successfully. Next we captured the server’s trade feed application starting a TCP session with their server and then disconnecting. Figuring that the application starts a session on the port Bloomberg provided to the client, after which their server comes back on another port and creates a second session, any IP packets arriving on the interface facing the Bloomberg router with a destination anywhere on the CIDR subnet that is the client’s network are now allowed via ACL. “What’s that?” you say? “A CIDR network on a network that has how many hosts?” About 60 hosts. Yes, the people who developed the network decided that they would use a 22-bit CIDR network. That’s right! 1,024 hosts available; 60 hosts present. ^wtf

Who does that?!

This still did not function. However, capturing this SYN/ACK/FIN conversation and providing it to Bloomberg now puts the issue on them.
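As an added illustration (not part of the original post), the script below replays a capture shaped like the SYN/ACK/FIN exchange described above, groups it into TCP sessions, and works out which inbound permits the capture actually justifies, so that can be compared with a blanket permit from the Bloomberg side to the entire /22. It also checks the earlier snag that a host static route needs a gateway on the host’s own subnet. All addresses, ports and the 60-host count are constructed placeholders.

```python
# Added example, not from the post: reconstruct TCP sessions from a packet list
# and derive the narrowest inbound permits they justify, versus a blanket rule.
# All addresses and ports are constructed placeholders.
import ipaddress

CLIENT_NET = ipaddress.ip_network("10.20.0.0/22")   # the client's 22-bit network (placeholder)
FEED_SERVER = ipaddress.ip_address("192.0.2.10")     # Bloomberg Trade Feed host (placeholder)

# Constructed packets as (src, sport, dst, dport, tcp_flags): the app opens one
# session to the published port, then the feed server comes back with a second one.
PACKETS = [
    ("10.20.1.5", 40001, "192.0.2.10", 5001, "S"),
    ("192.0.2.10", 5001, "10.20.1.5", 40001, "SA"),
    ("10.20.1.5", 40001, "192.0.2.10", 5001, "A"),
    ("192.0.2.10", 5001, "10.20.1.5", 40001, "FA"),
    ("192.0.2.10", 31000, "10.20.1.5", 5002, "S"),
    ("10.20.1.5", 5002, "192.0.2.10", 31000, "SA"),
    ("192.0.2.10", 31000, "10.20.1.5", 5002, "FA"),
]

def tcp_sessions(packets):
    """Group packets into sessions keyed by (initiator, target, dport) of the opening SYN."""
    by_tuple = {}
    for src, sport, dst, dport, flags in packets:
        if flags == "S":                                # a bare SYN opens a new session
            by_tuple[(src, sport, dst, dport)] = {"S"}
            continue
        for key, seen in by_tuple.items():             # later packets match either direction
            if key in ((src, sport, dst, dport), (dst, dport, src, sport)):
                seen.add(flags)
    merged = {}
    for (init, _, target, dport), seen in by_tuple.items():
        merged.setdefault((init, target, dport), set()).update(seen)
    return merged

def feed_initiated_permits(sessions):
    """Inbound permits the capture justifies: sessions opened from outside toward client hosts."""
    return sorted((i, t, p) for (i, t, p) in sessions
                  if ipaddress.ip_address(t) in CLIENT_NET
                  and ipaddress.ip_address(i) not in CLIENT_NET)

def blanket_rule_exposure(net=CLIENT_NET, hosts_present=60):
    """Addresses a permit-anything-to-the-/22 rule covers, and how many have no host behind them."""
    return net.num_addresses, net.num_addresses - hosts_present

def host_route_usable(host, prefixlen, gateway):
    """A host static route only works if the gateway sits on the host's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(f"{host}/{prefixlen}").network
```

Running `feed_initiated_permits(tcp_sessions(PACKETS))` on the constructed capture yields a single (feed host, client host, port) entry, which is the shape of rule the capture supports instead of a permit to the whole /22.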

/me dusts off hands, regains sanity.


Reference:
- ASA/PIX: Handling ICMP Pings and Traceroute
- capture
- route
- Using NAT and PAT Statements on the Cisco Secure PIX Firewall
