While troubleshooting an issue today I ran into something I haven't seen before.
I have a client in a remote subnet, traffic passes through a Cisco ASA 5510, then on to the server.
Capturing at both ends, we were missing some packets at the server side, and the client was receiving packets we never sent.
Issue was resolved by disabling ‘skinny’ inspection. However, I noticed when I compared captures that the sequence and acknowledgement numbers were different on each capture. The Cisco ASA is changing the sequence numbers. They ingress with one sequence number then egress with a completely different number. Return packets are graciously remangled back to the number the recipient is expecting. When I first saw this, it appeared to be a spoofing/man-in-the-middle attack, but then I found it was my firewall.
I thought a firewall just forwards packets after inspection; has anyone ever noticed this behaviour?
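One way to tell in-path sequence number rewriting apart from dropped or injected segments when you have a capture on each side, as an added example that is not from the original post: pair the segments of each flow across the two captures and look at the seq/ack deltas. The packet records, hosts and numbers below are constructed for the example and assume the device in between leaves the payload alone.

```python
from collections import namedtuple

# Minimal per-segment record: the fields tcpdump/tshark show for a TCP packet.
Pkt = namedtuple("Pkt", "src sport dst dport seq ack payload")

def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)

def pair_packets(cap_a, cap_b):
    """Pair segments across two captures by flow and payload bytes (assumption: seq/ack
    get rewritten, payload does not). A segment in only one capture was dropped or injected."""
    index = {}
    for p in cap_b:
        index.setdefault((flow_key(p), p.payload), []).append(p)
    pairs, only_a = [], []
    for p in cap_a:
        cands = index.get((flow_key(p), p.payload))
        if cands:
            pairs.append((p, cands.pop(0)))
        else:
            only_a.append(p)
    only_b = [p for cands in index.values() for p in cands]
    return pairs, only_a, only_b

def classify_flows(pairs):
    """Per flow, the set of (seq delta, ack delta) mod 2^32 between the capture points. One
    non-zero delta for every segment is what in-path rewriting looks like; several is not."""
    deltas = {}
    for a, b in pairs:
        d = ((b.seq - a.seq) & 0xFFFFFFFF, (b.ack - a.ack) & 0xFFFFFFFF)
        deltas.setdefault(flow_key(a), set()).add(d)
    return {f: "untouched" if ds == {(0, 0)} else
               "constant offset: in-path seq/ack rewriting" if len(ds) == 1 else
               "varying offset: investigate"
            for f, ds in deltas.items()}

# Constructed captures (not real traffic): the same flow seen at the client and the server,
# with the device in between adding 4000 to the client's seq and mapping acks back.
C, S = "10.1.1.10", "10.2.2.20"
CLIENT_CAP = [
    Pkt(C, 40000, S, 80, 1000, 0, b""),            # SYN as the client sent it
    Pkt(S, 80, C, 40000, 9000, 1001, b""),         # SYN/ACK as the client received it
    Pkt(C, 40000, S, 80, 1001, 9001, b"GET /"),
    Pkt(S, 80, C, 40000, 9001, 1006, b"HTTP/1.1 200 OK"),
]
SERVER_CAP = [
    Pkt(C, 40000, S, 80, 5000, 0, b""),            # same SYN, seq rewritten to 5000
    Pkt(S, 80, C, 40000, 9000, 5001, b""),
    Pkt(C, 40000, S, 80, 5001, 9001, b"GET /"),
    Pkt(S, 80, C, 40000, 9001, 5006, b"HTTP/1.1 200 OK"),
]
```

Segments returned in `only_a` or `only_b` are the ones to chase (missing at the server, or received by the client but never sent), while a constant offset on every paired segment is just the rewriting described above.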