Finding the Real Problem
The PIX is the gateway to the Internet for the network, so it is normally blamed when a user cannot
get out to the Internet. Although the PIX might be the problem, many other elements along the path
might be causing it. The quick checklist below covers the other areas that could be at fault.
User's host machine
- Can the host machine ping to anything else on the inside network?
- Is the proper default gateway assigned?
- Can the host machine ping the inside interface of the PIX?
Protected inside router
- Can the router ping the inside interface of the PIX?
- Can the router ping the user's host?
- Can the router get to anything on the external network?
PIX
- Can the PIX ping the outside router?
- Can the PIX get to an external site past the outside router?
- Is the host's address defined in the nat command?
- Are there enough addresses defined in the global pool for all the internal hosts?
Unprotected outside router
- Can the outside router get to the Internet?
- Does the outside router see packets coming from the PIX?
As you can see, many other factors are involved when troubleshooting the PIX Firewall.
debug Commands
The following commands are helpful when debugging the PIX Firewall.
show debug —Used to display what debugging is turned on.
show debug
debug icmp trace off
debug packet off
debug sqlnet off
debug icmp trace —When a host is pinged through the PIX Firewall from any interface, trace
output displays on the console. The following example shows a successful ping from an external
host (192.150.50.42) to the PIX Firewall's outside interface (200.200.200.1).
router# debug icmp trace
Inbound ICMP echo reply (len 32 id 1 seq 256) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 512) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 768) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 1024) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 192.150.50.1 > 192.150.50.42
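A trace like the one above can be checked mechanically by pairing each echo request with its reply on source, destination, id and seq; a request left unpaired marks a ping that went unanswered. The following is an added example, not from the original text: the function name pair_icmp_trace and the final seq 1280 line are constructed for illustration, and the parser assumes the line format shown above.

```python
import re

# One line of "debug icmp trace" output, in the format shown in the trace above.
LINE_RE = re.compile(
    r"(?P<dir>Inbound|Outbound) ICMP echo (?P<kind>request|reply) "
    r"\(len (?P<len>\d+) id (?P<id>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3})"
)

def pair_icmp_trace(text):
    """Return (answered, unanswered, orphan_replies) as lists of
    (requester, responder, id, seq) tuples."""
    pending = {}              # requests still waiting for a reply
    answered, orphans = [], []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue          # prompt, blank line or other debug output
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = line
        else:
            # A reply travels the reverse path, so swap src and dst.
            key = (m["dst"], m["src"], ident, seq)
            if pending.pop(key, None) is not None:
                answered.append(key)
            else:
                orphans.append(key)   # reply whose request was not captured
    return answered, list(pending), orphans

# Trace from this page plus one constructed request (seq 1280) with no reply.
SAMPLE = """\
router# debug icmp trace
Inbound ICMP echo reply (len 32 id 1 seq 256) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 512) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 768) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 1024) 192.150.50.42 > 192.150.50.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 192.150.50.1 > 192.150.50.42
Outbound ICMP echo request (len 32 id 1 seq 1280) 192.150.50.42 > 192.150.50.1
"""

if __name__ == "__main__":
    answered, unanswered, orphans = pair_icmp_trace(SAMPLE)
    print("answered  :", [k[3] for k in answered])
    print("unanswered:", [k[3] for k in unanswered])
    print("orphans   :", [k[3] for k in orphans])
```

The first reply in the page's trace (seq 256) is reported as an orphan because its request was sent before the capture began, which is normal when debugging is switched on mid-ping.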