b. The default route or static route on the inside router. Make sure that the inside router is configured
to route the traffic both ways.
PIX cannot ping user's system. If not on the same network, check the internal router. If the PIX can
ping the internal router but not beyond, make sure that the PIX knows how to get to that subnet.
a. Check the default inside route on the PIX. In the following example, the default route would be
100.100.100.2.
Route inside 0.0.0.0 0.0.0.0 100.100.100.2 1
b. Check the routing table on the inside router to make sure that the inside router knows how to
properly route the packets.
Step 2
On the PIX, turn on debug icmp trace.
Allow ICMP traffic through the PIX. To do this enter the following command:
conduit permit icmp any any
Note
Use of the debug packet command on a PIX Firewall experiencing a heavy load
may result in the output displaying so fast that it may be impossible to stop the
output by entering the no debug packet command from the console. You can enter
the no debug packet command from a Telnet session.
Next find out if the user's system has a translated address. To do this, use the following command:
show xlate local ip_address
If there is a translated address, you will need to clear the address. Use the following command:
clear xlate local ip_address
Try to access a web site from the user's system.
Step 3
Check the translation table to make sure that a translation was built for the user's system. Refer to the
command in Step 2.
Step 4
If there was no translation built, have the user's system try to ping an outside system, and then watch
the output from the debug command. If you do not see any output, then the packet is not making it to
the PIX. If the packet is making it to the PIX, then check the syslog output and check to make sure that
there are enough addresses in the global command. Verify that the user's address is included in the nat
command addresses. Check other items between the PIX and the user's system. Confirm that there is a
valid default route.
Step 5
If there was a translation built, turn on debugging of the packet, and see if the packet is traveling through
the PIX.
Step 6
If the packet goes out but you do not get a return, then the outside router does not know how to return
the traffic. Check the routing table on the outside router.
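
The nat and global checks from Step 4, as an added Python example that is not part of the original text: it parses nat and global lines from a PIX configuration and reports whether a given inside address is covered and whether its global pool still has free addresses. The sample configuration is constructed, and the function names and the active_xlates parameter (a count you would take from show xlate output) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample PIX configuration (not from the original page).
SAMPLE_CONFIG = """\
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 2 10.2.0.0 255.255.0.0
global (outside) 1 192.0.2.10-192.0.2.12
global (outside) 2 192.0.2.50
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
# Matches "global (if) id first[-last]"; other forms are skipped.
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ([\d.]+)(?:-([\d.]+))?")

def parse(config):
    """Return ({nat_id: [networks]}, {nat_id: pool_size}) from config text."""
    nats, pools = {}, {}
    for line in config.splitlines():
        line = line.strip().lower()
        if m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            nats.setdefault(int(m[2]), []).append(net)
        elif m := GLOBAL_RE.match(line):
            first = ipaddress.ip_address(m[3])
            last = ipaddress.ip_address(m[4] or m[3])
            n = int(m[2])
            pools[n] = pools.get(n, 0) + int(last) - int(first) + 1
    return nats, pools

def check_host(config, host, active_xlates=0):
    """Report why a translation may not be built for an inside host."""
    nats, pools = parse(config)
    addr = ipaddress.ip_address(host)
    ids = [i for i, nets in nats.items() if any(addr in n for n in nets)]
    if not ids:
        return "no nat statement covers this address"
    nat_id = ids[0]
    if nat_id == 0:
        return "nat 0: address is not translated (identity NAT)"
    size = pools.get(nat_id, 0)
    if size == 0:
        return f"nat id {nat_id} has no matching global statement"
    if size == 1:
        return f"nat id {nat_id}: single global address (PAT)"
    if active_xlates >= size:
        return f"nat id {nat_id}: global pool exhausted ({active_xlates}/{size})"
    return f"nat id {nat_id}: {size - active_xlates} of {size} global addresses free"
```
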
Step 7
External Users Cannot Access an Internal System (Web Server, Mail Server)
The following six steps provide a practical approach to troubleshooting common problems associated
with external users having difficulty accessing a company's internet/mail servers.