Step 1
The first step in this type of debugging is to allow pings from the external source for testing purposes.
Use this command:
conduit permit icmp any any
Step 2
Next, turn on debug icmp trace.
Note
Use of the debug packet command on a PIX Firewall experiencing a heavy load may result in the output displaying so fast that it may be impossible to stop the output by entering the no debug packet command from the console. You can enter the no debug packet command from a Telnet session.
Step 3
Have an external site try to ping the internal system via the translated address. For example, if your web server has an internal address of 10.10.10.1 and a translated address of 200.200.200.1, have the external site ping the 200.200.200.1 address.
Step 4
If you do not see the packets on the PIX, check the external router to ensure that they are making it there. If they are, check the routing table on the external router to make sure that the router knows how to route the packet. If the routing tables are correct, check the ARP table on the router to make sure that it has the proper MAC address for the packet. It should be the same as the PIX's external MAC address.
Step 5
Check the static and conduit statements in the configuration on the PIX for the server in question, and ensure that they are correct. You can also check with the following two commands:
- show static — This will show all the static addresses currently assigned.
- show conduit — This will show all the conduits that are currently applied.
Step 6
If the packet goes through, have the external site try to get to the server again. This time, use port 80 (web browsing). If the external user cannot get to the server, check the log for their address and see whether the address is getting denied.
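As an added example (not from the original text or from Cisco), the following Python parses constructed lines in the syntax of the static and conduit commands used in Steps 1 and 5 and reports, for a translated address, the internal address behind it and whether the ICMP and port 80 flows tested in Steps 3 and 6 would be matched by a permit conduit. The sample configuration and the function names are constructed for this example; only the destination (global) side of each conduit is evaluated, with the source assumed to be any.

```python
import ipaddress
import re
# Constructed sample in the form of PIX static/conduit statements (not from the page), reusing its 10.10.10.1 -> 200.200.200.1 mapping.
SAMPLE_CONFIG = """
static (inside,outside) 200.200.200.1 10.10.10.1 netmask 255.255.255.255 0 0
static (inside,outside) 200.200.200.2 10.10.10.2 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 200.200.200.1 eq 80 any
"""

def parse_statics(lines):
    """Map each translated (global) address to its internal (local) address."""
    statics = {}
    for line in lines:
        m = re.match(r"static \(\S+\) (\S+) (\S+) netmask", line)
        if m:
            statics[m.group(1)] = m.group(2)
    return statics

def _addr_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _port_spec(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens

def conduit_permits(lines, proto, global_ip, port=None):
    """True if a 'conduit permit' for proto covers the global address (and port, if given)."""
    ip = ipaddress.ip_address(global_ip)
    for line in lines:
        tokens = line.split()
        if tokens[:3] != ["conduit", "permit", proto]:
            continue
        dst_net, rest = _addr_spec(tokens[3:])   # global side of the conduit
        dst_port, _ = _port_spec(rest)           # no 'eq' means every port; foreign side ignored
        if ip in dst_net and dst_port in (None, port):
            return True
    return False

def check_server(config_text, global_ip, proto, port=None):
    """Return (internal address or None, permitted) for a flow to the translated address."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    return parse_statics(lines).get(global_ip), conduit_permits(lines, proto, global_ip, port)
```

Running check_server against the output of show static and show conduit pasted into config_text gives a quick cross-check of Step 5 before moving on to the port 80 test in Step 6.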