Troubleshooting Techniques
Table 25-3 suggests what actions to take when presented with the two most common PIX firewall
connectivity problems.
Table 25-3 Troubleshooting Techniques

Symptom: The internal host cannot access a host on the Internet.

Possible Problem: The Network Translation Table does not include the network that the host is on.
Suggested Actions: Make sure that the NAT command includes the network the host is on. For example:
    Host address 171.68.101.1
    nat (inside,outside) 1 171.68.0.0 255.255.0.0

Possible Problem: There are no more addresses in the global statement to handle the number of internal hosts.
Suggested Actions: Make sure that there are sufficient global addresses for all the internal hosts.
    global (outside) 1 200.200.200.2-200.200.200.250
Or, use port address translation (PAT):
    global (outside) 1 200.200.200.2-200.200.200.2

Possible Problem: The host's default gateway is not set to the proper address.
Suggested Actions: If the host is on the same network as the PIX, it must have the PIX's inside interface for its default gateway.

Possible Problem: The router on the outside of the PIX does not know how to route the addresses that you have defined in the global pool back to the PIX.
Suggested Actions: This is normally caused by using addresses in the global pool definition that are on a different network than the outside interface of the PIX. Have a static route for those global addresses put on the outside router.

Possible Problem: The PIX was recently changed or replaced, and the ARP table on the outside router has not cleared yet.
Suggested Actions: Use the clear arp command on the outside router.

Possible Problem: The host's default gateway is not set to the proper address.
Suggested Actions: Check the default gateway on the user's host.
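
The translation checks from Table 25-3 can be run offline against a saved configuration. The following is an added example, not code from the original text: check_translation, SAMPLE_CONFIG, the host count and the outside network passed in are all assumptions made for illustration, and the sample configuration is constructed from the statements quoted in the table.

```python
import ipaddress
import re

# Constructed sample config built from the statements quoted in Table 25-3.
SAMPLE_CONFIG = """\
nat (inside,outside) 1 171.68.0.0 255.255.0.0
global (outside) 1 200.200.200.2-200.200.200.250
"""

NAT_RE = re.compile(r"^nat \([^)]+\) (\d+) (\S+) (\S+)", re.M)
GLOBAL_RE = re.compile(r"^global \([^)]+\) (\d+) (\S+)", re.M)


def check_translation(config, host, inside_hosts, outside_net):
    """Return Table 25-3 findings for one inside host (hypothetical helper)."""
    host = ipaddress.ip_address(host)
    outside_net = ipaddress.ip_network(outside_net)
    # NAT coverage: which nat ids include the network the host is on?
    nat_ids = {nat_id for nat_id, net, mask in NAT_RE.findall(config)
               if host in ipaddress.ip_network(f"{net}/{mask}", strict=False)}
    if not nat_ids:
        return ["no nat statement includes the host's network"]
    findings, size, pat, off_net = [], 0, False, False
    for nat_id, spec in GLOBAL_RE.findall(config):
        if nat_id not in nat_ids:
            continue
        first, _, last = spec.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last or first)
        size += int(hi) - int(lo) + 1
        pat = pat or lo == hi          # a single address is a PAT entry
        off_net = off_net or lo not in outside_net or hi not in outside_net
    # Pool exhaustion: without PAT the pool must cover the inside hosts.
    if size == 0:
        findings.append("no global statement matches the nat id")
    elif not pat and size < inside_hosts:
        findings.append(f"global pool has {size} addresses for {inside_hosts} hosts")
    # Return routing: off-net pool addresses need a static route on the outside router.
    if off_net:
        findings.append("global pool is not on the outside interface network")
    return findings


if __name__ == "__main__":
    print(check_translation(SAMPLE_CONFIG, "171.68.101.1", 500, "200.200.200.0/24"))
```

An empty list means the NAT, global pool and return-route conditions from the table are satisfied; the default gateway and ARP rows still have to be checked on the host and the outside router.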