11-02-2006 05:18 AM - edited 03-09-2019 04:45 PM
Hi
I'm having a problem pinging a server through our PIX 515E firewall. What I would like to do is see where the packets are going after they enter the firewall, i.e. what is the next hop? How can I do that?
Thanks
Dan
11-02-2006 06:08 AM
To allow ping to successfully pass through the firewall, you need to either allow ICMP via ACL, or if the pinging machine pings from the internet/outside segment, you need to map your server to a public IP and include/allow ICMP in your ACL applied on the inside interface.
As for routing, if the server sits behind another L3 device like router/L3 switch, you need to tell firewall where/how to route to reach them.
BTW, what do your firewall config related to the server (static map), ACL and routing look like?
HTH
AK
11-02-2006 06:47 AM
Hi
Thanks for your input. However I'm trying to debug at the moment and really need debugging help as opposed to pix configuration help.
Thanks
Dan
11-03-2006 02:34 AM
Hi Dan ,
I assume that your topology is similar to this one
(system)------(PIX515E)------(server)
In PIX enable the following two debug commands
PIX(config)#debug icmp trace
PIX(config)#logging on
If you want to view the debug messages through the 'telnet' session, configure the 'telnet monitor' command as well.
After that, from the system use the 'tracert' command
C:\>tracert
It will show you the route path.
I hope this will help
11-03-2006 08:49 PM
If you try to just ping and issue the 'debug icmp trace' command, I believe in the log you'll see something like deny icmp by xxx ACL on the YYY interface.
There are other related options you can use to get more info, i.e. using ACL, enable/disable ip audit (IDS feature).
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00805521b6.html
HTH
AK
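The debug procedure above (debug icmp trace plus logging) and the deny messages mentioned in the last reply produce a lot of interleaved lines once a tracert is running. As an added example, not from this thread or from Cisco, here is a small Python correlator that pairs each echo request with its reply and lists the probes that got no answer, alongside any ICMP deny messages. The sample log is constructed and styled after PIX 7.x 'debug icmp trace' and %PIX-3-106014 output; the exact wording differs between PIX versions, so the regexes are an assumption to adapt.

```python
"""Correlate PIX 'debug icmp trace' lines with ICMP deny syslog messages.
Added example, not code from this thread.  Sample lines are constructed in
the style of PIX 7.x 'debug icmp trace' and %PIX-3-106014 output; wording
differs between PIX versions, so adapt the regexes to what your box prints."""
import re

# Constructed sample: seq=1 is answered, seq=2 never gets a reply, and the
# reply for seq=3 is dropped by the ACL on the outside interface.
SAMPLE_LOG = """\
ICMP echo request from inside:192.168.1.10 to outside:10.1.1.5 ID=1 seq=1 len=32
ICMP echo reply from outside:10.1.1.5 to inside:192.168.1.10 ID=1 seq=1 len=32
ICMP echo request from inside:192.168.1.10 to outside:10.1.1.5 ID=1 seq=2 len=32
ICMP echo request from inside:192.168.1.10 to outside:10.1.1.6 ID=1 seq=3 len=32
%PIX-3-106014: Deny inbound icmp src outside:10.1.1.6 dst inside:192.168.1.10 (type 0, code 0)
"""
TRACE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from \w+:(?P<src>[\d.]+) "
    r"to \w+:(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)")
DENY_RE = re.compile(
    r"Deny inbound icmp src (?P<sif>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)")


def correlate(log_text):
    """Return (unanswered, denied): unanswered holds (src, dst, id, seq) of
    echo requests with no matching reply; denied holds (src_if, src, dst_if, dst)."""
    pending = {}          # open probes, keyed by (src, dst, id, seq)
    denied = []
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                pending[key] = True
            else:
                # A reply closes the request with src and dst swapped.
                pending.pop((m["dst"], m["src"], key[2], key[3]), None)
            continue
        m = DENY_RE.search(line)
        if m:
            denied.append((m["sif"], m["src"], m["dif"], m["dst"]))
    return list(pending), denied


if __name__ == "__main__":
    unanswered, denied = correlate(SAMPLE_LOG)
    for src, dst, ident, seq in unanswered:
        print(f"no reply for {src} -> {dst} id={ident} seq={seq}")
    for sif, src, dif, dst in denied:
        print(f"reply from {src} denied inbound on {sif}, never reached {dif}")
```

Feed it the captured telnet session instead of SAMPLE_LOG; a probe that shows up as unanswered with no matching deny line was forwarded by the PIX and lost beyond it, which points at routing or the far side rather than the ACL.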