The debug icmp trace command output shows the ingress and egress interfaces, the source and destination IP addresses/ports, and the protocol information, which is enough to trace the packet flow through the firewall.

Note

You can turn off all debugging on the PIX firewall with the no debug all or undebug all command (u all is the short form).


debug application_protocol

To troubleshoot application-specific issues, for example Session Initiation Protocol (SIP) passing through the PIX firewall, run the debug for the corresponding protocol. For instance, to troubleshoot a Media Gateway Control Protocol (MGCP) problem with voice over IP (VoIP) traffic between a phone and Call Manager, run the debug mgcp command.

debug pix process

To debug NAT applied to addresses embedded in the packet payload, run debug pix process and check that the translation is performed correctly. For instance, if the PIX translates addresses inside MGCP messages, debug mgcp does not show those payload translations; for the NAT details you must run debug pix process.

debug fixup tcp | udp

Use this command to find inspection-related issues with a protocol. For example, to debug a problem with an FTP connection, run debug fixup tcp, which reports the inspection activity for that FTP connection.

capture Command

The capture command (introduced in Version 6.2) sniffs the packets that hit an interface of the PIX firewall; it supersedes the deprecated debug packet command. The capture command is executed from enable mode (not configuration mode), and you can optionally reference an access list to define the interesting traffic. Because a capture is bound to an interface, you can capture the same traffic both before and after it passes through the PIX by running one capture on the inside interface and one on the outside interface. Captures can be copied off the firewall via TFTP or retrieved over HTTPS.

Following is the syntax to enable capture on the PIX Firewall for traffic analysis:

capture capture-name [access-list acl-name] [buffer buf-size] [circular-buffer]
[ethernet-type type] [interface if-name] [packet-length bytes]

Table 3-6 summarizes the meaning of the arguments of the capture command.

Table 3-6. capture Command Arguments

Argument          Meaning
----------------  --------------------------------------------------------------
capture-name      Name of the capture; used to view or copy the data after it
                  is collected.
access-list       ACL that defines the traffic to capture.
buffer            Size of the capture buffer held in RAM (default 512 KB).
circular-buffer   Overwrite the buffer from the beginning when it is full. The
                  default is a non-circular buffer, which stops capturing when
                  the buffer is full.
ethernet-type     Capture only Ethernet frames of the given type. The default
                  is IP.
interface         Capture packets only on the named interface. The default is
                  all interfaces.
packet-length     Maximum number of bytes saved from each packet. The default
                  is 68 bytes.


To illustrate how to use the capture command on the PIX firewall, consider an example. Assume that an inside host (10.1.1.100) cannot Telnet to a server with IP address 200.1.1.100 on the outside, and that the host address 10.1.1.100 is translated to 50.1.1.100 on the outside. Work through the following steps to enable capture on the PIX firewall:

Step 1.
Create an ACL for both the inside and outside interfaces.

You must create two separate ACLs to apply with the capture for the inside and outside interfaces.

The inside interface ACL should use the untranslated source IP address and the destination IP address:

PIX(config)# access-list 100 permit tcp host 10.1.1.100 host 200.1.1.100 eq 23
PIX(config)# access-list 100 permit tcp host 200.1.1.100 eq 23 host 10.1.1.100

The outside interface ACL should use the translated source address and the destination IP address.

PIX(config)# access-list 101 permit tcp host 50.1.1.100 host 200.1.1.100 eq 23
PIX(config)# access-list 101 permit tcp host 200.1.1.100 eq 23 host 50.1.1.100

Step 2.
Create captures on both inside and outside interfaces.

PIX# capture out-telnet access-list 101 interface outside packet-length 1500
PIX# capture in-telnet access-list 100 interface inside packet-length 1500



Step 3.
Perform the test.

Initiate a Telnet session from the inside host (10.1.1.100) to access 200.1.1.100 on the outside.

Step 4.
Copy the captures off to a TFTP server, or retrieve them from the HTTP server on the PIX.

You can display the capture output on the PIX firewall with the following commands:

PIX# show capture in-telnet
PIX# show capture out-telnet

To download the capture output to a TFTP server, use the following commands:

PIX# copy /pcap capture:out-telnet tftp://10.1.1.5/out.pcap
PIX# copy /pcap capture:in-telnet tftp://10.1.1.5/in.pcap

If the HTTP server is enabled on the PIX firewall (as it is for ASDM access), you can also download a capture in pcap format with a web browser, using a URL of the following form, where pix-address is the address of the PIX interface running the HTTP server and capture-name is the name given on the capture command (out-telnet or in-telnet in this example):

https://<pix-address>/capture/<capture-name>/pcap

Step 5.
Analyze captures with sniffer software.

After downloading the captures from the PIX firewall, you can analyze them with packet analysis software such as Ethereal (now Wireshark). Comparing the inside and outside captures packet by packet shows whether the PIX forwarded and translated the traffic, and whether the reply ever came back.
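The procedure ends with comparing the two captures by hand. The following Python script, an added example that is not part of the book and not a Cisco tool, does that comparison for the scenario in this section: it parses an inside and an outside pcap of the kind exported in Step 4, checks which legs of the Telnet handshake (client SYN, server SYN-ACK) appear on each side of the PIX, and reports where the flow stops. It assumes one-to-one NAT of 10.1.1.100 to 50.1.1.100 (source port preserved, as the scenario states); the two captures it analyzes are constructed inline, not real PIX output.

```python
"""Correlate PIX inside/outside captures of one Telnet attempt across NAT.

Added example (not from the book): reads the two pcap files exported with
'copy /pcap capture:<name> tftp://...' and reports how far the TCP handshake
got on each side of the firewall.  The sample captures below are constructed.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic for a little-endian file
ETH_LEN = 14                     # the PIX writes Ethernet (DLT_EN10MB) frames
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_pcap(data):
    """Return (src, dst, sport, dport, tcp_flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian libpcap file with Ethernet frames")
    off, packets = 24, []                      # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ip = frame[ETH_LEN:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                           # not TCP, or truncated
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        packets.append((src, dst, sport, dport, ip[ihl + 13]))
    return packets


def handshake_progress(inside, outside, client, nat, server, port=23):
    """Which legs of SYN and SYN-ACK each capture saw.  Assumes one-to-one NAT
    (source port preserved), as in the book's 10.1.1.100 -> 50.1.1.100 case."""
    def seen(pkts, src, dst, want):
        return any(s == src and d == dst and (f & (TCP_SYN | TCP_ACK)) == want
                   and (sp if s == server else dp) == port
                   for s, d, sp, dp, f in pkts)
    return {
        "syn_inside":     seen(inside,  client, server, TCP_SYN),
        "syn_outside":    seen(outside, nat,    server, TCP_SYN),
        "synack_outside": seen(outside, server, nat,    TCP_SYN | TCP_ACK),
        "synack_inside":  seen(inside,  server, client, TCP_SYN | TCP_ACK),
    }


def diagnose(p):
    """Locate the failure from the first missing leg."""
    if not p["syn_inside"]:
        return "no SYN on inside: the client never reached the PIX"
    if not p["syn_outside"]:
        return "SYN seen inside but not outside: the PIX dropped it (ACL, NAT or route)"
    if not p["synack_outside"]:
        return "translated SYN left the PIX but no SYN-ACK came back: problem beyond the PIX"
    if not p["synack_inside"]:
        return "SYN-ACK reached outside but was not passed inside: check xlate/conn on the PIX"
    return "handshake crossed the PIX in both directions"


def frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (constructed data)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip4(src), ip4(dst))
    return bytes.fromhex("00000c000001" "00000c000002" "0800") + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file as the PIX would export it (snaplen 1500)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1500, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


# Constructed captures for the scenario above: the SYN crosses the PIX and is
# correctly translated to 50.1.1.100, but 200.1.1.100 never answers.
INSIDE_PCAP = build_pcap([frame("10.1.1.100", "200.1.1.100", 1035, 23, TCP_SYN)])
OUTSIDE_PCAP = build_pcap([frame("50.1.1.100", "200.1.1.100", 1035, 23, TCP_SYN)])


def analyze(inside_pcap=INSIDE_PCAP, outside_pcap=OUTSIDE_PCAP):
    progress = handshake_progress(parse_pcap(inside_pcap), parse_pcap(outside_pcap),
                                  "10.1.1.100", "50.1.1.100", "200.1.1.100")
    return progress, diagnose(progress)


if __name__ == "__main__":
    progress, verdict = analyze()
    for leg, ok in progress.items():
        print(f"{leg:15s} {'seen' if ok else 'MISSING'}")
    print(verdict)
```

To use it on real exports, read in.pcap and out.pcap from the TFTP server and pass their contents to analyze(). If the PIX uses PAT rather than one-to-one NAT, the source port on the outside differs from the inside one, and the matching in seen() would have to key on the xlate table instead of the port.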

In later software (7.0 and later), the capture command has been enhanced to capture packets dropped by the security policy, selected by drop reason with the type asp-drop keyword:

PIX# capture mycapture type asp-drop ?

acl-drop Flow is denied by access rule
all All packet drop reasons
bad-crypto Bad crypto return in packet
bad-ipsec-natt Bad IPSEC NATT packet
bad-ipsec-prot IPSEC not AH or ESP
bad-ipsec-udp Bad IPSEC UDP packet
bad-tcp-cksum Bad TCP checksum
bad-tcp-flags Bad TCP flags
conn-limit Connection limit reached
. . .
PIX#