Debug Commands
Although show commands are very useful to identify the problem quickly, debug commands are required to see more detailed information about the problem under some circumstances for the connectivity issues. As debug commands affect the CPU of the PIX negatively, use the debug command as a last resort. Before turning on the respective debug command, it is very important to know how much traffic is flowing through the firewall of a specific type.
In this section, we discuss several debug commands available on PIX that will help you troubleshoot connectivity problems across the PIX firewall.
debug icmp trace
This debug command is used to see the debug output of the ping going across the PIX firewall. Ping is usually used to check the IP connectivity across the firewall.
While using ping for connectivity tests, remember these points:
-
You can ping only the local interface of the PIX. For example, if your PC is on the inside network, you can ping only to the inside interface of the PIX.
-
You cannot ping the remote interface of the PIX. For example, if you are on an inside network, you cannot ping to the DMZ or the outside interface of the PIX firewall. If you are on outside, you can ping only on the outside interface.
-
ICMP echo-replies must be permitted explicitly thru the PIX unless you have ICMP inspection enabled.
Figure 3-2 demonstrates that Bob is able to ping to the inside interface, not the DMZ or outside interface.
Figure 3-2. Inside Users Ping Ability to PIX Firewall
For a successful ping across the PIX firewall, you should see the request and reply packets on the debug icmp trace command output as shown in Example 3-13.
Example 3-13. debug icmp trace Output of a Successful IP Connection
PIX# debug icmp trace |