Debug Commands

Although show commands are very useful for identifying a problem quickly, in some circumstances debug commands are required to see more detailed information about a connectivity problem. Because debug commands add load to the PIX CPU, use them as a last resort. Before turning on a debug command, it is very important to know how much traffic of the type being debugged is flowing through the firewall; debugging a high-volume protocol can overwhelm the PIX.

In this section, we discuss several debug commands available on the PIX that help you troubleshoot connectivity problems across the firewall.

debug icmp trace

This command displays a trace of ICMP packets as they cross the PIX firewall. Ping is usually the first test of IP connectivity across the firewall, so this trace is often the quickest way to see where a ping is being dropped or mistranslated.

While using ping for connectivity tests, remember these points:

  • You can ping only the interface of the PIX that is local to your network. For example, if your PC is on the inside network, you can ping only the inside interface of the PIX.

  • You cannot ping a remote interface of the PIX. For example, from the inside network you cannot ping the DMZ or outside interface, and from the outside you can ping only the outside interface.

  • ICMP echo-replies must be permitted explicitly through the PIX, for example by an access list on the outside interface, unless ICMP inspection is enabled. Without inspection, the PIX does not treat the returning echo-reply as part of the outbound echo-request, so the reply is dropped and the ping times out even though the request left the firewall.

Figure 3-2 demonstrates that Bob, on the inside network, is able to ping the inside interface but not the DMZ or outside interface.

Figure 3-2. Inside Users Ping Ability to PIX Firewall


For a successful ping across the PIX firewall, you should see both the request and the reply packets in the debug icmp trace output, as shown in Example 3-13. If you see the request and its translation but no reply, the reply is either not returning from the destination or is being dropped at the outside interface because echo-replies are not permitted.

Example 3-13. debug icmp trace Output of a Successful IP Connection

PIX# debug icmp trace
PIX#
! In the following line, the packet arrived on the inside interface from the
! untranslated inside address 10.1.1.50 and is destined for 192.168.1.50
ICMP echo-request from inside:10.1.1.50 to 192.168.1.50 ID=3239 seq=4369 length=80
! The following line shows that the source 10.1.1.50 is translated to the outside address 172.16.10.1
ICMP echo-request: translating inside:10.1.1.50 to outside:172.16.10.1
! The following lines are the reply packets: the reply arrives at the translated
! address 172.16.10.1 and is untranslated back to the real inside address 10.1.1.50
ICMP echo-reply from outside:192.168.1.50 to 172.16.10.1 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:172.16.10.1 to inside:10.1.1.50
PIX#
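When a debug icmp trace capture covers more than a handful of pings, pairing requests with replies by hand becomes tedious. The following is an added example, not from the book or from Cisco, that reads a saved copy of the debug output offline, matches each echo-request to its echo-reply by ICMP ID and sequence number, follows the translating and untranslating lines, and lists the requests that never received a reply. The sample trace embedded in the script is constructed: it repeats the successful ping from Example 3-13 and adds a second ping (seq 4370) whose request is translated but whose reply never comes back, which is what the trace looks like when echo-replies are not permitted inbound.

```python
"""Offline reader for PIX 'debug icmp trace' output.

Added example (not the book's or Cisco's code). Pairs each ICMP echo-request
with its echo-reply by ICMP ID and sequence number, follows the
translating/untranslating lines, and reports requests that never got a reply.
"""
import re
from dataclasses import dataclass

# Packet lines, e.g.
#   ICMP echo-request from inside:10.1.1.50 to 192.168.1.50 ID=3239 seq=4369 length=80
PKT_RE = re.compile(
    r"^ICMP echo-(?P<kind>request|reply) from (?P<iface>\w+):(?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+) length=(?P<length>\d+)$"
)
# Translation lines, e.g.
#   ICMP echo-request: translating inside:10.1.1.50 to outside:172.16.10.1
XLATE_RE = re.compile(
    r"^ICMP echo-(?P<kind>request|reply): (?P<op>translating|untranslating) "
    r"(?P<from_if>\w+):(?P<from_ip>[\d.]+) to (?P<to_if>\w+):(?P<to_ip>[\d.]+)$"
)


@dataclass
class Echo:
    """One ping (ICMP ID + seq) as seen by the PIX."""
    icmp_id: int
    seq: int
    src: str                    # real (untranslated) source address
    dst: str                    # destination the host pinged
    ingress: str                # interface the request arrived on
    xlate: str = ""             # translated source, filled from the 'translating' line
    reply: bool = False         # echo-reply seen coming back
    untranslated: bool = False  # reply mapped back to the real source


def parse_trace(text):
    """Return {(id, seq): Echo} for every echo-request in the captured trace."""
    echoes = {}
    pending = None  # most recent request still waiting for its 'translating' line
    for raw in text.splitlines():
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            key = (int(m["id"]), int(m["seq"]))
            if m["kind"] == "request":
                echoes[key] = Echo(key[0], key[1], m["src"], m["dst"], m["iface"])
                pending = echoes[key]
            elif key in echoes:
                # The reply must return to the translated address (or the real one if no xlate).
                expect = echoes[key].xlate or echoes[key].src
                if m["dst"] == expect:
                    echoes[key].reply = True
            continue
        m = XLATE_RE.match(line)
        if not m:
            continue  # prompts, '!' comments and unrelated debug lines
        if m["op"] == "translating" and pending and pending.src == m["from_ip"]:
            pending.xlate = m["to_ip"]
            pending = None
        elif m["op"] == "untranslating":
            for e in echoes.values():
                if e.reply and not e.untranslated and e.xlate == m["from_ip"] and e.src == m["to_ip"]:
                    e.untranslated = True
                    break
    return echoes


def summarize(echoes):
    """Split pings into answered (reply seen and, if translated, untranslated) and unanswered."""
    answered = {k for k, e in echoes.items() if e.reply and (not e.xlate or e.untranslated)}
    return {
        "answered": sorted(answered),
        "unanswered": sorted(k for k in echoes if k not in answered),
    }


# Constructed sample: the successful ping from Example 3-13 (seq 4369) plus a
# second ping (seq 4370) whose request is translated but never answered.
SAMPLE_TRACE = """\
PIX# debug icmp trace
PIX#
ICMP echo-request from inside:10.1.1.50 to 192.168.1.50 ID=3239 seq=4369 length=80
ICMP echo-request: translating inside:10.1.1.50 to outside:172.16.10.1
ICMP echo-reply from outside:192.168.1.50 to 172.16.10.1 ID=3239 seq=4369 length=80
ICMP echo-reply: untranslating outside:172.16.10.1 to inside:10.1.1.50
ICMP echo-request from inside:10.1.1.50 to 192.168.1.50 ID=3239 seq=4370 length=80
ICMP echo-request: translating inside:10.1.1.50 to outside:172.16.10.1
PIX#
"""

if __name__ == "__main__":
    report = summarize(parse_trace(SAMPLE_TRACE))
    for icmp_id, seq in report["unanswered"]:
        print(f"no echo-reply for ID={icmp_id} seq={seq}: "
              "check that echo-replies are permitted inbound or ICMP inspection is on")
```

Run it against a trace pasted from the PIX console (the prompts and any `!` annotations are ignored). A request that appears with its translation but without a matching reply points at the outside interface: either the destination did not answer, or the reply was dropped because echo-replies are not permitted through the PIX.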