Diagnostic Commands and Tools

Several tools and commands are available on the PIX Firewall to troubleshoot all kinds of issues with the PIX Firewall. This section goes through those tools and commands, which are used in the rest of the chapter to troubleshoot specific issues.

show Commands

show commands on the PIX Firewall display statistics and information about the PIX Firewall, both current and historical. They are used mainly for troubleshooting and for monitoring the health of the PIX Firewall. Some of the most useful show commands are covered in the sections that follow.

show xlate [detail]

This command shows the translations built through the PIX Firewall. Example 3-5 shows both the summary and the detailed view of the translations built on the PIX Firewall. Look at the detailed output, because it shows the interfaces involved in the flow of a packet, which is useful for identifying and correcting any NAT-related misconfiguration.

Example 3-5. Translation Through the PIX Firewall

PIX (config) # show xlate
3 in use, 3 most used
PAT Global 20.1.1.50(0) Local 10.1.1.50 ICMP id 340
PAT Global 20.1.1.50 (1024) Local 10.1.1.50(1028)
PAT Global 20.1.1.50 (1024) Local 10.1.1.50(516)
PIX (config) # show xlate detail
3 in use, 3 most used
Flags: D DNS, d dump, I identity, i inside, n no random,
o outside, r portmap, s static
TCP PAT from inside:10.1.1.50/1026 to outside:20.1.1.50/1024 flags ri
UDP PAT from inside:10.1.1.50/1028 to outside:20.1.1.50/1024 flags ri
ICMP PAT from inside:10.1.1.50/21505 to outside:20.1.1.50/0 flags ri
PIX(config)#

Table 3-4 describes the Xlate flags.

Table 3-4. Xlate Flags Table

Flag   Description
s      Static Translation Slot
d      Dump Translation Slot on Next Clearing Cycle
r      Port Map Translation
n      No Randomization of TCP Sequence Number
o      Outside Address Translation
i      Inside Address Translation
D      DNS A RR Rewrite
I      Identity Translation from NAT 0


show connection [detail]

This command shows the connection details on the PIX Firewall. A connection is not built without a translation, so if you do not see a connection, first find out whether the translation has been built. Example 3-6 shows the connections built on the PIX Firewall.

Example 3-6. show connection [detail] Output from the PIX Firewall

PIX (config) # show connection
2 in use, 2 most used
! Idle time, bytes transferred, and the flags are shown for each of the following connections
TCP out 192.150.49.10:23 in 10.1.1.15:1026 idle 0:00:22 bytes 1774 flags UIO
UDP out 192.150.49.10:31649 in 10.1.1.15:1028 idle 0:00:14 bytes 540 flags d
! The following command shows the interface details of the connections
PIX (config) # show connection detail
2 in use, 2 most used
Flags: A awaiting inside ACK to SYN, a awaiting outside ACK to SYN,
B initial SYN from outside, D DNS, d dump,
E outside back connection, F outside FIN, f inside FIN,
G group, H H.323, I inbound data, M SMTP data,
m SIP media, O outbound data, P inside back connection,
q SQL*Net data, R outside acknowledged FIN,
R UDP RPC, r inside acknowledged FIN, S awaiting inside SYN,
s awaiting outside SYN, T SIP, t SIP transient, U up
TCP outside: 192.150.49.10/23 dmz:10.1.1.15/1026 flags UIO
UDP outside: 192.150.49.10/31649 dmz:10.1.1.15/1028 flags d
PIX#
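To cross-check the two outputs the way the text above suggests (a connection cannot exist without a translation), here is an added Python example that is not from the book or from Cisco. It parses the translation lines of show xlate detail and the connection lines of show connection detail, decodes the flags using Table 3-4 and the legend in Example 3-6, and lists connections whose inside host and port have no translation slot. The sample output is constructed in the format of Examples 3-5 and 3-6; the interface names, addresses and parsing regexes are assumptions.

```python
import re
# Flag legends from Table 3-4 (xlate) and the "Flags:" header of show connection
# detail; unknown letters are kept with a "?" prefix rather than dropped.
XLATE_FLAGS = {"s": "static", "d": "dump", "r": "portmap", "n": "no random",
               "o": "outside", "i": "inside", "D": "DNS", "I": "identity"}
CONN_FLAGS = {"U": "up", "I": "inbound data", "O": "outbound data", "d": "dump",
              "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
              "B": "initial SYN from outside", "f": "inside FIN", "F": "outside FIN"}
XLATE_RE = re.compile(r"^(TCP|UDP|ICMP) PAT from (\w+):([\d.]+)/(\d+) "
                      r"to (\w+):([\d.]+)/(\d+) flags (\w*)$")
CONN_RE = re.compile(r"^(TCP|UDP) (\w+):\s*([\d.]+)/(\d+) (\w+):([\d.]+)/(\d+) flags (\w*)$")

def parse_xlate_detail(text):
    """One dict per translation line of 'show xlate detail'; count and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            proto, lif, lip, lport, gif, gip, gport, flags = m.groups()
            rows.append({"proto": proto, "local": (lif, lip, int(lport)),
                         "global": (gif, gip, int(gport)),
                         "flags": [XLATE_FLAGS.get(f, "?" + f) for f in flags]})
    return rows

def parse_conn_detail(text):
    """One dict per connection line of 'show connection detail'."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, oif, oip, oport, iif, iip, iport, flags = m.groups()
            rows.append({"proto": proto, "outside": (oif, oip, int(oport)),
                         "inside": (iif, iip, int(iport)),
                         "flags": [CONN_FLAGS.get(f, "?" + f) for f in flags]})
    return rows

def conns_missing_xlate(conns, xlates):
    """Connections whose inside host/port has no translation slot; a hit means the two views disagree."""
    slots = {(x["proto"], x["local"][1], x["local"][2]) for x in xlates}
    return [c for c in conns if (c["proto"], c["inside"][1], c["inside"][2]) not in slots]

# Constructed sample output in the format of Examples 3-5 and 3-6 (not a real capture).
SAMPLE_XLATE = """3 in use, 3 most used
TCP PAT from inside:10.1.1.15/1026 to outside:20.1.1.50/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:20.1.1.50/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:20.1.1.50/0 flags ri"""
SAMPLE_CONN = """3 in use, 3 most used
TCP outside: 192.150.49.10/23 inside:10.1.1.15/1026 flags UIO
UDP outside: 192.150.49.10/31649 inside:10.1.1.15/1028 flags d
TCP outside: 192.150.49.10/80 inside:10.1.1.15/1030 flags UIO"""
```

Feed it the two outputs captured from the firewall; any connection it reports points at the translation side (NAT configuration or a cleared xlate) rather than at the connection itself.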