show local-host
A local-host is an entry that is created for any source IP address on a higher security level interface. The show local-host command displays the translation, connection, and AAA information together. Example 3-7 shows the local-host information for the local host with IP address 10.1.1.50.
Example 3-7. show local-host Command Output
PIX# show local-host 10.1.1.50
Interface inside: 822 active, 823 maximum active, 0 denied
local host: <10.1.1.50>,
    TCP connection count/limit = 0/unlimited
    TCP embryonic count = 0
    TCP intercept watermark = unlimited
    UDP connection count/limit = 63/unlimited
  AAA:
  Xlate(s):
    PAT Global 20.1.1.50(41166) Local 10.1.1.50(39075)
  Conn(s):
    UDP out 198.133.219.25:8943 in 10.1.1.50:63556 idle 0:01:31 flags
PIX#
show service-policy
This command shows which inspection policies are applied and how many packets have matched each of them, as shown in Example 3-8.
Example 3-8. Output of the show service-policy Command
PIX# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 0, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: http, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 0, drop 0, reset-drop 0
...
Interface outside:
  Service-policy: VoIP
    Class-map: voice_marked
      Priority:
        Interface outside: aggregate drop 0, aggregate transmit 0
PIX#
show asp drop
This command shows the number of packets that the PIX has dropped during packet processing, as shown in Example 3-9.
Example 3-9. show asp drop Command Output
PIX# show asp drop
Frame drop:
  Invalid tcp length 9382
  Invalid udp length 10
  No route to host 1009
  Reverse-path verify failed 15
  Flow is denied by access rule 25247101
  First TCP packet not SYN 36888
  Bad option length in TCP 731
  TCP MSS was too large 10942
  TCP Window scale on non-SYN 2591
  TCP Dual open denied 11
  TCP data send after FIN 62
  TCP failed 3 way handshake 328859
  TCP SEQ in SYN/SYNACK invalid 142
  TCP ACK in SYNACK invalid 278
  TCP packet SEQ past window 46331
  DNS Inspect packet too long 5
  DNS Inspect id not matched 8270
...
PIX#
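The counters in Example 3-9 are easier to triage once they are ranked, so the following added example (not part of the original text) parses saved show asp drop output and lists the largest drop reasons with their share of the total. The sample input is constructed from a subset of the Example 3-9 counters; the PIX# prompt, the column padding, and the function names are assumptions.

```python
import re

# Constructed sample: a subset of the counters in Example 3-9, elision kept.
SAMPLE = """\
PIX# show asp drop
Frame drop:
  Invalid tcp length                         9382
  Invalid udp length                           10
  No route to host                           1009
  Reverse-path verify failed                   15
  Flow is denied by access rule          25247101
  First TCP packet not SYN                  36888
  TCP failed 3 way handshake               328859
  DNS Inspect id not matched                 8270
...
PIX#
"""

# A counter line is "<reason text> <integer>". The reason may itself contain
# digits ("TCP failed 3 way handshake"), so only the LAST token is the count.
COUNTER = re.compile(r"^\s*(?P<reason>\S.*?)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text):
    """Return {section: {reason: count}} from saved `show asp drop` output."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "..." or stripped.startswith("PIX#"):
            continue  # blank line, elided output, or the assumed prompt
        if stripped.endswith(":"):
            current = sections.setdefault(stripped[:-1], {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m["reason"]] = int(m["count"])
    return sections

def top_reasons(section, n=3):
    """Rank drop reasons by count: (reason, count, percent_of_section)."""
    total = sum(section.values()) or 1
    ranked = sorted(section.items(), key=lambda kv: kv[1], reverse=True)
    return [(r, c, round(100.0 * c / total, 1)) for r, c in ranked[:n]]

if __name__ == "__main__":
    for reason, count, pct in top_reasons(parse_asp_drop(SAMPLE)["Frame drop"]):
        print(f"{count:>10}  {pct:5.1f}%  {reason}")
```

Because the counters are cumulative, comparing two captures taken some time apart shows which reasons are still incrementing.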
show cpu usage
This command was first introduced in PIX OS Version 6.0(1). Under normal conditions, the PIX CPU should stay below 30 percent, and can go as high as 60 percent. Anything above 60 percent is high. If the CPU reaches 100 percent, the PIX will start dropping packets. The show cpu usage command displays CPU utilization over time as a running average, as shown below:
PIX# show cpu usage
CPU utilization for 5 seconds = 1%; 1 minute: 2%; 5 minutes: 1%
PIX#
Note
The usage percentage prints as NA (Not Applicable) if the usage is unavailable for the specified time interval; this can happen if you request the CPU usage before the 5-second, 1-minute, or 5-minute interval has elapsed.
show traffic
The show traffic command displays the traffic transmitted and received on each interface of the PIX, as shown in Example 3-10.
Example 3-10. show traffic Command Output
PIX# show traffic
outside:
    received (in 124.650 secs):
        295468 packets 167218253 bytes
        2370 pkts/sec 1341502 bytes/sec
    transmitted (in 124.650 secs):
        260901 packets 120467981 bytes
        2093 pkts/sec 966449 bytes/sec
inside:
    received (in 124.650 secs):
        261478 packets 120145678 bytes
        2097 pkts/sec 963864 bytes/sec
    transmitted (in 124.650 secs):
        294649 packets 167380042 bytes
        2363 pkts/sec 1342800 bytes/sec
PIX#