Troubleshooting Connectivity
In order to perform its duties, a PIX firewall must be able to reach its destinations. Its ability to pass traffic from source to destination is affected by factors such as routing, address translation, access lists, and so on. Translation can be particularly critical, since all addresses must be translated in order for internal and external networks to communicate with each other.

[Figure 10.9 Multimode Fiber Optic Cable: 50 or 62.5/125 micron glass core, refracted light carried from end to end; used by PIX Firewall Gigabit Ethernet interfaces. Troubleshooting and Performance Monitoring, Chapter 10, p. 571]
Get in the habit of running clear xlate to clear any current translations whenever you make a change to NAT, global, static, access lists, conduits, or anything that depends on or is part of translation. Since translation is mandatory on PIX firewalls, this covers just about any feature you can configure. Failure to delete existing translations will cause unexpected behavior, because connections keep using the stale translation slots built under the old configuration.
Remember how interfaces of different security levels work with each other. Traffic from a higher security level to a lower security level is permitted by default but still requires translations to be set up. Traffic from a lower security level to a higher security level (such as outside to inside) requires an access list or conduit, as well as corresponding translations.
We covered syslog extensively in Chapter 6, but it bears repeating that you should get in the habit of checking log messages. Syslog provides an ongoing, real-time report of activities and errors: information that can be vital to troubleshooting success. The information syslog provides can help you take your first or next step, so ensure that you develop your syslog review habits. This can be particularly useful in identifying errors with access lists and translation. For example, if a host on a lower security level interface wants to communicate with a host on a higher security level interface and translation is enabled for it, but no conduit or access list is configured, the following message will be logged:
106001: Inbound TCP connection denied from x.x.x.x/x to x.x.x.x/x
This is your first clue that you need an access list or conduit to permit this access. If the reverse is the case (an access list or conduit is present, but no translation is configured), the following message will be logged:
305005: No translation group found for...
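The two messages above are the quickest way to tell a missing access list or conduit from a missing translation, so it is worth automating the check over a syslog export. The script below is an added example and is not code from the book or from Cisco; it assumes the standard PIX 6.x syslog prefix (%PIX-severity-msgid:) in front of the message text quoted above, and the sample log lines are constructed for the example rather than captured from a real device. The remediation strings are this example's own summary of the advice in the text.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message IDs quoted in the text above. The remediation text is this example's
# own summary: 106001 means a translation existed but nothing permitted the
# inbound flow; 305005 means the flow was permitted but no translation matched.
# Both fixes end with "clear xlate" so stale translation slots are dropped.
REMEDIATION = {
    "106001": "permit the flow with an access-list/access-group (or conduit), then clear xlate",
    "305005": "add a matching static or nat/global translation, then clear xlate",
}

# Assumed PIX 6.x syslog prefix, e.g. "%PIX-2-106001: Inbound TCP connection denied ..."
PREFIX_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")
# "a.b.c.d/port" pairs as they appear in the message body; the first is the
# source, the second the destination for both message types handled here.
ADDR_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")


@dataclass
class Finding:
    msg_id: str
    severity: int
    src: Optional[str]
    dst: Optional[str]
    diagnosis: str


def triage(line: str) -> Optional[Finding]:
    """Classify one syslog line; return None for lines that are not one of the
    two translation/access-list errors discussed in the text."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    msg_id = m.group("id")
    if msg_id not in REMEDIATION:
        return None
    addrs = ADDR_RE.findall(m.group("body"))
    src = "%s/%s" % addrs[0] if len(addrs) > 0 else None
    dst = "%s/%s" % addrs[1] if len(addrs) > 1 else None
    return Finding(msg_id, int(m.group("sev")), src, dst, REMEDIATION[msg_id])


def triage_log(lines: Iterable[str]) -> List[Finding]:
    """Run triage over a whole log export, keeping only the actionable findings."""
    return [f for f in (triage(l) for l in lines) if f is not None]


# Constructed sample lines (hypothetical hosts, not captured from a real PIX).
SAMPLE_LOG = [
    "Jan 12 10:03:51 fw1 %PIX-2-106001: Inbound TCP connection denied from "
    "203.0.113.7/41022 to 192.0.2.10/80 flags SYN on interface outside",
    "Jan 12 10:04:02 fw1 %PIX-3-305005: No translation group found for tcp "
    "src outside:203.0.113.7/41023 dst inside:10.1.1.10/80",
    "Jan 12 10:04:09 fw1 %PIX-6-302001: Built outbound TCP connection 12 for "
    "faddr 198.51.100.5/443 gaddr 192.0.2.2/1025 laddr 10.1.1.20/1025",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%s sev%d %s -> %s: %s" % (f.msg_id, f.severity, f.src, f.dst, f.diagnosis))
```

Feed it the output of your syslog server (or `show logging` pasted into a file); the 302001 connection-built line in the sample is deliberately ignored so the report only contains the two conditions that need a configuration change. If the destination in a 106001 finding is a global (translated) address while the 305005 finding shows the real inside address, that is expected: the access list is checked against the translated address, so match your access-list entries to the global side of the static.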
For more information about syslog message numbers and descriptions, see
www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/
pixemsgs.htm.