All Cisco-Network Study Notes: 01/08/09

Support Options as Troubleshooting Tools

Support Options as Troubleshooting Tools 631

The PIX firewall can be a actual analytical accessory on your network. Network

architecture planning needs to accede assorted abutment options to

handle the accident or abortion of your PIX firewall. Accede this troubleshooting

by prevention, if you will. You can do it all yourself, acreage out

support to a third-party bell-ringer (reseller), or acquirement abutment from

Cisco. Let’s appraise anniversary option:

In the “do it yourself” approach, you artlessly acquirement the

software and hardware, with no assurance or abutment other

than what was provided as standard. If annihilation goes wrong,

you charge the adeptness and assets to fix it yourself.

In the third-party option, you accept a appropriate arrangement

with your bell-ringer (reseller) to accommodate whatever you charge to

fix your problem, whether software or hardware. Although

your reseller adeptness not accept the abyss and across of

knowledge that Cisco does, as a reseller, it adeptness be able to

offer you a abundant abatement on support.

Using Cisco via the SMARTnet affairs can ensure that you

always accept admission to a ample basin of able adeptness and

the “latest and greatest” advice apropos configuration,

troubleshooting, and bug fixes. The Cisco Web site

offers a abundance of accoutrement and advice that you can use to

aid your troubleshooting. You can additionally opt to admission the

Cisco Connection Online (CCO) associates to accretion admission to

even added abutment such as the adeptness to accessible or browse TAC

cases online. SMARTnet additionally provides accouterments replacement

and software upgrades.

Two things can breach on your PIX firewall: the software or the hardware.

To assure adjoin accouterments failures, you accept the advantage of stockpiling

spares. Depending on the arrangement of alive to banal units, this choice

could be amount prohibitive. Software can be bedeviled with bugs that you

discover afterwards you accept deployed the absolute configuration. Certain commands

or appearance adeptness not assignment as you appetite them to or not assignment at

all. In any case, you will crave advice from Cisco to assignment around

the botheration or admission to the latest absolution of software that fixes your

problem. In general, you are bigger off putting your firewall beneath a

SMARTnet aliment arrangement with Cisco to ensure that you always

have admission to the latest releases of software. Software is generally

much added difficult to fix on your own than hardware, which you can

easily alter in case of a failure. You absolutely cannot carbon the software

code to fix a problem, and you’ll end up spending an excessive

amount of time developing a workaround to a botheration acquired by a

buggy software release.

Downloading Captured Traffic

The PIX firewall saves packet abduction buffers in PCAP format, which can be

downloaded and beheld with third-party software such as Ethereal or tcpdump.

The abduction can be downloaded either application HTTPS or TFTP.To download the

file application HTTPS, access the adapted URL to the PIX firewall.The syntax is

as follows:

https://pix_ip_address/capture//pcap

www.syngress.com

Figure 10.24 Continued

Troubleshooting and Performance Monitoring • Chapter 10 601

For example:

https://192.168.1.1/capture/inside/pcap

This syntax downloads the packet abduction to your applicant in PCAP format.

Alternatively, you can download the book application TFTP.This is able using

the archetype command on the PIX firewall.The syntax is as follows:

copy capture: tftp:/// [pcap]

Without the pcap keyword, the ASCII packet headers will be copied.With the

pcap keyword, the bifold book in PCAP architecture will be copied. For example:

PIX1# archetype capture:inside-traffic tftp://192.168.99.99/pix-capture pcap

copying Abduction to tftp://192.168.99.99/pix-capture:

In our example, we are artful the inside-traffic abduction (in PCAP format) to

the TFTP server at 192.168.99.99 to the pix-capture filename. Once the book has

been copied, you can use any of the above software bales to open

and assay the captured packets.

Display to a Web Browser

Cisco additionally makes it actual accessible to deeply appearance packet captures (the packet headers

in ASCII format) application a Web browser.To appearance the capacity application your Web

browser, access the adapted URL to the PIX firewall.The syntax is as follows:

https://pix_ip_address/capture//

For example:

https://192.168.1.1/capture/inside-traffic/

Display on the Console

In the advance of troubleshooting a PIX firewall botheration by capturing data,

viewing the abduction on the animate is apparently the best alive option. If you

opt to use the animate for this purpose, it is best if you accumulate the packet-length

short abundant to get the primary headers (IP,TCP, etc.), because you can easily

become abashed scrolling through abundant amounts of abstracts on the simple

textual console.To appearance a abduction on the console, use the appearance abduction command:

show abduction [access-list ] [count ] [detail]

[dump]

If you accept captured a abundant accord of data, you can clarify it out by allegorical an

access-list in this command, which acts as a affectation filter.The calculation constant is

used to absolute the cardinal of packets displayed on the screen.The detail parameter

increases the akin of detail displayed.The dump constant specifies that the data

should be displayed in hex (this does not affectation MAC information). An example

packet abduction is displayed in Figure 10.24.

Figure 10.24 Packet Abduction Example

PIX1# appearance abduction inside-traffic calculation 6

71 packets captured

www.syngress.com

Continued

600 Chapter 10 • Troubleshooting and Performance Monitoring

17:29:35.648434 192.168.2.1.23 > 192.168.2.2.11002: P 942178590:942178597

(7) ack 2099017897 win 4096(fragment-packet)

17:29:35.848207 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178597 win

3531(fragment-packet)

17:29:37.610258 192.168.2.2.11002 > 192.168.2.1.23: P 2099017897:

2099017898(1) ack 942178597 win 3531(fragment-packet)

17:29:37.610442 192.168.2.1.23 > 192.168.2.2.11002: . ack 2099017898 win

4095(fragment-packet)

17:29:37.610686 192.168.2.1.23 > 192.168.2.2.11002: P 942178597:942178598

(1) ack 2099017898 win 4096(fragment-packet)

17:29:37.808155 192.168.2.2.11002 > 192.168.2.1.23: . ack 942178598 win

3530(fragment-packet)

Notice how the acknowledgments (ACKs) are incrementing.This particular

capture was allotment of a Telnet affair amid 192.168.2.1 and 192.168.2.2; the 23

at the end of 192.168.2.1 tells you that it is the Telnet server. At this point, you

should accept a acceptable abstraction aloof how advantageous abduction can be in the troubleshooting

process.

Displaying Captured Traffic

Cisco provides several options via which we can affectation our captured data.We

can affectation it on the console, which provides for abecedarian viewing, or we can

view it application a Web browser.We can alike download our captured abstracts and use

third-party software such as Aerial (www.ethereal.com) or tcpdump (www

.tcpdump.org) to appearance them.

Capturing Traffic

Cisco has provided an accomplished apparatus for capturing and allegory arrangement traffic

with the addition of PIX software adaptation 6.2.When the abduction command is

used, the PIX can act as a packet adenoids on the ambition interface, capturing packets

for after analysis.This command captures both entering and outbound traffic.

Capturing packets that alteration an interface is actual advantageous for troubleshooting,

because it enables you to actuate absolutely what cartage is actuality passed.When

you’re troubleshooting connectivity issues, it is generally advantageous to abduction packets

from the admission and approachable interfaces.You can assay the captured packets

www.syngress.com

598 Chapter 10 • Troubleshooting and Performance Monitoring

to actuate if there any problems with your configuration, such as IP address

disagreement, or problems with IKE or IPsec, such as altered or expect

parameters that are not actuality passed. Before this feature, the alone recourse an

engineer had was to install a packet abduction device.The packet abduction feature

was alien in PIX firewall adaptation 6.2 and is alone accessible for Ethernet

interfaces.The syntax of the command is as follows.

capture [access-list ] [buffer ] [ethernet-type

] [interface ] [packet-length ]

The aboriginal parameter, capture-name, defines a name for this accurate capture

session. All added ambit are optional.The access-list constant specifies an

IPsec cisco system

IPsec

After IKE auspiciously negotiates the ambit such as the adjustment to be used

for encryption, authentication, and the admeasurement key to use, IPsec is again accessible to perform

its mission of creating a VPN. IPsec requires that IKE already accept negotiated

the assorted ahead articular parameters. IPsec aeon analyze transform

sets to actuate what anniversary can support.They accommodate the authentication,

encryption, and assortment methods until they acquisition agreement. If they do not find

agreement, they do not become peers, and the adit will not be established.

To analysis which transform sets you accept configured, use the appearance crypto ipsec

transform-set command. Notice that this command tells you if IPsec will negotiate

AH, ESP, or a aggregate of both. Here is an example:

PIX1# appearance crypto ipsec transform-set

Transform set FW1: { ah-md5-hmac }

will accommodate = { Tunnel, },

{ esp-des esp-md5-hmac }

will accommodate = { Tunnel, },

It is important for IPsec aeon to accept in their transform sets accepted parameters

on which they can agree. Crypto maps are acclimated to specify the cartage to be

encrypted. Execute the appearance crypto map command to affirm your maps. For

example:

www.syngress.com

Troubleshooting and Performance Monitoring • Chapter 10 595

PIX2# appearance crypto map

Crypto Map: "pixola" interfaces: {outside }

Crypto Map "pixola" 1 ipsec-isakmp

Peer = 192.168.2.1

access-list 100 admittance ip 192.168.2.0 255.255.255.0 any (hitcnt=1)

Current peer: 192.168.2.1

Security affiliation lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ pix, }

This command additionally identifies the IPsec associate and the interface to which the

map is applied. In this example, PIX2 has the crypto map “pixola” activated to its

outside interface. It is analytical with PIX1 (at IP abode 192.168.2.1) and will

encrypt cartage that matches admission account 100. It alike tells you how abounding matches

have been fabricated adjoin that admission list—a quick way to actuate if annihilation is

being arrested for IPsec processing.

After acceptance that there is acceding in the transform sets and the crypto

maps are authentic correctly, affirm that abstracts is absolutely actuality protected.To verify,

use the appearance crypto ipsec sa command apparent in Figure 10.23.

Figure 10.23 Acceptance IPsec

PIX1# appearance crypto ipsec sa

interface: outside

Crypto map tag: pixola, bounded addr. 192.168.2.1

local ident (addr/mask/prot/port): (192.168.2.1/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.3.1/255.255.255.0/0/0)

current_peer: 192.168.3.1

PERMIT, flags={origin_is_acl,}

#pkts encaps: 5, #pkts encrypt: 5, #pkts abstract 5

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress

failed: 0

www.syngress.com

Continued

596 Chapter 10 • Troubleshooting and Performance Monitoring

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.2.1, alien crypto endpt.: 192.168.3.1

path mtu 1500, ipsec aerial 56, media mtu 1500

current outbound spi: 3a18fca2

inbound esp sas:

spi: 0x61af4121(2451330208)

transform: esp-des esp-md5-hmac

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: pixola

sa timing: actual key lifetime (k/sec): (4000159/9460)

IV size: 8 bytes

replay apprehension support: Y

inbound ah sas:

inbound pcp sas:

outbound ESP sas:

spi: 0x61af4121(2451330208)

transform: esp-des esp-md5-hmac

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: pixola

sa timing: actual key lifetime (k/sec): (4000159/9460)

IV size: 8 bytes

replay apprehension support: Y

outbound ah sas:

outbound PCP sas:

The achievement of this command can be actual abundant.The crypto map tag identifies

the crypto map actuality used, admitting bounded and alien “ident” appearance the IP

addresses of the bounded and alien peers.The “pkts” counters clue how many

packets accept been encrypted, decrypted, and compressed. So far, bristles packets have

been beatific and accustomed encrypted.This is an attribute of acknowledged IPsec operation.

www.syngress.com

Figure 10.23 Continued

Troubleshooting and Performance Monitoring • Chapter 10 597

The crypto “endpt” area identifies the IPsec peers. Notice that the path

MTU as able-bodied as the media MTU are shown, which can be advantageous in determining

if breach will occur.The SPI is a different identification for this tunnel.We

can additionally appearance the transform set ambit actuality acclimated and whether it is operating

in adit or carriage mode.The lifetime indicates the bulk of time larboard before

the SA will be renegotiated.The aftermost section, “outbound sas,” verifies that both

inbound and outbound SA accept been established. It additionally indicates how many

seconds and kilobits are larboard afore the SA charge be renegotiated.

Check the SA lifetime with the appearance crypto ipsec security-association command.

For example:

PIX1# appearance crypto ipsec security-association lifetime

Security affiliation lifetime: 4608000 kilobytes/28800 seconds

You can use the alter crypto ipsec command to adviser IPsec negotiations,

which will alpha already IKE is absolutely initialized amid the peers. For affluence of

troubleshooting, run the two commands separately. Otherwise, you will be

overwhelmed by the bulk of abstracts that they produce. First accomplish IKE

troubleshooting (which has to action afore IPsec can proceed), and again move

on to IPsec troubleshooting.

If you appetite to reinitialize IPsec, you can do so.This is advantageous back you want

to bright besmirched or invalid sessions or if you appetite IPsec to authorize a new

tunnel. It can additionally be advantageous if you appetite to adviser IPsec operations from the

onset application alter commands. At any time, you can manually force an SA negotiation

to action with the bright crypto ipsec sa command.The bright crypto ipsec sa command

deletes absolute aegis associations (all of them) and armament the

establishment of new associations if there is an alive activate such as a crypto

map.You can get actual specific with this command, such as allegorical a particular

peer with bright crypto ipsec sa 192.168.2.1.

Troubleshooting IPsec

Recall from Affiliate 7 that IPsec is acclimated on the PIX firewall for the establishment

of a defended VPN adit amid two endpoints for the purpose of securely

exchanging abstracts over IP. IPsec can be configured application IKE with RSA key

exchange, IKE with CA certificates, IKE with preshared keys, or application preshared

keys sans IKE (called chiral IPsec).When application chiral key exchange, you simply

www.syngress.com

Troubleshooting and Performance Monitoring • Affiliate 10 589

create a aggregate abstruse that is the aforementioned on both endpoints; this abode is not

only a aegis risk, but it has scalability issues.

We will not change the acceding accomplish all-important to arrange IPsec on PIX

firewalls, because that affair was covered in Affiliate 7.We instead focus our

efforts on application the accoutrement Cisco provides to troubleshoot IPsec problems application an

IPsec with IKE preshared key configuration. Misconfigurations, mismatched

parameters, keys, routing, IP acclamation issues, and added problems can cabal to

make IPsec fail.You charge to be able to abstract and boldness these issues by aboriginal recognizing

the affection and again application the absolute accoutrement to ascertain the cause.

Figure 10.21 shows a simple point-to-point IPsec adit configured between

PIX1 and PIX2. IPsec is a complicated technology and absolute cruel of

errors.A distinct absurdity can anticipate your IPsec acceding from alive at all.

Therefore, you will acquisition that the aggregate of your labors will be focused on setting

IPsec accurately in the aboriginal place.

Here we acquaint several commands and procedures that you can use to

check your configuration.

! PIX1 Acceding snippets

nat 99 0.0.0.0 0.0.0.0

global (outside) 99 192.168.2.10-192.168.2.254 netmask 255.255.255.0

route alfresco 0.0.0.0 0.0.0.0 192.168.2.2

static (inside, outside) 192.168.2.10 192.168.1.1 netmask 255.255.255.255

conduit admittance ip 192.168.3.0 255.255.255.0 any

isakmp accredit outside

isakmp action 99 authen pre-share

isakmp action 99 encryption des

isakmp action 99 accumulation 1

isakmp action 99 assortment md5

isakmp action 99 lifetime 9999

isakmp character address

isakmp key cisco abode 192.168.3.1

www.syngress.com

Figure 10.21 IPsec Configuration

IPsec Adit -IPsec Aeon 192.168.1.1 and 192.168.4.1

RTR1

192.168.2.0/24 192.168.3.0/24

PIX1 PIX2

E0 E1

192.168.1.1/24

E0 E0

192.168.4.1/24

Outside Outside

Inside

192.168.2.1/24 192.168.2.2/24 192.168.3.2/24 192.168.3.1/24

Inside

590 Affiliate 10 • Troubleshooting and Performance Monitoring

access-list 99 admittance ip 192.168.0.0 255.255.252.0 any

crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac

crypto map FW1 1 ipsec-isakmp

crypto map FW1 2 set associate 192.168.3.1

crypto map FW1 3 bout abode 99

crypto map FW1 2 set associate 192.168.3.1

crypto map FW1 interface outside

! PIX2 Acceding snippets

nat 99 0.0.0.0 0.0.0.0

global (outside) 99 192.168.3.10-192.168.2.254 netmask 255.255.255.0

route alfresco 0.0.0.0 0.0.0.0 192.168.3.2

static (inside, outside) 192.168.3.10 192.168.4.1 netmask 255.255.255.255

conduit admittance ip 192.168.3.0 255.255.255.0 any

isakmp accredit outside

isakmp action 99 authen pre-share

isakmp action 99 encryption des

isakmp action 99 accumulation 1

isakmp action 99 assortment md5

isakmp action 99 lifetime 9999

isakmp character address

isakmp key cisco abode 192.168.2.1

access-list 99 admittance ip 192.168.0.0 255.255.252.0 any

crypto ipsec transform-set FW1 ah-md5-hmac esp-des esp-md5-hmac

crypto map FW1 1 ipsec-isakmp

crypto map FW1 2 set associate 192.168.2.1

crypto map FW1 3 bout abode 99

crypto map FW1 interface outside

There are several issues with this configuration. For starters, the IPsec peering

between PIX1 and PIX2 is to their central addresses rather than their outside

addresses. Although this ability work, Cisco does not acclaim it as a adjustment to

deploy IPsec. Additionally, the addresses for the analytical accept been statically translated

to an alfresco address.This presents a botheration in that the absolute source

address of IPsec cartage will not bout aback it alcove the abroad end, and the

hash ethics will additionally be incorrect. Solving this botheration involves disabling translation

for the addresses acclimated for authorize analytical (nat 0), abacus a avenue to the internal

addresses on anniversary firewall, and allowing the addresses to access the firewall.

www.syngress.com

Troubleshooting and Performance Monitoring • Affiliate 10 591

IKE

The arch mission of IKE is to accommodate ambit for IPsec by establishing a

secure approach over which IPsec will authorize its peering. In added words, IKE

does the all-important preconfiguration by establishing the aegis associations to

protect IPsec during its negotiations and operations.

IKE aeon actualize the all-important aegis affiliation if they both accede on a

common aegis policy, which includes application the aforementioned encryption, authentication,

Diffie-Hellman settings, and assortment parameters.Without this agreement, IKE

peering will not booty place, and IPsec analytical will be clumsy to proceed. IKE

authenticates IPsec peers, determines the encryption methods that will be used,

and negotiates the assorted ambit to be acclimated by IPsec, such as encryption,

authentication, and keys. In adjustment for IPsec to proceed, IKE charge be configured

perfectly and working.

Recall from Affiliate 7 that IKE works in two phases. In Phase I (main mode),

it establishes the aegis affiliation all-important for two firewalls to become IKE

peers.This includes the barter and chase for accepted aegis behavior until

both aeon appear to an agreement. During Phase II (quick mode), IKE establishes

the aegis affiliation all-important to assure IPsec during its negotiations and

operations. Once Phase II is complete, IPsec can again complete its peering.

Before deploying IKE on your PIX firewall, ensure that anniversary associate can reach

the IP abode of the added side. If an basal hardware, network, or translation

issue prevents the aeon from extensive anniversary other, fix it application the structured

methodology presented beforehand in this chapter.You can verify reachability using

ping.

Cisco provides several commands that you can use to analysis your IKE configuration

and operation; let’s attending at those commands.The appearance isakmp command

shows how IKE is configured on the PIX firewall. For example:

PIX1# appearance isakmp

isakmp accredit outside

isakmp key ******** abode 192.168.3.1 netmask 255.255.255.255

isakmp character address

isakmp action 99 affidavit pre-share

isakmp action 99 encryption des

isakmp action 99 assortment md5

isakmp action 99 accumulation 1

isakmp action 99 lifetime 9999

www.syngress.com

592 Affiliate 10 • Troubleshooting and Performance Monitoring

The appearance isakmp or appearance crypto isakmp commands affectation the accepted IKE

parameters configured on a PIX firewall. Notice how the key is hidden to protect

its security.You should run this command on both aeon and analyze the

resulting achievement to ensure that there will be acceding on at atomic one security

policy. If you admiration added detail or charge added advice about absolutely what

each constant does, use the appearance isakmp action command.This command

expands on the antecedent command by spelling out anniversary constant and its current

settings:

PIX1# appearance crypto isakmp policy

Protection apartment of antecedence 99

encryption algorithm: DES - Abstracts Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 9999 seconds, no aggregate limit

Default aegis suite

encryption algorithm: DES - Abstracts Encryption Standard (56 bit keys).

hash algorithm: Defended Assortment Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no aggregate limit

Another advantageous aspect of the appearance crypto isakmp action command is that it

shows you the absence ethics that will be acclimated if you do not specify any values.

This advice can be advantageous if you charge to actuate what a particular

unspecified constant would be if you do not configure it specifically.

IPsec cannot advance unless IKE is working.The alone barring is if you are

not application IKE for IPsec—that is, you are application manually generated keys with

IPsec.

If you appetite to watch the ISAKMP acceding action amid two IPsec

peers, use the alter crypto isakmp command.This command generates a copious

amount of output, so use it sparingly.You can use alter crypto isakmp to watch

the IKE acceding action and the barter of affair keys.The alter crypto

isakmp command shows IKE activity through Phases I and II.The absolute action is

triggered aback absorbing cartage (traffic that matches the activated crypto map)

transits the IPsec adequate interface.Once that happens, IKE contacts its peer, as

shown in Figure 10.22. (Its antecedent anchorage and destination anchorage will be UDP port

500, so you charge to ensure that this anchorage is accustomed through.)

www.syngress.com

Troubleshooting and Performance Monitoring • Affiliate 10 593

The aboriginal affair the aeon do is validate that the hostname or IP abode and

key brace matches their configuration.The architect sends its aegis policy

parameters to the receiver, which again sends aback ambit that bout from its

policy. Having agreed on the aegis policy, the IKE aeon arise Phase I in

earnest, commutual the Diffie-Hellman and breeding affair keys. From there,

IKE associate affidavit is completed, finishing the Phase I aegis association.

Phase II gain almost bound (hence the acumen it is alleged “quick” mode)

by negotiating the aegis action that will be acclimated to assure IPsec associate operations.

Once Phase II is complete, IPsec again establishes the tunnel, and abstracts transmission

begins.

The best accepted problems that action during the IKE phases are mismatched

preshared keys and altered aegis action parameters.The aboriginal step

in troubleshooting IKE is to analyze the configurations of anniversary peer.You can do

this with the commands we discussed previously. After you accept absolute that

you accept an IKE action that will assignment on anniversary firewall, admit the IKE process

after active the adapted alter command.That way, you can adviser its

progress or abridgement thereof.

www.syngress.com

Figure 10.22 IKE Process

IKE Aeon 192.168.2.1 and 192.168.3.1

RTR1

192.168.2.0/24 192.168.3.0/24

PIX1 PIX2

E0 E0 E1 E0

Outside Outside

192.168.2.1/24 192.168.3.1/24

Interesting

traffic arrives at

E0. 1. Accelerate initialization to associate IP and UDP anchorage 500

2. Respond to associate IP and UDP anchorage 500: Aegis Policy

4. Diffie-Hellman

5. IKE Authentication, Phase I Complete

3. Analysis accustomed Aegis Action for agreement. Match!

6. Phase II - accelerate transform set(s)

7. Analyze accustomed transform set. Match!

8. Actualize IPsec SA and authorize IPsec tunnel

9. Abstracts beatific over tunnel

594 Affiliate 10 • Troubleshooting and Performance Monitoring

If you do not ascertain an IKE aegis action accepted to both aeon or if you

neglect to ascertain a aegis action at all, IKE will try the defaults for the various

values.This agency application DES for encryption, SHA for artful the hash

values, RSA for authentication, and Diffie-Hellman Accumulation 1 (768 bits) with a

lifetime of 86,400 seconds. Action mismatches will be credible aback the output

of the appearance crypto isakmp sa command shows “no state,” acceptation that the peers

did not and could not accommodate capital approach auspiciously due to the mismatch.

The “no state” absurdity additionally appears if there is key (password) altercation between

the two peers. Assortment calculations will additionally fail, and this is article you can

watch with the alter crypto isakmp command.

Cisco provides a bright crypto isakmp sa command that you can use to delete

existing aegis associations and force a reinitialization.This command can be

useful not alone to bright an invalid aegis association, but it’s additionally accessible in

monitoring the IKE acceding action with debug.

Checking Access

The PIX firewall provides several mechanisms for authoritative admission through it. In

this section, we awning several of these mechanisms and altercate some means to monitor

and verify their functionality.The absence accompaniment of the PIX firewall is to permit

access to sessions originated from a college security-level interface to a lower

security-level interface, as continued as a adaptation is configured.Traffic that originates

from a low security-level interface to a aerial security-level interface has to be

specifically acceptable appliance conduits or admission lists (and of course, translations).

www.syngress.com

584 Chapter 10 • Troubleshooting and Performance Monitoring

The aqueduct command is a appropriate anatomy of an admission list. It is acclimated to permit

traffic from a lower security-level interface to a college security-level interface.

Figure 10.20 shows several accepted admission scenarios with assorted hosts needing

access to anniversary other.The Web applicant (security akin 0) will be accessing the Web

server (security akin 50); the absence behavior of the PIX firewall is to forbid

such traffic.The workstation (security akin 100) needs to admission Internet

resources appliance the alfresco network.The amount additionally provides the configuration

necessary to accredit the admission bare by the assorted hosts and servers, which are

denoted A, B, and C for affluence of discussion.The acceptance is that all translation

parameters accept been configured and are alive correctly, which enables us to

focus on specific admission issues.The addresses credible are acclimated for discussion, but in

your mind, accept that they accept been translated.

The Web server needs to be prevented from basic sessions to networks

located off the DMZ arrangement but charge be able to acknowledge to account requests

from the Web applicant amid on the alfresco network.To achieve this goal, we

www.syngress.com

Figure 10.20 Admission Scenario

RTR1

! A. Anticipate Web server from basic traffic, but enable

responses to clients. (deny outbound admission for server)

access-list 99 abjure ip host 192.168.1.2 any

access-group 99 in interface dmz

access-list 100 admittance ip any any

! B. Accredit Web Applicant to authorize affair to Web Server

conduit admittance tcp host 192.168.4.2 host 192.168.1.2 eq www

access-list 100 admittance tcp host 192.168.4.2 host 192.168.1.2 eq www

access-group 100 in interface outside

! C. Accredit workstation to admission assets on Internet.

(no appropriate agreement all-important to accredit aerial to low access.)

DMZ - 50

PIX1

192.168.3.2/24

Outside - 0

192.168.3.0/30

192.168.3.1/24

192.168.1.0/24 192.168.1.1/24

Web Client

192.168.4.2

Web Server

192.168.1.2

Needs admission to

192.168.1.2

192.168.2.0/24

Inside - 100

Workstation

192.168.2.2 Needs to access

Internet.

Does not charge to originate

outbound traffic, but does need

to acknowledge to clients.

192.168.2.1/24

192.168.4.1/24

Troubleshooting and Performance Monitoring • Chapter 10 585

created an admission account to abjure 192.168.1.2 from accessing annihilation and activated it

to the DMZ interface.Then we created a aqueduct to admittance 192.168.4.2 to

access Web casework (TCP anchorage 80) on 192.168.1.2. Alternatively, we could have

used an admission account to achieve the aforementioned thing, as credible in Amount 10.20.The

option to use admission lists instead of conduits is accessible alone on PIX firewall software

versions 5.1 and later. It is important to agenda that Cisco recommends that

you abstain bond admission lists and conduits. Additionally, admission lists booty precedence

over conduits. In the PIX environment, admission lists accept one and alone one

direction: in.The access-group command applies the admission account to cartage coming

into the appointed interface.

The central workstation (denoted by C) needs to be able to admission resources

on the Internet.The central interface has a aegis akin of 100, the accomplished possible

security level. Recall that hosts on college security-level interfaces can access

hosts on lower security-level interfaces afterwards any appropriate agreement to

permit responses to return.This is absolutely the case with this workstation, so we

need no appropriate configuration.

Problems with abridgement of admission become credible back machines are unreachable.

Since admission ascendancy mechanisms such as admission lists and conduits accept a

close commutual accord with translation, you should validate the

translation agreement first. Once that is confirmed, activate your admission troubleshooting.

Access problems can accommodate typos, ever akin or apart admission lists

or conduits, the amiss networks actuality denied or acceptable access, or admission lists

applied to the amiss interface. Here we authenticate several commands that you

can use to verify access.

Recall that a aqueduct is a aperture in your firewall aegis that permits hosts on

a lower aegis akin admission to assets on a college aegis level.The main

command for acceptance aqueduct agreement is appearance conduit. For example:

PIX1# appearance conduit

conduit admittance tcp host 192.168.4.2 host 192.168.1.2 eq www (hitcnt=3)

This aqueduct permits 192.168.4.2 to admission the Web server at 192.168.1.2.

This is the alone PIX command for blockage conduits.With the advantage provided

in adaptation 5.1 to use admission lists instead, conduits are gradually actuality phased out

in favor of the added accepted admission lists.When that happens, you can abolish all

conduit ambit from your PIX firewall agreement appliance the bright conduit

command.This is a hardly schizophrenic command, depending on area it is it

used. If acclimated at the advantaged command alert as bright aqueduct counters, it

“zeroizes” the hit counter. If bright aqueduct is acclimated in the Agreement mode, it

removes all aqueduct statements from the PIX firewall configuration.

www.syngress.com

586 Chapter 10 • Troubleshooting and Performance Monitoring

Access lists, addition admission ascendancy mechanism, action added troubleshooting

tools than conduits do.The appearance access-list command can be acclimated to confirm

which admission lists are configured on the PIX firewall and what they are permitting

and denying:

PIX1# appearance access-list

access-list 99; 2 elements

access-list 99 abjure ip host 192.168.1.2 any (hitcnt=1)

access-list 99 admittance ip any any (hitcnt=0)

access-list 100 admittance tcp host 192.168.4.2 host 192.168.1.2

eq www

(hitcnt=5)

This command was accomplished on the firewall in Amount 10.20. Recall that an

access account alone affects admission cartage to an interface. Once you accept confirmed

that the admission account is configured as it should be, the abutting troubleshooting footfall is to

verify that it has been activated to the actual interface. Cisco provides the show

access-group command for this purpose. For example:

PIX1# appearance access-group

access-group 99 in interface dmz

access-group 100 in interface outside

The in keyword is binding and serves as a admonition that the admission account is

applied alone to cartage advancing into the interface. Cisco provides a alter command

for troubleshooting admission account contest as they occur. Be acquainted that back you

use this command, it debugs all admission lists.There is no advantage to do real-time

monitoring of a accurate admission list.This can accomplish copious amounts of data,

especially if you assassinate it on a high-traffic PIX firewall. As with any alter command,

use it sparingly and alone if you apperceive what you are analytic for.The debug

access-list command can accommodate acknowledgment on your admission account and whether it is permitting

or abstinent the cartage that it should.The command syntax is as follows:

debug access-list {all | accepted | turbo}

Another admission ascendancy apparatus is outbound/apply, but Cisco recommends

that it not be used. Cisco recommends that you use the admission account appearance of the

PIX firewall instead.The outbound/apply commands were the forerunner to the

access account affection and are still accessible and accurate by the PIX firewall software.

However, these commands ache from a actual awkward syntax, are fairly

limited, and can be arresting to troubleshoot.The outbound command was

designed to ascendancy admission of central users to alfresco resources. Having said all

www.syngress.com

Troubleshooting and Performance Monitoring • Chapter 10 587

that, a alive acquaintance with the command is accessible for back you encounter

situations in which it is still used.The syntax for the outbound command is as

follows:

outbound {permit | abjure | except} [] [

[-]] [tcp | udp| icmp]

The ID constant specifies a different identifier for the outbound list.You can

either configure a admittance rule, a abjure rule, or an except aphorism (which creates an

exception to a antecedent outbound command). Unlike admission lists, outbound lists

are not candy from top to bottom. Anniversary band is parsed behindhand of whether

there is a bout or not. Cisco recommends that all outbound lists alpha with a

deny all (deny 0 0 0), followed by specific statements acceptance access.The net

effect is cumulative. How the PIX firewall uses the outbound account depends on the

syntax of the administer command:

apply [] {outgoing_src | outgoing_dest}

When the outgoing_src constant is used, the antecedent IP address, destination

port, and agreement are filtered.When the outgoing_dst constant is used, the destination

IP address, port, and agreement are filtered. It is basic you accept that

the outbound account does not actuate whether the IP abode it uses is either a

source or a destination; the administer command does that.This can be a major

troubleshooting cephalalgia because an outbound account could be configured correctly

but ability not assignment because the administer command is configured incorrectly.When

troubleshooting outbound, ensure that you analysis the administer agreement as well.

When assorted rules bout the aforementioned packet, the aphorism with the best bout is

used.The best-match aphorism is based on the netmask and anchorage range.The stricter

the IP abode and the abate the anchorage range, the bigger a bout it is. If there is a

tie, a admittance advantage takes antecedence over a abjure option.

Here is an archetype of outbound/apply:

PIX1(config)# outbound 99 abjure 0 0 0

PIX1(config)# outbound 99 admittance 0.0.0.0 0.0.0.0 1-1024 tcp

PIX1(config)# outbound 99 except 192.168.2.0 255.255.255.0

PIX1(config)# administer (inside) 99 outgoing_src

In this example, the aboriginal account denies all traffic, the additional band permits

any host admission to TCP ports 1-1024 on any host, and the third band denies the

192.168.2.0/24 arrangement from admission to any TCP ports acceptable by the second

line.We are appliance the outgoing_src keyword, acceptation that the IP addresses referenced

are antecedent addresses.

www.syngress.com

588 Chapter 10 • Troubleshooting and Performance Monitoring

Cisco alone provides a few commands for blockage outbound/apply parameters.

First, do not balloon to do a bright xlate afterwards configuring outbound/apply. Use

show outbound to appearance the outbound lists that are configured.The appearance apply

command identifies the interfaces and administration to which the outbound lists have

been applied. No alter commands are associated with outbound/apply. Given that

access lists accept now abolished outbound/apply, you would be bigger served in

terms of both agreement and abutment to use them instead. Not alone do access

lists accommodate to the accepted Cisco syntax, they additionally action bigger and easier-tounderstand

filtering.

One affection does not assume to be admission related, but back it curtails the operations

of called protocols, one can altercate that admission to assertive appearance of the

“protected” agreement accept been negated. As discussed in Chapter 4, the PIX

firewall software provides appliance analysis appearance through the fixup command.

There is a accepted set of protocols for which the fixup adequacy is enabled

automatically, such as HTTP, SMTP, FTP, and so on.This agreement sometimes disables

certain commands or appearance in the ambition protocols to anticipate malicious

misuse.To actuate for which protocols fixup is enabled, run the appearance fixup

command. For example:

PIX1# appearance fixup

fixup agreement ftp 21

fixup agreement http 80

fixup agreement h323 h225 1720

fixup agreement h323 ras 1718-1719

fixup agreement ils 389

fixup agreement rsh 514

fixup agreement rtsp 554

fixup agreement smtp 25

fixup agreement sqlnet 1521

fixup agreement sip 5060

fixup agreement angular 2000

Checking Translation

The PIX firewall performs abode translation. In adjustment for centralized networks to

communicate with alien networks, and carnality versa, addresses charge be translated.

Translation is not optional. Recall from Affiliate 3 that adaptation is the act

of advice one IP abode to another, which can be configured as one to one

(NAT) or abounding to one (PAT).

NOTE

To canyon cartage through the PIX traffic, you charge construe it, alike if this

means you will construe IP addresses to themselves.

We discussed adaptation at some breadth in Affiliate 3. In this chapter, we

quickly analysis some key concepts application Figure 10.19, which shows all the

possible adaptation scenarios that you can accept on your PIX firewall.

Figure 10.19 shows a PIX firewall, PIX1, affiliated to three networks: inside,

DMZ, and outside.The addresses on the central arrangement are serviced application PAT.

The DMZ has two hosts on it: one that is not translated (in reality, it is aloof translated

to itself) and one that is statically translated. All absolute addresses on the

DMZ are dynamically translated application a ambit of IP addresses associated with the

outside network.

www.syngress.com

Figure 10.18 Continued

Troubleshooting and Performance Monitoring • Affiliate 10 581

In the PIX world, adaptation is all-important to accommodate connectivity.When

translation does not work, you charge to apperceive area to alpha and accomplishment your

troubleshooting. Cisco provides several commands that you can use to validate

various aspects of translation.We alpha with a analysis of the assorted translation

configuration commands and how to finer convention them. Let’s analysis the

configuration in Figure 10.19.

First, attending at which clandestine addresses are actuality translated to which public

addresses.This advice will actuate if the adaptation ambit accept been

configured correctly.Two commands acclimated to accomplish this assignment are appearance nat and

show global:

PIX1# appearance nat

nat (dmz) 0 192.168.1.10 255.255.255.255 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 99 0.0.0.0 0.0.0.0 0 0

PIX1# appearance global

global (outside) 99 192.168.99.4-192.168.99.254 netmask 255.255.255.0

global (outside) 1 192.168.99.3 netmask 255.255.255.0

www.syngress.com

Figure 10.19 Adaptation in Action

! Configure PAT to construe central addresses to 192.168.99.3.

global (outside) 1 192.168.99.3 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! Configure NAT to translates DMZ addresses to 192.168.99.4-254.

global (outside) 99 192.168.99.4-192.168.99.254 netmask 255.255.255.0

nat (dmz) 99 0.0.0.0 0.0.0.0 0 0

! Do not construe DMZ abode 192.168.1.10.

nat (dmz) 0 192.168.1.10 255.255.255.255 0 0

! Statically construe 192.168.1.2 consistently to 192.168.99.2.

static (dmz,outside) 192.168.99.2 192.168.1.2 netmask 255.255.255.255 0 0

DMZ

192.168.2.0/24

PIX1

192.168.99.1/24

INSIDE

192.168.2.1/30

192.168.1.0/24

OUTSIDE

192.168.1.1/24

192.168.11.11

192.168.1.2

192.168.1.10

Not translated

Static

translation

Internet

582 Affiliate 10 • Troubleshooting and Performance Monitoring

Our NAT agreement specifies a nontranslation for the DMZ server at

address 192.168.1.10 arrangement (as apparent by the nat 0 command).The nat 99

specifies that all absolute addresses in the DMZ should be translated.The global

command defines two pools of addresses to be acclimated for adaptation purposes.The

numerical ID is referenced by the NAT command to accomplish the absolute translation.

The all-around 99 command is acclimated for NAT, admitting all-around 1 with its distinct IP

address is acclimated for PAT. In absolute practice, you would apperceive at this point if you had

configured the adaptation ambit correctly. Both of these commands provide

enough abstracts for you to accomplish this determination. Once you accept adapted any

errors (the best accepted actuality typos or incorrect IP addresses), you can then

check to see if admission are actuality fabricated and translated.The abutting footfall is to

determine if admission accept been fabricated by application the appearance conn detail command:

PIX1# appearance conn detail

1 in use, 1 best used

Flags: A - apprehension central ACK to SYN, a - apprehension alfresco ACK to SYN,

B - antecedent SYN from outside, D - DNS, d - dump,

E - alfresco aback connection, f - central FIN, F - alfresco FIN,

G - group, H - H.323, I - entering data, M - SMTP data,

O - outbound data, P - central aback connection,

q - SQL*Net data, R - alfresco accustomed FIN,

R - UDP RPC, r - central accustomed FIN, S - apprehension central SYN,

s - apprehension alfresco SYN, U - up

TCP outside:192.168.11.11/24 dmz:192.168.99.2/80 flags UIO

The workstation has accustomed a affiliation to our HTTP server on the

DMZ arrangement (as accepted by its destination port, 80). Notice that the workstation

established the affiliation to the accessible abode of this server rather than

to its centralized DMZ abode (192.168.1.2), which it cannot reach. Now we accept a

valid affiliation attempt, but has the adaptation taken abode as it should? To

determine that, we charge use the abutting command in our toolbox, appearance xlate detail:

PIX1# appearance xlate detail

1 in use, 1 best used

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,

o - outside, r - portmap, s - static

TCP NAT from DMZ:192.168.1.2/80 to outside:192.168.99.2/80 flags ri

This command displays a accepted advertisement of alive adaptation slots.The output

of this command confirms that our host’s attack to admission the Web server at

www.syngress.com

Troubleshooting and Performance Monitoring • Affiliate 10 583

192.168.99.2 has resulted in the actual adaptation to 192.168.99.2. Such

verification is decidedly important if you are accouterment casework that charge be

accessible by alfresco users.

There is one added command that we can use to accumulate advice about

our adaptation operations. It is a alter command and, as such, should be used

sparingly to conserve firewall resources.This command can serve two functions:

tracking and adaptation packet-level action amid hosts (such as the traffic

between our workstation and the Web server) or it can be acclimated if you charge to

determine absolutely which addresses charge to be translated and accepted access.The

latter allotment of this account needs to be explained added fully. Assuming that we did

not apperceive absolutely what the antecedent abode of our workstation was activity to be, it

would be accessible to abduction advice on its attempts to affix to the DMZ

Web server.The command that can accommodate us with the copious advice we

need is the alter packet command.The syntax of the command is as follows:

debug packet [src [netmask ]] [dst

[netmask ]] [[proto icmp] | [proto tcp [sport ]

[dport ]] | [[proto udp [sport ] [dport

]] [rx | tx | both]

In our case, the command we would absolutely access to acquisition out which

addresses are attempting to use our Web server is:

PIX1(config)# alter packet alfresco src 0.0.0.0 netmask 0.0.0.0 dst 192

.168.99.2 netmask 255.255.255.0 rx

This command captures packet abstracts that comes into the alfresco interface destined

for the Web server’s accessible IP address. Since we do not apperceive absolutely which

protocols (TCP, UDP, or ICMP) will be used, we accept autonomous not to specify one.

After we accept captured our data, we can again actuate which translation

parameters we charge to enter.

Failover Cable

Cisco provides a admirable affection alleged failover, wherein the configuration

and operations of one firewall are mirrored to a advancement firewall.

Failover is discussed in detail in Chapter 8. Back application accepted failover

with the failover cable, it is the cable that determines which firewall is

the primary and which is the accessory assemblage in a pairing. The cable

makes this assurance based on which end is acquainted into which

firewall.

As allotment of your PIX firewall troubleshooting knowledge, you need

to apperceive the pinout arrangement acclimated by this cable. To that end, we accept provided

a abundant schematic in Figure 10.16. If failover is not working, you

need to apperceive what your cable agreement should attending like back you

analyze it with a cable tester.

Although all the affairs in the DB15 adapter at anniversary end are

important, you can see that assertive affairs are cross-connected at each

end to analyze the primary end from the accessory end. The primary

firewall is configured by cross-connecting wire 11 (local bung detect) to

wire 12 (primary select). The accessory firewall is bent by crossconnecting

wire 12 (secondary select) to wire 5 (ground). Knowing the

wiring arrangement can accredit you to not alone to analysis your failover cable

but to additionally body one from blemish if necessary.

Failover Cable Pinout

Internal Loopback

Primary Secondary

Power Dectect

Foreign Bung Detect

Receive Data

Power Source

Transmit Data

Local Bung Detect

Plug Driver

Primary Select

Ground

Secondary Select

Checking Routing

The disability to ability a destination is a prime indicator of acquisition problems.

Such problems can be circuitous to troubleshoot, but application a structured approach

to abstract the account can affluence troubleshooting.The PIX firewall uses both static

and activating routing. For activating routing, the PIX supports alone RIP as a

routing protocol; otherwise, the acquisition advice it has is manually entered in

the anatomy of changeless routes.We accessible our acquisition analysis altercation with a

review of the assorted acquisition options accessible on the PIX firewall and how they

interact.

NOTE

The alone acquisition agreement accurate by the PIX firewall at this autograph is

RIP (version 1 and adaptation 2). RIP is discussed briefly in this affiliate as it

pertains to the PIX firewall.

www.syngress.com

574 Affiliate 10 • Troubleshooting and Performance Monitoring

First, let’s analysis the techniques you use to configure acquisition on your PIX,

starting with the simplest (default route) and alee to application RIP to learn

routes. In the simplest configuration, the PIX firewall is configured alone with a

static absence route. For example:

route alfresco 0.0.0.0 0.0.0.0 192.168.99.2 metric 1

This command states that all cartage that does not bout any of the local

interfaces will be beatific to the abutting hop of 192.168.99.2. Assuming this is the only

static avenue configured on the firewall in Figure 10.13, all cartage destined for a

non-local interface on the PIX firewall will be forwarded to RTR1 to ability its

final destination. A distinct changeless avenue such as this one works able-bodied for the simple

configuration in Figure 10.13, but what happens if we accept a added complex

architecture, such as the one credible in Figure 10.14?

Figure 10.14 shows that the cartage from PIX1 charge be forwarded to R2 to

reach 192.168.200.0/24. If we acclimated alone a absence route, any cartage for

192.168.200.0/24 would be beatific to RTR1 and would never ability its destination.

We can boldness this affair by abacus a changeless avenue on PIX1 so it knows area to

forward cartage destined to 192.168.200.0/24.This is able by adding

another (more specific) avenue to the PIX1 configuration:

route central 192.168.200.0 255.255.255.0 192.168.100.2 metric 2

www.syngress.com

Figure 10.13 Absence Avenue Example

192.168.99.4/30

PIX1

Default avenue is RTR1

RTR1

route alfresco 0.0.0.0 0.0.0.0 192.168.99.2 metric 1

192.168.99.2/30

192.168.99.1/30

Internet

Troubleshooting and Performance Monitoring • Affiliate 10 575

In accession to application these changeless methods for routing, the PIX firewall supports

dynamic acquisition application RIP adaptation 1 or adaptation 2. Unlike the advanced range

of options accessible for RIP on Cisco routers, the RIP commands on the PIX

firewall are absolute sparse.

[no] rip default

[no] rip passive

[no] rip adaptation {1 | 2}

[no] rip affidavit [text | md5] key

We will not absorb an disproportionate bulk of time debating the claim of RIP

as a acquisition protocol. Suffice to say, the absence keyword agency that the PIX firewall

advertises a absence avenue out that interface.The acquiescent keyword configures

RIP to accept on, but not acquaint out, a accurate interface.The adaptation keyword

is acclimated to set the adaptation of RIP that the PIX firewall will use. RIP aeon can

authenticate anniversary added to ensure that they accelerate and accept updates from legitimate

peers. RIP is enabled on a per-interface basis.

In Figure 10.15, we accept replaced our statically baffled arrangement with RIP

version 2. Notice how this backup has afflicted the acquisition picture, enabling

the PIX firewall to bigger acclimate to arrangement changes.

www.syngress.com

Figure 10.14 Changeless Routes

Internet

PIX1

Default avenue is R1

RTR1

route alfresco 0.0.0.0 0.0.0.0 192.168.99.2 metric 1

route central 192.168.200.0 255.255.255.0 192.168.100.2 metric 2

192.168.99.2/30

192.168.99.1/30

RTR2

192.168.100.1/30 192.168.100.2/30

192.168.200.0/24

576 Affiliate 10 • Troubleshooting and Performance Monitoring

On PIX firewalls, RIP does not acquaint from interface to interface. In

Figure 10.15, PIX1 is active for updates on its DMZ arrangement and is learning

any routes that ability be present abaft that network. As a result, PIX1 will

know how to ability those networks. Back the acquiescent keyword is used, PIX1 will

not acquaint any RIP routes out its DMZ interface. However, PIX1 will not

advertise those routes to PIX2 or RTR1.This is a limitation of RIP in the PIX

firewall that needs to be bound by abacus a absence avenue to PIX2 (which our

configuration has) and a changeless avenue on R1 to ability any networks abaft PIX1’s

DMZ interface.What PIX1 will acquaint is any of its anon affiliated interfaces

and absence routes, so R1 and PIX2 will be able to ability any anon connected

network on PIX1. PIX2 will be able to ability the networks abaft PIX1’s

DMZ interface back PIX1 is the absence avenue for PIX2.

This limitation of RIP ability not be such a limitation. In absolute practice, any

addresses that leave or access PIX1 accompanying to the alfresco interface would actually

be translated. In the case of RTR1, it does not charge to apperceive about the networks

behind PIX1’s DMZ arrangement back those addresses would be translated to a

public address, which RTR1 would apperceive to accelerate to PIX1 for processing.

www.syngress.com

Figure 10.15 RIP Routing

DMZ

192.168.200.0/24

DMZ

Default avenue is abstruse from R1

rip central default

rip central adaptation 2

rip alfresco adaptation 2

rip central affidavit argument countersign 2

rip DMZ passive

route central 192.168.200.0 255.255.255.0 192.168.100.2 metric 1

INSIDE

192.168.100.0/30

PIX2

192.168.1.0/24

OUTSIDE

192.168.99.0/30

rip central adaptation 2

rip central affidavit md5 countersign 2

Internet

RTR1

PIX1

Troubleshooting and Performance Monitoring • Affiliate 10 577

One botheration is absolutely credible in our agreement in Figure 10.15.There is

an affidavit conflict amid PIX1 and PIX2. PIX1 is application a bright text

password for authentication, while PIX2 is application MD5. Although the countersign is

the aforementioned on both sides, the encryption abode is different.The aftereffect is that

RIP acquisition will not assignment amid them, as altercation on the password

encryption abode will anticipate the aeon from accepting to anniversary other,

which will anticipate the barter and accepting of acquisition updates.

Another abeyant admiration that you charge to be active for is conflicting

versions of RIP.The best cogent aberration is that RIP adaptation 1 broadcasts

to an all-hosts advertisement abode of 255.255.255.255.Version 2 about multicasts

to the aloof IP multicast abode of 224.0.0.9. Additionally, adaptation 2 supports

authentication, admitting adaptation 1 does not.When troubleshooting routing

problems with RIP, attending at the agreement of the accessories area acquisition is not

working, and analysis to accomplish abiding that all your acquisition aeon accede on the version.

If you are application RIP adaptation 2 with authentication, ensure that the aforementioned password

and the aforementioned encryption adjustment are acclimated on both. Support for RIP version

2 was alien in PIX software adaptation 5.1. Prior versions cannot

interoperate with RIP adaptation 2 speakers, so accumulate the RIP adaptation differences in

your apperception as you troubleshoot. Support for RIP adaptation 2 multicast was introduced

in adaptation 5.3. Prior versions could alone handle broadcasts.

Having advised how the PIX gets its routes, we now about-face our absorption to

troubleshooting back the PIX is clumsy to ability a accurate destination or when

it does not accept a avenue to a accurate destination.Your accoutrement of best for

troubleshooting acquisition issues on the PIX are primarily appearance route, appearance rip, and

ping . Actuate if there is a reachability botheration by attempting to ping the destination.

If that fails, use appearance avenue to actuate if there is a avenue (static or RIP)

to ability the network.You can use the appearance rip command to affirm your

dynamic acquisition configuration.The ping command should be a litmus analysis to

verify that the destination cannot be reached.The syntax of the ping command is

as follows:

ping []

For example:

PIX1# ping 192.168.99.2

192.168.99.2 acknowledgment accustomed — 20ms

Does the PIX accept a absence route, a changeless route, or alike a dynamically

learned route? Analysis your acquisition table with the appearance avenue command. For

example:

PIX1# appearance route

outside 192.168.99.0 255.255.255.252 192.168.99.1 1 CONNECT static

inside 192.168.100.0 255.255.255.252 192.168.100.1 1 CONNECT static

DMZ 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static

In our case, 192.168.99.2 is on our anon affiliated alfresco network.To

perform a side-by-side allegory of RIP peers, use the appearance rip command. In

Figure 10.17, we are attractive at the RIP agreement of PIX1 and PIX2; notice

how the mismatches amid the versions and affidavit abode are

readily apparent.

Figure 10.17 Identifying RIP Agreement Errors

PIX1# appearance rip

rip central default

rip central adaptation 1

rip alfresco adaptation 2

rip central affidavit argument cisco1 2

rip DMZ passive

PIX2# appearance rip

rip central adaptation 1

rip alfresco adaptation 1

rip central affidavit md5 cisco2 2

rip DMZ passive

The aftereffect of this agreement is that RIP will not assignment amid PIX1 and

PIX2 back they do not accede on any of the parameters. A adapted configuration

that will assignment is provided in Figure 10.18.

Figure 10.18 RIP Agreement Fixed

PIX1# appearance rip

rip central default

rip central adaptation 2

rip alfresco adaptation 2

www.syngress.com

Continued

580 Affiliate 10 • Troubleshooting and Performance Monitoring

rip central affidavit md5 cisco2 2

rip DMZ passive

PIX2# appearance rip

rip central adaptation 2

rip alfresco adaptation 2

rip central affidavit md5 cisco2 2

rip DMZ passive

We achieve our altercation of RIP with the bright rip command, which

should alone be acclimated back you accept fabricated a audible accommodation that you no longer

need to use RIP.This command removes all absolute RIP commands and parameters

from the configuration.

Checking Addressing

As with any IP device, unless basal IP acclamation and operation are configured

correctly and working, none of your PIX firewall troubleshooting efforts

regarding routing, admission lists, and adaptation will matter.This point cannot be

overstressed: Acclamation charge be actual in adjustment for the PIX firewall to function.

Figure 10.10 shows PIX1 and PIX2 affiliated to anniversary other.

www.syngress.com

572 Chapter 10 • Troubleshooting and Performance Monitoring

In the figure, there is an acclamation botheration on the LAN abutting the two

firewalls (which is labeled DMZ in the configuration). For starters, PIX1 has a

subnet affectation of /30, while FW2 has a affectation of /29 for the DMZ network

(192.168.99.0), a accepted arrangement amid them.This is accepted application the

show ip abode command on both firewalls. Notice the differences accent in

the command achievement apparent in Amount 10.11.

Figure 10.11 IP Abode Configuration

PIX1# appearance ip address

System IP Addresses:

ip abode alfresco 192.168.99.5 255.255.255.252

ip abode DMZ 192.168.99.1 255.255.255.252

Current IP Addresses:

ip abode alfresco 192.168.99.5 255.255.255.252

ip abode DMZ 192.168.99.1 255.255.255.252

PIX2# appearance ip address

System IP Addresses:

ip abode alfresco 192.168.99.9 255.255.255.252

ip abode DMZ 192.168.99.2 255.255.255.248

Current IP Addresses:

ip abode alfresco 192.168.99.9 255.255.255.252

ip abode DMZ 192.168.99.2 255.255.255.248

The fix actuality is artlessly to actual the affectation on PIX2. As on Cisco routers, the

show interface command can additionally be acclimated to analysis acclamation on your PIX firewall,

as apparent in Amount 10.12.

www.syngress.com

Figure 10.10 IP Acclamation Problem

RTR1

192.168.99.4/30 192.168.99.8/30

192.168.99.1/30

PIX1 PIX2

DMZ 192.168.99.2/29

Troubleshooting and Performance Monitoring • Chapter 10 573

Figure 10.12 Abode Verification Application the appearance interface Command

PIX1# appearance interface

interface ethernet0 "DMZ" is up, band agreement is up

Hardware is i82559 ethernet, abode is 0008.e317.ba6b

IP abode 192.168.99.1, subnet affectation 255.255.255.252

MTU 1500 bytes, BW 100000 Kbit bisected duplex

2 packets input, 258 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 ascribe errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

11 packets output, 170 bytes, 0 underruns, 0 unicast rpf drops

0 achievement errors, 0 collisions, 0 interface resets

0 babbles, 0 backward collisions, 0 deferred

0 absent carrier, 0 no carrier

input chain (curr/max blocks): accouterments (128/128) software (0/1)

output chain (curr/max blocks): accouterments (0/2) software (0/1)

Regardless of the adjustment you use, verify that all interface IP addresses are

correct afore proceeding any added in your troubleshooting efforts. Incorrect

addressing will anticipate avant-garde appearance of the PIX firewall from working, even

if you configure them correctly. After all, all cartage charge canyon through at atomic two

interfaces, and the interfaces charge be addressed correctly.

Troubleshooting Connectivity

In adjustment to accomplish its duties, a PIX firewall charge be able to adeptness its destinations.

Its adeptness to canyon cartage from antecedent to destination is afflicted by factors

such as routing, abode translation, admission lists, and so on.Translation can be

www.syngress.com

Figure 10.9 Multimode Fiber Optic Cable

50 or 62.5/125

50 or 62.5

125

Glass Core

Refracted Light

from End to End

Multimode Fiber Optic

(Used by PIX Firewall Gigabit Ethernet Interfaces)

Troubleshooting and Performance Monitoring • Chapter 10 571

particularly analytical back all addresses charge be translated in adjustment for centralized and

external networks to acquaint with anniversary other.

Get in the addiction of active bright xlate to bright any accepted translations

whenever you accomplish a change to NAT, global, static, admission lists, conduits, or anything

that depends on or is allotment of translation. Back adaptation is binding on

PIX firewalls, this covers aloof about any affection you can configure. Failure to

delete absolute translations will account abrupt behavior.

Remember how interfaces of altered aegis levels assignment with anniversary other.

Traffic from a college aegis akin to a lower aegis akin is acceptable by

default but still requires translations to be set up.Traffic from a lower security

level to a college aegis akin (such as alfresco to inside) requires an admission account or

conduit, as able-bodied as agnate translations.

We covered syslog abundantly in Chapter 6, but it bears repeating that you

should get in the addiction of blockage log messages. Syslog provides an ongoing,

real-time address of activities and errors—information that can be basic to troubleshooting

success.The advice syslog provides can advice you booty your aboriginal or

next step, so ensure that you advance your syslog account habits.This can be particularly

useful in anecdotic errors with admission lists and translation. For example,

if a host on a lower aegis akin interface wants to acquaint with a host on

a college aegis akin interface and adaptation is enabled for it, but no conduit

or admission account is configured, the afterward bulletin will be logged:

106001: Inbound TCP affiliation denied from x.x.x.x/x to x.x.x.x/x

This is your aboriginal clue that you charge an admission account or aqueduct to admittance this

access. If the about-face is the case (access account or aqueduct is present, but no translation

is configured), the afterward bulletin will be logged:

305005: No adaptation accumulation begin for...

For added advice about syslog bulletin numbers and descriptions, see

www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/syslog/

pixemsgs.htm.

Troubleshooting PIX Cabling

After you accept absolute that the PIX accouterments is functional, your abutting step

in troubleshooting should be to approve cabling. Unlike routers, which use a

wide array of cables, the PIX firewall has a almost bound cardinal of cable

types that we affliction about in the ambience of troubleshooting: Ethernet and failover

cables.

Certain models of the PIX firewall abutment Token Ring and FDDI networks

in earlier software versions (up to adaptation 5.3). Cisco has discontinued the auction of

Token Ring and FDDI for PIX firewalls starting August 2001 and June 2001,

respectively. Abutment is slated to cease in August 2006 and June 2006, respectively.

We do not altercate Token Ring or FDDI cables in this book.

Regardless of the cables you are troubleshooting, you should accept a structured

approach.Table 10.2 summarizes some accomplish you should aboriginal booty to check

your cabling. Ensure that you accomplish these accomplish to abstain missing a minor

cabling annihilate that could be causing a above problem.

www.syngress.com

568 Chapter 10 • Troubleshooting and Performance Monitoring

Table 10.2 Cable Troubleshooting Checklist

Problem Troubleshooting Step

Correct cable affiliated to the Analysis cable and verify aperture and port

correct interface? number.

Correct end of cable affiliated Failover cable only: Primary end to the

to actual interface? primary firewall and accessory end to the

secondary firewall.

Correct cable blazon affiliated Cross cables, rollover cables, and so on to

to equipment? the actual ports.

Cable pinouts correct? Visually audit and analysis with cable tester.

Cable absolute as good? Analysis with a cable tester or bandy with known

good accessories and test.

All PIX firewalls abutment 10Mbps or 100Mbps Ethernet, but alone the highend

models such as 525 and 535 abutment Gigabit Ethernet.This makes sense

when you accede the accommodation accessible on anniversary model:The lower-end models

would be afflicted by the accession of alike a distinct Gigabit Ethernet interface.

As of this writing, the PIX 535 provides 9Gbps of clear-text throughput, the

525 provides 360Mbps, the 515 provides 188Mbps, the 506 provides 20Mbps, and

the 501 provides 10Mbps. At the concrete layer, the primary affair you will face is

to ensure that the actual Ethernet cables are actuality acclimated and that they are wired

correctly. Figure 10.7 shows the pinouts that you should be application for Ethernet

and Fast Ethernet cables.

www.syngress.com

Figure 10.7 Ethernet Cable Pinouts

White-Green

Green

White-Orange

Blue

White-Blue

Orange

White-Brown

Brown

568A

Cable

White-Orange

Orange

White-Green

Blue

White-Blue

Green

White-Brown

Brown

568B

RJ45 10/100Base Ethernet

Pin 1

Cable

Pin 1

Troubleshooting and Performance Monitoring • Chapter 10 569

Two base schemes for the RJ45 accepted are acclimated for 10/100 Ethernet:

TA568A and TA568B credible in Figure 10.7. It is important that your cable

adhere to one of these standards to anticipate arrest (crosstalk). If you were to

dismantle a RJ45 cable, you would see that there are four pairs of wires. In each

pair, the two affairs are askance about anniversary added to abbreviate crosstalk. If you

were to aces affairs at accidental and coil them into the RJ45 adapter to make

an Ethernet cable, affairs are you would acquaintance problems with your cables.

The base arrangement of the TA568A/B accepted is optimized to anticipate such

interference.

The action of troubleshooting cabling is almost accessible because there are

numerous cable testers on the market, alignment from simple pin-checking devices

(like the ones you can acquisition at www.copperandfibertools.com/testers.asp) to

expensive, full-featured testers such as those offered by Accident (www.fluke.com).

The time that these accessories save able-bodied justifies their antecedent cost.

The aboriginal footfall in acceptance 10/100 Ethernet chestnut cables is to visually inspect

the cable for breaks. Analysis the base pinouts adjoin Figure 10.7. If they match

and arise to be in acceptable concrete shape, the abutting footfall is to analysis the cable application a

cable tester. Most cable testers will acquiesce you to map the wiring; pin mismatches

are a accepted problem. If you still accept problems with afterwards it passes the cable

tester, try application a altered cable. Affairs are, you accept a attenuate bad mix of plastic

and metal agreement that went into the authoritative of that cable and it is interfering

with the cable’s adeptness to carriage electrons. If you do not accept a cable

tester and are not abiding of the cable, alter it.

PIX firewall models 525 and 535 abutment full-duplex Gigabit Ethernet (GE).

The GE interfaces use SC multimode cilia optic cables: one cilia for receive

and the added for transmit, as credible in Figure 10.8. It is important that you cable

the wire with the actual cable to the actual connector.

www.syngress.com

Figure 10.8 Gigabit Ethernet SC Cilia Optic Connector

Multimode Cilia Optic Cable

Usually orange.

Marked with 62.5/125

LINK

Notched and slotted

connectors

570 Chapter 10 • Troubleshooting and Performance Monitoring

Fortunately, the SC adapter Cisco uses prevents us from inserting the cable

incorrectly.The adapter on the cable is alveolate to fit the slotted jack on the

interface card.You charge to accept a little about cilia optic cables to effectively

use them with your PIX firewall. Cilia optic is either distinct approach or

multimode.The PIX firewall GE interfaces use multimode fiber, which refracts

light, as credible in Figure 10.9.

The cilia optic industry adheres actual carefully to its standards. As a result, usually

you can visually actuate whether you accept a multimode or single-mode

fiber optic cable absorbed by its color. Single-mode cables are chicken and have

markings bottomward their abandon advertence their amplitude in microns. Multimode fiber

optic cable acclimated by PIX firewalls is orange and is numerated with either 50 or

62.5 microns, advertence the admeasurement of its bottle amount bottomward which ablaze is sent.The

cladding arranged in the bottle amount is the aforementioned admeasurement for both cables: 125 microns.

This is a accepted aphorism of deride only; some manufacturers action custom colors or

do not attach to the accepted blush scheme.

As with twisted-pair cable for Ethernet and Fast Ethernet, you can use a cable

tester to verify your cilia optic cable. Unlike chestnut cables, cilia optic cables are

very cruel of abortion to attach to bound specifications. If you fabricated the cable

that you are application and it is not working, allowance are actual acceptable that you fabricated an

error (poor crimping, bereft polishing, or the like). It is in such situations

that the amount of a acceptable cable tester becomes apparent. Unless you are a certified

fiber optic technician, it is a acceptable abstraction to leave the cilia optic cable authoritative to

the professionals who specialize in it.

Troubleshooting PIX Hardware

Knowing the accommodation of anniversary PIX firewall archetypal can be accessible in acceptance your

configuration and troubleshooting. Such adeptness can accelerate your problemsolving

process from the access by enabling you to actuate how to interpret

the affection you are witnessing. If you use the amiss firewall archetypal for the

wrong function, no bulk of troubleshooting is action to accomplish it work.

It can be said that your troubleshooting absolutely starts with your network

design and aegis planning.There are several models of the PIX firewall, each

capable of acknowledging assertive numbers and types of arrangement interfaces. Each

model has its own aerial absolute on the cardinal of best accompanying connections,

as apparent in Figure 10.1.The specific models were discussed at breadth in

Chapter 2, so in Table 10.1 we accommodate alone a snapshot of anniversary model.

Table 10.1 PIX Firewall Archetypal Appearance and Capabilities

Model Interface Types Best Cardinal Failover

Supported of Interfaces Support

501 Ethernet Anchored 10BaseT

Fast Ethernet Four-port 10/100 about-face No

506 Ethernet Two anchored 10/100 Ethernet No

End of Sale Fast Ethernet

506E Ethernet Two anchored 10/100 Ethernet No

Fast Ethernet

515 Ethernet Two anchored 10/100 Ethernet Yes

End of Sale Fast Ethernet Two amplification slots

Maximum: Six ports

www.syngress.com

Continued

Troubleshooting and Achievement Monitoring • Affiliate 10 557

Model Interface Types Best Cardinal Failover

Supported of Interfaces Support

515E Ethernet Two anchored 10/100 Ethernet Yes

Fast Ethernet Two amplification slots

Maximum: Six ports

520 Ethernet Two anchored 10/100 Ethernet Yes

End of Sale Fast Ethernet Six interface slots

Maximum: Six ports

525 Ethernet Two anchored 10/100 Ethernet Yes

Fast Ethernet Four interface slots

Gigabit Ethernet Maximum: Eight ports

535 Ethernet Nine interface slots Yes

Fast Ethernet Maximum: 10 ports

Gigabit Ethernet

The “E” at the end of assertive models indicates a faster processor and wider

backplane, acceptation the firewall can handle greater cartage loads. Failover is

supported alone on PIX firewall models 515 and up, article you charge to

remember in your planning.

It is important to apperceive whether the PIX firewall you are application is adequate

for the demands planned for it. For example, if you accept a arrangement on which

100,000 accompanying access will be requested through the firewall and you

are application a PIX 501, the firewall will anon become chock-full and be virtually

unusable. In this scenario, no bulk of troubleshooting and configuration

will accredit the PIX 501 to abutment the load.The accommodation of anniversary firewall model

is important because it determines the bulk that can be placed on that firewall.

Overloading your firewall is an allurement to crashes or congestion. Underloading

a PIX firewall, although abundant for performance, can be careless in agreement of

unused accommodation and budgetary acknowledgment on investment. For example, if you accept a

network on which there will never be added than 200 accompanying connections,

installing a PIX 535 agency that you will not compensate your accouterments or software

investment, although achievement will be fantastic.

The altered models abutment altered types of interfaces and in specific

quantities, as apparent in Table 10.1. Not apparent in the table is the actuality that Token

Ring and FDDI are additionally accurate by several of the models. Cisco accomplished PIX

firewall abutment for Token Ring and FDDI networks, starting with PIX software

version 5.3. As a aphorism of thumb, do not mix and bout interfaces: Configure the

PIX firewall as all Token Ring, all Ethernet, or all FDDI. Maintaining such

www.syngress.com

Table 10.1 Continued

558 Affiliate 10 • Troubleshooting and Achievement Monitoring

network abstention reduces the accountability on the PIX firewall back it will not accept to

translate amid the altered LAN formats. Alone models 515 up and support

interfaces added than Ethernet.

The PIX firewall has a arrangement for anecdotic its arrangement interfaces, which

you charge to accept in adjustment to troubleshoot the adapted allotment of hardware. Not

knowing how interfaces are abundant and articular can absorb valuable

time that could contrarily be acclimated for troubleshooting. Figure 10.2 shows how to

“read” the arrangement interface identification scheme. Interface agenda numbering

starts with 0 at the right, with agenda aperture numbers accretion as you go left.The

slot in which the agenda is installed determines the cardinal that is accustomed to that

card. Modular ports are numbered sequentially starting at the top, again larboard to

right, starting with 0 for the anchorage at the larboard of the advanced card.

For example, the leftmost anchorage on an Ethernet interface agenda installed in Slot

2 would be articular as Ethernet 10. Anchored interfaces are aboriginal numerically

starting on the adapted at 0, again the abutting anchored interface to the larboard is 1.The first

installed arrangement interface agenda anchorage would be Ethernet 2. It is important that

you apprentice this arrangement not alone to analyze the specific cards but to additionally ensure

that your agreement and troubleshooting efforts focus on the actual interface.

The anamnesis architectonics of the PIX firewall is somewhat agnate to that of

Cisco routers with the barring that there is no NVRAM memory.The PIX

uses beam anamnesis to abundance the firewall operating arrangement (image) as able-bodied as the

configuration file. Capital anamnesis is acclimated to handle abstracts actuality processed. As a rule

of thumb, the beam anamnesis should be big abundant to authority the software image

and the configuration. Of all the anamnesis types, capital anamnesis can potentially

have the best cogent appulse on achievement back it is the alive amplitude of

the firewall. Capital anamnesis is acclimated to abundance abstracts that is cat-and-mouse to be candy or

forwarded.You can never accept too much, and you will absolutely apprehension when

you accept too little, because packet accident will access or IPsec cartage will become

lossy or laggardly.

Each firewall has beheld indicators of operation in the anatomy of light-emitting

diodes (LEDs).These LEDs alter by model, but some are accepted to all. Figure

10.3 shows several PIX firewall LEDs and their meanings. Nurturing your

knowledge of these LEDs will accredit you to alpha your Band 1 troubleshooting

from the outside.

www.syngress.com

Troubleshooting and Achievement Monitoring • Affiliate 10 559

www.syngress.com

Figure 10.2 PIX Firewall Interface Numbering

PIX Models 515

and above.

Slot determines the number, with everyman port

number at larboard and accretion to the right.

Ports are numbered from top, larboard to right,

starting everyman at the advanced left.

Fixed interfaces are numbered first. Fixed

PIX Models 506

and below.

Fixed anchorage agreement only!

Ports are numbered low to high,

right to left.

2 3 4 5

6 7 8 9

Fixed

Figure 10.3 PIX Firewall LED Indicators

100Mbps

FDX

LINK

POWER

ACT (Rear)

NETWORK

Lit: 100Mbps.

Unlit: 10Mbps.

Lit: abounding duplex.

Unlit: half-duplex.

Lit: arrangement is casual data.

Unlit: no arrangement traffic.

Lit: interface is casual traffic.

Unlit: interface is not casual traffic.

Lit: Assemblage has power.

Unlit: Assemblage has no power.

Flashing: >1 interface is casual traffic.

Unlit: No interfaces are casual traffic.

ACT (Front) PIX Archetypal Determines Meaning

Flashing: Angel is loaded.

Lit: Alive assemblage in failover pair.

Unlit: Standby assemblage in failover pair.

560 Affiliate 10 • Troubleshooting and Achievement Monitoring

Study the advice in Figure 10.3.The LEDs can be lit, unlit, or flashing,

all of which announce specific conditions.The ACT LED, back it can arise on

both the advanced and rear of the PIX, deserves adapted attention. On assertive models,

such as the PIX 506 and 506E, the advanced LED flashes to announce that the PIX

software angel has been loaded.When you’re troubleshooting, this indicator

would be acceptable to acquaint you if your software angel has been loaded correctly

or not at all. On higher-end models such as the 515 and up, the aforementioned LED indicates

which PIX firewall is alive and which is standby in a failover pair.This

information can be actual advantageous in free if your failover agreement is

cabled correctly.

During the PIX cossack sequence, the power-on self-test (POST) can accommodate a

wealth of advice to advice actuate from the access whether the PIX firewall

is advantageous or ill.We use an archetype cossack arrangement (see Figure 10.4) to guide

our discussion.

Figure 10.4 PIX Firewall Bootup

CISCO SYSTEMS PIX-501

Embedded BIOS Adaptation 4.3.200 07/31/01 15:58:22.08

Compiled by morlee

16 MB RAM

PCI Device Table.

Bus Dev Func VendID DevID Class Irq

00 00 00 1022 3000 Host Bridge

00 11 00 8086 1209 Ethernet 9

00 12 00 8086 1209 Ethernet 10

Cisco Secure PIX Firewall BIOS (4.2) #6: Mon Aug 27 15:09:54 PDT 2001

Platform PIX-501

Flash=E28F640J3 @ 0x3000000

Use BREAK or ESC to arrest beam boot.

Use SPACE to actuate beam cossack immediately.

Reading 1536512 bytes of angel from flash.

#########################################################################

16MB RAM

Flash=E28F640J3 @ 0x3000000

www.syngress.com

Continued

Troubleshooting and Achievement Monitoring • Affiliate 10 561

BIOS Flash=E28F640J3 @ 0xD8000

mcwa i82559 Ethernet at irq 9 MAC: 0008.e317.ba6b

mcwa i82559 Ethernet at irq 10 MAC: 0008.e317.ba6c

----------------------------------------------------------

|| ||

|||| ||||

..:||||||:..:||||||:..

c i s c o S y s t e m s

Private Internet eXchange

---------------------------------------------------------

Cisco PIX Firewall

Cisco PIX Firewall Adaptation 6.2(2)

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES: Disabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: 10

Throughput: Limited

IKE peers: 5

****************************** Warning *******************************

Compliance with U.S. Export Laws and Regulations - Encryption.

<<>>

******************************* Warning *******************************

Restricted Rights Legend

www.syngress.com

Figure 10.4 Continued

Continued

562 Affiliate 10 • Troubleshooting and Achievement Monitoring

<<>>

Cryptochecksum(unchanged): 38a9d953 0ee64510 cb324148 b87bdd42

Warning: Alpha and End addresses overlap with advertisement address.

outside interface abode added to PAT pool

Address ambit subnet is not the aforementioned as central interface

The cossack arrangement identifies the adaptation of the PIX operating arrangement loaded

on firmware acclimated to initially boot. In this example, it is 4.3.200.This is important

to apperceive because this is the OS that will be acclimated if there is no software angel in

flash memory. Apprehension that the aboriginal band identifies the archetypal of firewall—information

that can be advantageous if you are blockage the firewall remotely.

After the POST is complete, the software angel installed in beam is loaded

and takes over from that point, as adumbrated by the “Reading 1536512 bytes of

image from flash” line.The PIX firewall runs its checksum calculations on the

image to validate it.The OS in the firmware is additionally validated.This is a band of

protection adjoin active a besmirched operating system. In Figure 10.4, the

image loaded from beam anamnesis recognizes two Ethernet interfaces present on

this assemblage and displays the MAC addresses associated with them.

The cossack affectation provides advice about the PIX firewall hardware.

Figure 10.4 shows that this accurate assemblage has 16MB of capital memory, something

that can be a achievement factor, as ahead discussed. Added types of hardware

such as interfaces (quantity and type) and associated IRQ advice are identified

as well.

Some actual advantageous advice about the appearance accurate by this firewall

can save you endless hours of frustration. For starters, the exact adaptation of the

operating arrangement is identified—version 6.2(2), in this case. Added important, the

features accurate by this firewall are acutely enumerated. For example,VPN-DES

is supported, admitting VPN-3DES is not.This makes faculty back we are attractive at

a low-end PIX 501 with a bound authorization for 10 hosts and 5 IKE peers.This firewall

supports cut-through proxy and URL filtering.

The aftermost few curve of the cossack awning can highlight errors that the operating

system encountered back it parsed the agreement file.You should abstraction these

messages and actuate if and how you charge fix them. In our example, we have

several problems with the way we accept allocated our IP addresses.We additionally know

that the alfresco interface abode is now allotment of the PAT pool, which is something

that we adeptness or adeptness not want, depending on our accurate situation.

www.syngress.com

Figure 10.4 Continued

Troubleshooting and Achievement Monitoring • Affiliate 10 563

Once the firewall has completed booting, you can abide your hardware

verification efforts application commands provided by Cisco.These are several commonly

used commands to analysis the agreement and bloom of your PIX firewall

at Band 1. Figure 10.5 illustrates the appearance adaptation command, which provides a

quick snapshot of your PIX firewall. Advice provided by this command

includes interface information, consecutive numbers, and so on, as apparent in the command

output in Figure 10.5. Use this command back you charge information

about your firewall’s software and hardware. Some of the achievement is agnate to what

you saw during the cossack sequence.

Figure 10.5 The appearance adaptation Command

PIX1> appearance version

Cisco PIX Firewall Adaptation 6.2(2)

Cisco PIX Device Manager Adaptation 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

PIX1 up 23 secs

Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz

Flash E28F640J3 @ 0x3000000, 8MB

BIOS Beam E28F640J3 @ 0xfffd8000, 128KB

0: ethernet0: abode is 0008.e317.ba6b, irq 9

1: ethernet1: abode is 0008.e317.ba6c, irq 10

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES: Disabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: 10

Throughput: Limited

IKE peers: 5

www.syngress.com

Continued

564 Affiliate 10 • Troubleshooting and Achievement Monitoring

Serial Number: 406053729 (0x1833e361)

Running Activation Key: 0xc598dce8 0xf775fc1c 0xbd76cee8 0x3f41e74b

Configuration aftermost adapted by at 06:28:16.000 UTC Thu Feb 7 2036

The aboriginal allotment of this command identifies the adaptation of OS that is loaded and

being acclimated as able-bodied as the adaptation of PIX Device Manager (PDM). Abutting in the

output you see the bulk of time that has delayed back the assemblage was powered

on.This advice is advantageous because it can appearance if your PIX firewall was

rebooted or power-cycled recently.The appearance adaptation command gives additional

details such as the model, bulk of accessible memory, and CPU acceleration and type.

It additionally tells you the bulk of beam and BIOS memory.When troubleshooting,

you should apperceive this advice in adjustment to actuate if the demands placed

on the assemblage are reasonable.This assemblage has two Ethernet interfaces; apprehension that their

MAC addresses are enumerated.The aftermost allotment of the achievement provides the serial

number of this assemblage as able-bodied as the activation key acclimated to actuate the image.

Although it is not analytical to troubleshooting, it adeptness be all-important to provide

this advice to Cisco TAC should you charge to alarm them for assistance.

When you’re troubleshooting, the appearance adaptation command should be one of the

first (if not the first) commands that you assassinate to access a basic inventory

of the PIX firewall. It is abnormally basic that you apperceive which appearance are

supported by the firewall afore you actuate troubleshooting; otherwise, you could

squander admired time aggravating to actuate why an bottomless featured is not

working.When attractive at the achievement of the appearance adaptation command, ensure that

you agenda the MAC addresses of the interfaces; this advice can be advantageous in

resolving Band 2 to Band 3 address-mapping issues.

The appearance interface command apparent in Figure 10.6 is a apparatus that can provide

information applicative to altered layers of the troubleshooting process. It provides

details on the arrangement interfaces. As with Cisco routers, this command

enables you to analysis the accompaniment of an interface and actuate if it is operational.

You can additionally see what anniversary interface is labeled.This command and its associated

output are discussed afterwards in the chapter.

Figure 10.6 The appearance interface Command

interface ethernet1 “inside” is up, band agreement is up

Hardware is i82559 ethernet, abode is 0008.e317.ba6c

www.syngress.com

Figure 10.5 Continued

Continued

Troubleshooting and Achievement Monitoring • Affiliate 10 565

IP abode 10.10.2.1, subnet affectation 255.255.255.0

MTU 1500 bytes, BW 10000 Kbit abounding duplex

4 packets input, 282 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 ascribe errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

4 packets output, 282 bytes, 0 underruns

0 achievement errors, 0 collisions, 0 interface resets

0 babbles, 0 backward collisions, 0 deferred

0 absent carrier, 0 no carrier

input chain (curr/max blocks): accouterments (128/128) software (0/1)

output chain (curr/max blocks): accouterments (0/1) software (0/1)

The achievement of the appearance interface command has advantageous account to the

troubleshooting process. However, if you do not apperceive how to apprehend the output,

the deluge of advice presented will be of little value. One of the first

things you charge to actuate with this command is if you appetite a particular

interface to serve a accurate network. In our example, Ethernet 1 is considered

the “inside” network. As a allotment of our troubleshooting, we would ensure that

Ethernet 1 is absolutely affiliated to our “inside” network.The MAC address

assigned to this interface is listed, as is the blazon of interface (Ethernet).

The best manual assemblage (MTU) specifies the best packet size

that this interface can canyon afterwards accepting to fragment it.Anything beyond will be

broken into the adapted cardinal of frames to accredit access through this

interface.This can be an affair if you accept accessories that accelerate ample frames.This command

also verifies the bifold operation of the interface; anamnesis that the interface

also has a full-duplex LED that you can use. Bifold mismatches amid the PIX

and LAN switches are a accepted botheration and can be a headache. Ensure that the

speed and bifold settings bout on the PIX firewall and the switch.

There is a packet adverse for entering and outbound packets.This indicator

tracks how abounding packets accept transited this interface and the absolute cardinal of

bytes that these packets constituted.The “no buffer” adverse is abnormally important

to troubleshooting because it indicates the cardinal of times that there were

no buffers to abundance admission packets until they could be candy by the CPU.

If this adverse increments, the interface is accepting added packets than it can

handle. In this case, you charge to advancement to a higher-capacity interface or throttle

back the admission traffic. Anniversary interface additionally has counters for tracking broadcasts

and errors:

www.syngress.com

Figure 10.6 Continued

566 Affiliate 10 • Troubleshooting and Achievement Monitoring

broadcasts Packets beatific to the Band 2 advertisement abode of this interface.

runts Packets accustomed that were beneath than Ethernet’s 64-byte minimum

packet size.

giants Packets accustomed that were greater than Ethernet’s 1518-byte

maximum packet size.

CRC Packets that bootless the CRC absurdity check.Test your cables and also

ensure there is no crosstalk or interference.

anatomy Framing errors in which an incorrect Ethernet anatomy blazon was

detected. Accomplish abiding you accept the adapted anatomy blazon configured on

all your hosts.

beat Ascribe bulk exceeded the interface’s adeptness to buffer.

ignored/abort These counters are for approaching use.The PIX does not

currently avoid or arrest frames.

collisions Cardinal of transmitted packets that resulted in a collision.

On a half-duplex interface, collisions do not necessarily announce a

problem, back they are a actuality of Ethernet life.

underrun Indicates that the PIX was too afflicted to get abstracts fast

enough to the arrangement interface.

babbles This is an bare counter. Babbles announce that the transmitter

has been on the interface best than the time taken to address the

largest frame.

backward collisions Collisions that occurred afterwards the aboriginal 64 bytes of transmission.

Unlike accustomed collisions, these announce a problem. Usually late

collisions are acquired by adulterated cabling, continued cables beyond specifiication,

or an boundless cardinal of repeaters.

deferred Packets that had to be deferred because of action on the

link.This about indicates a chock-full arrangement back the interface has

to accumulate abetment off to acquisition an accessible address window to send; this

can become a assiduity botheration that consumes absorber amplitude as outgoing

packets accept to be stored until a address windows opens.

absent carrier The cardinal of times the arresting was lost.This can be

caused by issues such as a about-face actuality shut off or a apart cable.

no carrier This is an bare counter.

www.syngress.com

Troubleshooting and Achievement Monitoring • Affiliate 10 567

NOTE

On a full-duplex interface, you should never see collisions, backward collisions,

or deferred packets.

The chain counters accredit to the bulk of abstracts (measured in bytes) queued

for accession and transmission.These counters accommodate a snapshot of what is currently

queued at the time the command is issued.The queues will be depleted if

the firewall receives added cartage than it can handle.When a packet is first

received at an interface, it is placed in the ascribe accouterments queue. If the hardware

queue is full, the packet is placed in the ascribe software queue.The packet is then

placed into a 1550-byte block (a 16384-byte block on 66MHz Gigabit Ethernet

interfaces) and anesthetized to the operating system. Once the firewall has determined

the achievement interface, the packet is placed in the adapted achievement hardware

queue. If the accouterments chain is full, the packet is placed in the achievement software

queue.

In either the ascribe or achievement software queue, if the best blocks are

large, the interface is actuality overrun. If you apprehension this situation, the alone way to

resolve it is to abate the bulk of cartage or to advancement to a faster interface.