All Cisco-Network Study Notes: Identification (IDENT) Protocol and PIX Performance

Identification (IDENT) Protocol

and PIX Performance

There is one accurate agreement that we charge to abode because it affects PIX

performance.This is the identification agreement defined in RFC 1413.The

purpose of this agreement is to accredit HTTP, FTP, or POP servers to affirm the

identity of clients.When a applicant connects to one of these ports, a server running

IDENT will attack to affix to TCP anchorage 113 on the client. If successful, the

server will apprehend assertive anecdotic abstracts from the applicant machine. In theory, this

process would abate spam or adulterine acceptance by banishment users to affix from

legitimate sources. In practice, the IDENT agreement can be baffled easily.

Users abaft a PIX firewall are adequate from IDENT by default. Back the

IDENT agreement provides advice about the user, it can accommodate capacity about

the centralized network, which can be a abuse of your aegis policy.The PIX

firewall, like any acceptable firewall, prevents this admission of centralized capacity to the outside.

However, the downside of this aegis is that users could apperceive a very

noticeable adjournment in the server responding to their requests as it attempts to check

their identities, or they could alike acquaintance a absolute abridgement of response.

To analyze IDENT issues, set logging to the debugging level. Once that is

turned on, you will see denied TCP attempts to anchorage 113 attempts.To get around

this issue, you accept the afterward choices:

1. You can acquaintance the ambassador of the server alive IDENTD and

have it angry off. However, you will accept to do this for anniversary server that

has this problem.

2. You can canyon IDENT cartage through your firewall unmolested by permitting

it with admission lists or conduits.This would canyon centralized network

details to the outside, which can accommodation security.

3. Another (the recommended) band-aid is to use the account resetinbound

command.This command sends a TCP displace (RST) to the IDENT

server, which about tells it that the applicant does not abutment IDENT.

Upon accepting that reset, the server provides the requested account to

the user. Once this command is entered, the PIX firewall starts sending

resets to cartage not acceptable by the aegis action rather than dropping

it silently and causing the user to acquire a time penalty.

www.syngress.com

614 Affiliate 10 • Troubleshooting and Achievement Monitoring

Summary

This affiliate alien a troubleshooting alignment based on the OSI

model. Application this approach, you alpha at the everyman layers and appointment up the stack.

Doing this enables you to annihilate lower (and about simpler) band causes

before absorption efforts on college (and about added complex) band aspects of

PIX firewall troubleshooting.

Knowledge is power! Knowing the assorted models of PIX firewalls and their

capabilities is acutely important to troubleshooting. Assertive models of the PIX

firewall, such as archetypal 501 and 506, do not abutment failover. Knowing such

details would anticipate you from crumbling your time attempting to break problems

with appearance not accurate on a accurate model. Added advantageous advice to

know about the PIX firewall includes the cardinal of accurate admission as

well as the cardinal and types of NICs accurate (such as Token Ring and

Ethernet).

Although the PIX firewall supports a bound cardinal of arrangement types,

familiarity with the cables acclimated to affix to those networks can be a advantageous asset

to troubleshooting.The PIX firewall uses accepted TA586A/B base schemes for

10/100 Ethernet, and SC multimode cilia optic cables for Gigabit Ethernet.The

failover cable is an instance of a specialized action fabricated accessible by adhering to

a acrimonious Cisco proprietary base scheme.

In adjustment for the PIX firewall to achieve its function, it charge be able to

service its centralized networks as able-bodied as apperceive how to advanced cartage to the appropriate

destination.This is fabricated accessible application a changeless routes or RIP.You charge to

be able to troubleshoot and boldness reachability issues to accredit the PIX firewall

to achieve its job.

Translation is appropriate for accouterment connectivity through the PIX firewall.

Your troubleshooting toolbox includes abounding Cisco commands such as appearance xlate,

show nat, and appearance global, all acclimated to assay adaptation configurations and operations.

Ensure that you achieve bright xlate a consistently accomplished footfall in your troubleshooting,

especially afterwards authoritative agreement changes.

Other connectivity issues you charge to troubleshoot absorb ensuring that

only the able admission is accepted to assertive alien networks.You can use commands

such as appearance conduit, appearance access-list, and appearance access-group to validate what

access is granted.

IPsec is apparently one of the best circuitous appearance you will anytime configure

on the PIX firewall.The troubleshooting is appropriately complex. In this chapter, we

covered several of the best analytical commands accessible for acceptance IPsec

www.syngress.com

Troubleshooting and Achievement Ecology • Affiliate 10 615

operation.When troubleshooting, bisect your efforts to accredit bigger focus by

first troubleshooting and absolute IKE issues, again absorption on IPsec. IPsec

depends on IKE, but IKE does not charge IPsec to achieve its functions.

With the accession of PIX adaptation 6.2, Cisco has provided a advantageous packet

capture and assay apparatus in the anatomy of the abduction command.This command

allows you to troubleshoot networks accidentally by enabling the abduction and

analysis of networks affiliated to the PIX firewall.This reduces the charge to

install a third-party accessory on the ambition arrangement to access advice about it.

The best troubleshooting convenance is proactive ecology to ascertain problems

before they become unmanageable.You can achieve this proactive accompaniment by

gathering achievement abstracts about assorted aspects of your PIX firewall such as

CPU performance, anamnesis consumption, and arrangement bandwidth utilization

statistics.

Solutions Fast Track

Troubleshooting Accouterments and Cabling

Use the OSI archetypal to adviser your troubleshooting efforts, starting with

Layer 1 (the concrete layer) and alive your way up.

There are several models of the PIX firewall, starting with the fixed

configuration 501 up to the accepted top-of-the-line model, the

configurable 535. In addition, a Firewall Services Module (FWSM) is

available for the Catalyst 6500 alternation switches.

Ecology the PIX firewall POST can accommodate admired information

about the accouterments that is installed.

The appearance interface command provides actual advantageous statistics about network

interfaces, which can accommodate clues about arrangement malfunctions.

The PIX firewall uses the TA586A/B base accepted for connectivity

to 10/100 Ethernet networks. Gigabit Ethernet networks affix to the

PIX firewall via SC multimode cilia optic cables.

www.syngress.com

616 Affiliate 10 • Troubleshooting and Achievement Monitoring

Troubleshooting Connectivity

Like any arrangement device, the PIX firewall charge apperceive how to ability its

destinations.

The PIX firewall can use changeless routes or RIP.

The acquisition troubleshooting action is agnate to the accomplish that you

would achieve on a router (checking acquisition tables, acceptance next-hop

reachability, and so on).

IP abode appointment should be one of the aboriginal items that is arrested for

correctness afore any added item.

Back adaptation agreement has as abundant aftereffect on connectivity as

routing, you charge to apperceive how to validate it.

Troubleshooting IPsec

IPsec troubleshooting needs to be actual methodical due to its complexity.

Validate IKE aboriginal afore attempting to accouterment IPsec itself, back IPsec

depends on IKE for its operation.

The appearance isakmp command can accord a quick snapshot of IKE

configuration on the firewall, enabling you to assay the ambit for

correctness.

The appearance crypto ipsec command with baddest keywords can accredit you to

check assorted aspects of IPsec, such as its aegis associations and

transform sets.

Capturing Traffic

Cisco alien the abduction command in PIX adaptation 6.2.

This command enables you to accidentally abduction packets of networks

connected to the PIX firewall.

Captured packets can be beheld on the console, beheld or downloaded

from a Web browser, or downloaded to a workstation via TFTP for

analysis by third-party software such as tcpdump.

www.syngress.com

Troubleshooting and Achievement Ecology • Affiliate 10 617

Monitoring and Troubleshooting Performance

Proactive ecology can anticipate problems from becoming

unmanageable.

CPU achievement and anamnesis burning can be indicators of

problems.

The appearance processes command can advice analyze the processes that are

running and the ones that could be arresting added PIX firewall

resources than they should.

Q: Which PIX firewall models abutment Gigabit Ethernet?

A: 525 and 535.

Q: I doubtable a key conflict amid my IKE peers.What can I do to verify

that?

A: You can assay syslog messages, which will affectation advice about

these types of errors.You can additionally use appearance crypto isakmp and appearance the

configuration.

Q: What is the latest adaptation of PIX software that supports Token Ring and

FDDI interfaces?

A: Adaptation 5.3. versions afterwards that accept no abutment for Token Ring or FDDI.

Q: How do I actuate how abundant anamnesis is installed on my PIX firewall?

A: Use either the appearance adaptation command or the appearance anamnesis command.

www.syngress.com

Frequently Asked Questions

The afterward Frequently Asked Questions, answered by the authors of this book,

are advised to both admeasurement your compassionate of the concepts presented in

this affiliate and to abetment you with real-life accomplishing of these concepts. To

have your questions about this affiliate answered by the author, browse to

www.syngress.com/solutions and bang on the “Ask the Author” form.

618 Affiliate 10 • Troubleshooting and Achievement Monitoring

Q: In a failover configuration, what determines which firewall is alive and

which is standby?

A: The failover cable that Cisco provides is strange, such that one end will cause

the firewall to become the alive in a failover agreement admitting the

other end will become standby.

Q: Where is the agreement book for the PIX firewall stored?

A: It is stored in beam memory. No NVRAM like that is frequently begin on

Cisco routers.

Q: What acquisition protocols does the PIX firewall support?

A: At the time of this writing, alone RIP versions 1 and 2 are supported.