Summary


This chapter introduced a troubleshooting methodology based on the OSI model. Using this approach, you start at the lowest layers and work up the stack. Doing this enables you to eliminate lower (and typically simpler) layer causes before focusing efforts on higher (and typically more complex) layer aspects of PIX firewall troubleshooting.

Knowledge is power! Knowing the various models of PIX firewalls and their capabilities is extremely important to troubleshooting. Certain models of the PIX firewall, such as models 501 and 506, do not support failover. Knowing such details would prevent you from wasting your time attempting to solve problems with features not supported on a particular model. Other useful information to know about the PIX firewall includes the number of supported connections as well as the number and types of NICs supported (such as Token Ring and Ethernet).

Although the PIX firewall supports a limited number of network types, familiarity with the cables used to connect to those networks is a useful troubleshooting asset. The PIX firewall uses the standard TIA/EIA-568A/B (T568A/B) wiring schemes for 10/100 Ethernet, and SC-terminated multimode fiber optic cables for Gigabit Ethernet. The serial failover cable is the exception: it is a Cisco proprietary cable with its own pinout and labeled Primary and Secondary ends, and a generic serial cable will not work in its place.

In order for the PIX firewall to perform its function, it must be able to reach its internal networks and know how to forward traffic toward every destination it is expected to serve. This is accomplished with static routes or RIP. A packet the PIX cannot route never gets as far as translation or access control, so you need to be able to troubleshoot and resolve reachability issues before looking at the higher layers.

Translation is required for providing connectivity through the PIX firewall. Your troubleshooting toolbox includes Cisco commands such as show xlate, show nat, and show global, all used to check translation configuration and operation. Make clear xlate a regularly executed step in your troubleshooting, especially after changing nat, global, or static statements, because existing translations are not rebuilt automatically. Be aware of the cost: clear xlate discards every active translation and the connections riding on it, so schedule it accordingly on a production firewall.

Other connectivity issues you need to troubleshoot involve ensuring that only the intended traffic is permitted between interfaces, in particular from external networks inward. You can use commands such as show conduit, show access-list, and show access-group to validate what access is granted and, via the hit counts in show access-list, whether packets are actually reaching a given entry. Where both conduits and an access-list exist on the same interface, the access-list takes precedence.
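The command sequence below is an added example for the translation and access-control checks described above; it is not taken from the book. It assumes a PIX 6.x with an inside network of 10.1.1.0/24 behind a single PAT address 192.0.2.1, an inside web server 10.1.1.20 published as 192.0.2.20, and interface names inside and outside. Lines beginning with ! are annotations for the reader.

```cisco
! --- Translation ---
! Assumed configuration (example): inside hosts are PAT'ed to 192.0.2.1,
! and the web server gets a one-to-one static translation.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.1
static (inside,outside) 192.0.2.20 10.1.1.20 netmask 255.255.255.255

! 1. The nat and global statements must share the same ID (1 here) and
!    the global must be bound to the interface the traffic leaves on.
show nat
show global

! 2. Flush the translation table so the new rules take effect. This also
!    tears down every connection that depended on an old translation.
clear xlate

! 3. Send traffic from an inside host, then confirm a translation was
!    built. No entry means the packet never matched a nat/static rule,
!    or was dropped earlier (routing, or the inbound access-list).
show xlate
show conn

! --- Access control ---
! Inbound traffic from outside is denied unless permitted. On PIX 6.x the
! access-list on the outside interface names the translated (global)
! address, not the real inside address.
access-list outside_in permit tcp any host 192.0.2.20 eq 80
access-group outside_in in interface outside

! 4. Check which list is bound where, and whether its hit counts move
!    when the client retries. A zero hit count on the permit line means
!    the packet is being lost before the ACL or is matching another entry.
show access-group
show access-list

! 5. Legacy conduits are ignored on an interface that has an access-group;
!    list them so you know they are not the reason a flow is passing.
show conduit
```

The order matters: check the route first (show route), then translation, then the access-list. Each stage only sees packets the previous one let through, so a zero hit count on the access-list does not by itself mean the ACL is at fault.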

IPsec is probably one of the most complex features you will ever configure on the PIX firewall, and troubleshooting it is equally complex. In this chapter, we covered several of the most critical commands available for validating IPsec operation. When troubleshooting, divide your efforts to enable better focus: first troubleshoot and resolve IKE (Phase 1) issues, and only then look at IPsec (Phase 2). IPsec depends on IKE to negotiate its security associations, but IKE does not need IPsec to perform its functions, so an IKE failure must be fixed before any IPsec symptom is meaningful.
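The sequence below is an added example of the IKE-first, IPsec-second approach; it is not from the book. It assumes a PIX 6.x with a site-to-site IKE/IPsec tunnel already configured and a peer address of 203.0.113.2, used here only to identify the tunnel in the output. Lines beginning with ! are annotations.

```cisco
! --- Phase 1 (IKE) ---
! Is IKE enabled on the outside interface and is the policy what the
! peer expects (encryption, hash, authentication, DH group, lifetime)?
show isakmp
show isakmp policy

! Does an IKE SA to 203.0.113.2 exist, and is it fully established?
! A missing SA with interesting traffic flowing points at reachability
! (UDP/500 blocked), a policy mismatch or a wrong pre-shared key.
show isakmp sa

! If IKE will not come up, debug only long enough to see the failing
! exchange; the output is verbose on a busy firewall.
debug crypto isakmp
no debug crypto isakmp

! --- Phase 2 (IPsec), only after Phase 1 is up ---
! Confirm the crypto map has the right peer, transform set and
! match address list, and that the proxy identities on both sides mirror.
show crypto map

! Do IPsec SAs exist for the expected local/remote identities, and do
! the encaps/decaps counters both increase? Encaps rising with decaps
! flat means the peer is not returning traffic or the return path is wrong.
show crypto ipsec sa
debug crypto ipsec
no debug crypto ipsec

! After changing IKE or IPsec parameters, clear the stale SAs and let
! interesting traffic renegotiate them. Clear IPsec before IKE so the
! tunnel is rebuilt cleanly rather than half torn down.
clear ipsec sa
clear isakmp sa
```

Keep the two phases separate in your notes as well as in your commands: a transform-set or access-list mismatch shows up in the Phase 2 output, never in show isakmp sa, and chasing it while Phase 1 is still failing wastes time.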

With the introduction of PIX v6.2, Cisco has provided a useful packet capture tool in the form of the capture command. It captures packets on any PIX interface into a memory buffer, optionally filtered by an access-list, and lets you inspect them on the firewall or export them in pcap format for a protocol analyzer. This allows you to troubleshoot networks remotely and reduces the need to install a third-party sniffer on the target network to obtain information about it.
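The following is an added example of the capture command in use, not taken from the book; it assumes PIX 6.2 or later, an inside client 10.1.1.5 that is PAT'ed to 192.0.2.1, an external web server 192.0.2.10, and a TFTP server 10.1.1.100 on the inside. Lines beginning with ! are annotations.

```cisco
! Filter the capture with an access-list so the buffer holds only the flow
! under test. The list matches packets, not connections, so both
! directions must be permitted or you will only see one half of the talk.
access-list cap_in permit tcp host 10.1.1.5 host 192.0.2.10 eq 80
access-list cap_in permit tcp host 192.0.2.10 eq 80 host 10.1.1.5

! Start capturing on the inside interface. packet-length raises the
! default snap length (68 bytes) so whole frames are kept; buffer is in
! bytes of RAM and the capture stops silently when it is full.
capture web_in access-list cap_in interface inside buffer 512000 packet-length 1518

! Capture the same flow on the outside interface. Here the client appears
! as its translated address, which is how you prove the PAT is happening.
access-list cap_out permit tcp host 192.0.2.1 host 192.0.2.10 eq 80
access-list cap_out permit tcp host 192.0.2.10 eq 80 host 192.0.2.1
capture web_out access-list cap_out interface outside buffer 512000 packet-length 1518

! Reproduce the problem from 10.1.1.5, then look at both buffers. A SYN
! in web_in with nothing in web_out means the packet died inside the PIX
! (routing, translation or access-list); a SYN in web_out with no reply
! means the problem is beyond the firewall.
show capture web_in
show capture web_out

! Export for a full analyzer, then remove the captures to free the RAM.
copy capture:web_in tftp://10.1.1.100/web_in.pcap pcap
copy capture:web_out tftp://10.1.1.100/web_out.pcap pcap
no capture web_in
no capture web_out
```

Capturing on both sides of the firewall at once is the single most useful habit here: the difference between the two buffers is exactly what the PIX did to the packet.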

The best troubleshooting practice is proactive monitoring to detect problems before they become unmanageable. You can accomplish this proactive state by gathering performance data about various aspects of your PIX firewall, such as CPU utilization (show cpu usage), memory consumption (show memory), and interface and bandwidth statistics (show interface, show traffic), and establishing a baseline so that deviations stand out.

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003