how can i check to see if the traffic is hitting the firewall?

Hi,

There are two ways. Either you check the logs or you configure a packet capture on the firewall.

To check the logs, go into ASDM, under the Monitoring tab and click on Logging. Choose Debugging just to make sure you see everything. You should be able to filter the output by IP address/string.

To configure a capture, in the CLI do:

capture interface

And then do show capture

There are more twists to this, but that should be enough for you to see if the traffic is going to the firewall.

Regards,

Paulo

i ran a logging buffered debug on the PIX - i am ping from 10.10.5.7 to 10.10.5.6.

Jan 17 2008 19:22:05 : %PIX-6-609001: Built local-host inside:10.10.5.6

Jan 17 2008 19:22:05 : %PIX-6-302020: Built ICMP connection for faddr 10.10.5.7/

512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0

Jan 17 2008 19:22:05 : %PIX-6-110001: No route to 10.10.5.6 from 10.10.5.7

Jan 17 2008 19:22:08 : %PIX-6-302021: Teardown ICMP connection for faddr 10.10.5

.7/512 gaddr 10.10.5.6/0 laddr 10.10.5.6/0

Jan 17 2008 19:22:08 : %PIX-6-609002: Teardown local-host inside:10.10.5.6 durat

ion 0:00:02

from a debug icmp trace i get this - on the same pix. i didnt get the replys on the 10.10.5.7 server but this says i did.

ICMP echo reply (len 32 id 512 seq 22785) 10.10.5.6 > 10.10.5.7

ICMP echo reply (len 32 id 512 seq 23041) 10.10.5.6 > 10.10.5.7

ICMP echo reply (len 32 id 512 seq 23297) 10.10.5.6 > 10.10.5.7

could this be related to NAT?

here is a copy of the PIX running config.

hopefully this will help - i did a debug arp on the PIX.

arp-in: request at DMZ1 from 10.10.5.7 0006.5b3c.8901 for 10.10.5.6 0000.0000.00

00

arp-in: rqst for me from 10.10.5.7 for 10.10.5.6, on DMZ1

arp-set: added arp DMZ1 10.10.5.7 0006.5b3c.8901 and updating NPs at -772732892

arp-in: generating reply from 10.10.5.6 0005.5d18.fffb to 10.10.5.7 0006.5b3c.89

01

Hi Jerry,

This is definitely not a problem with the firewall. These two IP addresses are both on the same subnet so the traffic should not be going through the firewall!

Check your switch/VLAN configuration and review why the traffic is going to the firewall and not directly to the host.

HTH,

Paulo

i plan to do a write erase on that switch Monday night. i attached the switch config.

i just ran this on the dmz switch.

the first ping is my laptop to dmz switch - the second is one on the servers in the dmz to the switch.

NOC-DMZ1-2950# debug ip icmp

ICMP packet debugging is on

NOC-DMZ1-2950#term mon

NOC-DMZ1-2950#undebug all

000302: *May 31 00:15:38.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1

.64

000303: *May 31 00:15:39.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1

.64

000304: *May 31 00:15:40.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1

.64

000305: *May 31 00:15:41.966: ICMP: echo reply sent, src 10.10.5.5, dst 172.16.1

.64

All possible debugging has been turned off

NOC-DMZ1-2950#term mon

NOC-DMZ1-2950# debug ip icmp

ICMP packet debugging is on

NOC-DMZ1-2950#

000306: *May 31 00:17:28.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.

7

000307: *May 31 00:17:29.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.

7

000308: *May 31 00:17:30.494: ICMP: echo reply sent, src 10.10.5.5, dst 10.10.5.

7

NOC-DMZ1-2950#undebug all

All possible debugging has been turned off

NOC-DMZ1-2950#

thanks.

i got the two servers to ping each other by entering static arp entrys in each of the dmz servers.

does this mean the switch isnt procesing the arp request properly?

if i look at the arp table on one of the servers it shows all other servers have the dmz interface MAC as there MAC also.

i had to disable proxy arp on the DMZ interface to make it work.

PIX(config)# sysopt noproxyarp DMZ1

thanks for every ones input to help resolve this issue!!!!!!!!!