Hi Mukhtar,

It depends on what kind of verification you need, e.g testing inbound access, internet access from internal network, VPN, pix management access and so on.

But basically, the test should be performed to test your security policy (using ACL), network/traffic connectivity and reachability.

a. From Outside/DMZ to Inside:

- Perform PING test for your ICMP rule ping public IP of your internal server that you statically mapping using “static (inside,outside)” command.

- Perform ACL test using ‘show access-list” command, and check the hitcount at the end of every ACL line. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.

You should see some numbers.

- Simulate access, e.g web access to your internal server vi aits public IP.

- Issue ‘show conn” command to check all establish TCP/UDP connections.

* show conn | i / , e.g "show conn | i 80", "show conn | i ". The 'i' means include.

a. From Inside to Outside/DMZ

- Perform PING test from any permitted internal host to any external IP – test ICMP rule

- Perform ACL test using ‘show access-list” command to see if the ACLs had hitcount. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.

- Issue similar the ‘show conn” command above.

- Ping from PIX to test routing and reachability to other Layer3 devices, segments or host.

Rgds,

AK