05-29-2006 12:19 AM - edited 02-21-2020 12:55 AM
dear sir,
how can i know that firewall is working what are commands
05-29-2006 01:41 AM
Hi Mukhtar,
It depends on what kind of verification you need, e.g testing inbound access, internet access from internal network, VPN, pix management access and so on.
But basically, the test should be performed to test your security policy (using ACL), network/traffic connectivity and reachability.
a. From Outside/DMZ to Inside:
- Perform PING test for your ICMP rule: ping the public IP of your internal server that you are statically mapping using the static (inside,outside) command.
- Perform ACL test using show access-list command, and check the hitcount at the end of every ACL line. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.
You should see some numbers.
- Simulate access, e.g. web access to your internal server via its public IP.
- Issue show conn command to check all established TCP/UDP connections.
* show conn | i
b. From Inside to Outside/DMZ
- Perform PING test from any permitted internal host to any external IP to test the ICMP rule.
- Perform ACL test using show access-list command to see if the ACLs had hitcount. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.
- Issue the show conn command similar to the above.
- Ping from PIX to test routing and reachability to other Layer3 devices, segments or host.
Rgds,
AK
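AK's ACL check above comes down to reading the hitcnt at the end of every show access-list line. The script below is an added example (not part of this thread or of any Cisco tool) that parses that output and reports, per ACL, the permit lines that have never matched and the total hits on deny lines. The sample output is constructed here and follows the PIX 7.x/ASA "line N extended ... (hitcnt=N)" format; the regex also accepts the older format without "line N" or "extended".

```python
import re

# Constructed sample of "show access-list" output; not captured from a real device.
SAMPLE_OUTPUT = """\
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=1342)
access-list outside_access_in line 2 extended permit tcp any host 203.0.113.10 eq https (hitcnt=0)
access-list outside_access_in line 3 extended permit icmp any host 203.0.113.10 echo (hitcnt=17)
access-list outside_access_in line 4 extended deny ip any any (hitcnt=509)
access-list inside_access_in; 2 elements
access-list inside_access_in line 1 extended permit ip 10.0.0.0 255.0.0.0 any (hitcnt=88021)
access-list inside_access_in line 2 extended deny ip any any (hitcnt=0)
"""

# One access control entry (ACE). "line N" and "extended" are optional so the
# older PIX 6.x layout parses as well; header lines ("; N elements") do not match.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def parse_access_list(text):
    """Return one dict per ACE, in device order, with the hit counter as an int."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # header line or something we do not understand; skip it
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")) if m.group("line") else None,
            "action": m.group("action"),
            "rule": m.group("rule"),
            "hits": int(m.group("hits")),
        })
    return entries


def summarize(entries):
    """Per-ACL view of what a reviewer looks for: permit lines with zero hits
    (rules nobody uses, so candidates for review) and how much traffic the
    deny lines are actually catching (a final deny with hits is expected)."""
    report = {}
    for e in entries:
        s = report.setdefault(e["acl"], {"entries": 0, "unused_permits": [], "deny_hits": 0})
        s["entries"] += 1
        if e["action"] == "permit" and e["hits"] == 0:
            s["unused_permits"].append(e["rule"])
        if e["action"] == "deny":
            s["deny_hits"] += e["hits"]
    return report


if __name__ == "__main__":
    for acl, s in summarize(parse_access_list(SAMPLE_OUTPUT)).items():
        print(f"{acl}: {s['entries']} entries, deny hits={s['deny_hits']}")
        for rule in s["unused_permits"]:
            print(f"  unused permit: {rule}")
```

Feed it the real output by pasting the show access-list text into SAMPLE_OUTPUT or reading it from a file; an ACL whose permit lines all show zero hits after a test session means the test traffic is not reaching that ACL (wrong interface, NAT or routing) rather than being blocked by it.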
05-29-2006 01:52 AM
Hi,
That depends on your requirement. If you want to know the services like NAT and VPN, it's easy using show commands like
SH XLATE
Sh crypto isakmp sa.
But if you want to check the firewall features like traffic blocking, content filtering etc., it's better to try using the applications.
Regards
Manoj