Cisco Support Community


how to know pix firewall is working

Dear sir,

How can I know that the firewall is working? What are the commands?

2 REPLIES

Re: how to know pix firewall is working

Hi Mukhtar,

It depends on what kind of verification you need, e.g. testing inbound access, Internet access from the internal network, VPN, PIX management access and so on.

But basically, the test should be performed to test your security policy (using ACLs), network/traffic connectivity and reachability.

a. From Outside/DMZ to Inside:

- Perform a PING test for your ICMP rule: ping the public IP of your internal server that you statically map using the "static (inside,outside)" command.

- Perform an ACL test using the "show access-list" command, and check the hitcount at the end of every ACL line. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.

You should see some numbers.

- Simulate access, e.g. web access to your internal server via its public IP.

- Issue the "show conn" command to check all established TCP/UDP connections.

* show conn | i / , e.g. "show conn | i 80", "show conn | i ". The 'i' means include.

b. From Inside to Outside/DMZ:

- Perform a PING test from any permitted internal host to any external IP to test the ICMP rule.

- Perform an ACL test using the "show access-list" command to see if the ACLs have hitcounts. Check also the deny statement where this ACL should deny unauthorized access by IP and/or service ports.

- Issue the "show conn" command as above.

- Ping from the PIX to test routing and reachability to other Layer 3 devices, segments or hosts.

Rgds,

AK


Re: how to know pix firewall is working

Hi,

That depends on your requirement. If you want to know about services like NAT and VPN, it's easy using show commands like

sh xlate

sh crypto isakmp sa

But if you want to check the firewall features like traffic blocking, content filtering etc., it's better to try using the applications.

Regards

Manoj
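Worked example, added to this thread and not posted by either replier or taken from Cisco: a small Python script that does offline what AK's checklist (hitcounts in "show access-list", established connections in "show conn") and Manoj's "sh xlate" hint describe, so the checks can be repeated against saved output rather than eyeballed. The three command outputs embedded below are constructed samples using RFC 5737 documentation addresses and made-up hitcounts, not captures from a real PIX; the ACL name, hosts and ports are assumptions for the illustration.

```python
"""Sanity-check saved PIX 'show' output: flag permit lines that have never
matched, confirm the deny line is catching traffic, count established
connections per inside port, and cross-check permitted inbound hosts
against the static translations in 'show xlate'."""
import re
from collections import Counter

# Constructed sample of 'show access-list' output (not from a real device).
SHOW_ACCESS_LIST = """\
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=1532)
access-list outside_access_in line 2 extended permit icmp any host 203.0.113.10 echo (hitcnt=41)
access-list outside_access_in line 3 extended permit tcp any host 203.0.113.11 eq smtp (hitcnt=0)
access-list outside_access_in line 4 extended deny ip any any (hitcnt=9712)
"""

# Constructed sample of 'show conn' output.
SHOW_CONN = """\
3 in use, 12 most used
TCP out 198.51.100.5:51234 in 10.1.1.10:80 idle 0:00:05 Bytes 1834 flags UIO
TCP out 198.51.100.8:40211 in 10.1.1.10:80 idle 0:00:12 Bytes 922 flags UIO
UDP out 198.51.100.20:53 in 10.1.1.50:1025 idle 0:00:01 flags -
"""

# Constructed sample of 'show xlate' output: one static, one PAT entry.
SHOW_XLATE = """\
2 in use, 5 most used
Global 203.0.113.10 Local 10.1.1.10
PAT Global 203.0.113.1(1024) Local 10.1.1.50(1025)
"""

# 'extended' is optional so the pattern also fits older PIX 6.x output.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?"
    r"(?P<action>permit|deny) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out [\d.]+:\d+ in (?P<in_ip>[\d.]+):(?P<in_port>\d+)"
)
# Anchored at 'Global' so 'PAT Global ...' lines are excluded.
STATIC_RE = re.compile(r"^Global (?P<global>[\d.]+) Local (?P<local>[\d.]+)$")
HOST_RE = re.compile(r"host (?P<ip>[\d.]+)")


def parse_access_list(text):
    """One dict per ACE that carries a hitcount; summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            e = m.groupdict()
            e["line"], e["hits"] = int(e["line"]), int(e["hits"])
            entries.append(e)
    return entries


def unused_permits(entries):
    """Permit lines with hitcnt=0: either nobody has used the service yet
    (test it with a real client) or the line never sees traffic, e.g. it is
    shadowed by an earlier ACE or applied to the wrong interface."""
    return [e for e in entries if e["action"] == "permit" and e["hits"] == 0]


def deny_hits(entries):
    """Total hits on deny lines; non-zero means the PIX is actually blocking."""
    return sum(e["hits"] for e in entries if e["action"] == "deny")


def conns_by_inside_port(text):
    """Count established connections keyed by (protocol, inside port)."""
    counts = Counter()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            counts[(m["proto"], int(m["in_port"]))] += 1
    return dict(counts)


def static_xlates(text):
    """Map global (public) address -> local address for static translations."""
    return {m["global"]: m["local"]
            for m in map(STATIC_RE.match, text.splitlines()) if m}


def permits_without_static(entries, xlates):
    """Permit lines whose destination host has no static translation. The
    last 'host' keyword in the rule is taken as the destination, which holds
    for the 'any -> host' rules used in the sample."""
    missing = []
    for e in entries:
        hosts = HOST_RE.findall(e["rule"])
        if e["action"] == "permit" and hosts and hosts[-1] not in xlates:
            missing.append(e)
    return missing


if __name__ == "__main__":
    aces = parse_access_list(SHOW_ACCESS_LIST)
    for e in unused_permits(aces):
        print(f"line {e['line']} never matched: {e['rule']}")
    print("deny hits:", deny_hits(aces))
    print("connections per inside port:", conns_by_inside_port(SHOW_CONN))
    for e in permits_without_static(aces, static_xlates(SHOW_XLATE)):
        print(f"line {e['line']} has no static xlate for its host: {e['rule']}")
```

Capture the three commands with terminal logging (or "show" piped through your session log), paste them into the constants or read them from files, and run the script after each test in AK's list: a permit line that stays at hitcnt=0 after you have simulated the access, or a deny line that never increments, is the sign that something in the path (static, ACL placement, routing) is not doing what you expect.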
