Troubleshoot Connections Through The Pix

Pages: 16 (3842 words) Published: July 8, 2011
Troubleshoot Connections through the PIX and ASA
Document ID: 71871
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Background Information
Problem
Solution
Step 1 - Discover the IP Address of the User
Step 2 - Locate the Cause of the Problem
Step 3 - Confirm and Monitor Application Traffic
What is Next?
Problem: Terminating TCP-Proxy Connection Error Message
Solution
NetPro Discussion Forums - Featured Conversations
Related Information

Introduction
This document provides troubleshooting ideas and suggestions for when you use the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) and the Cisco PIX 500 Series Security Appliance. More often than not, when applications or network sources break or are not available, firewalls (PIX or ASA) tend to be a primary target and are blamed as the cause of outages. With some testing on the ASA or PIX, an administrator can determine whether or not the ASA/PIX causes the problem. Refer to PIX/ASA: Establish and Troubleshoot Connectivity through the Cisco Security Appliance in order to learn more about the interface related troubleshooting on the Cisco security appliances.

Note: This document focuses on the ASA and PIX. Once troubleshooting is complete on the ASA or PIX, it is likely that additional troubleshooting might be necessary with other devices (routers, switches, servers, and so forth).

Prerequisites
Requirements
There are no specific requirements for this document.

Components Used
The information in this document is based on Cisco ASA 5510 with OS 7.2.1. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products
This document can also be used with these hardware and software versions:

  • PIX OS 6.3
  • ASA and PIX OS 7.0 and 7.1
  • Firewall Services Module (FWSM) 2.2, 2.3, and 3.1

Note: Specific commands and syntax can vary between software versions.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Information
The example assumes the ASA or PIX is in production. The ASA/PIX configuration can be relatively simple (only 50 lines of configuration) or complex (hundreds to thousands of configuration lines). Users (clients) or servers can either be on a secure network (inside) or an unsecure network (DMZ or outside).

The ASA starts with this configuration. The configuration is intended to give the lab a reference point.

ASA Initial Configuration

ciscoasa#show running-config
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outside_acl extended permit tcp any host 172.22.1.254 eq www
access-list inside_acl extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
global (outside) 1 172.22.1.253
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.1.100 172.22.1.254 netmask 255.255.255.255
access-group outside_acl in interface outside
access-group inside_acl in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00...
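As an added example (not part of the Cisco document), the Python below evaluates a flow against the access-list and access-group lines of the initial configuration above, using first-match order and the implicit deny, to show offline whether an interface ACL alone would block a connection. The names CONFIG, PORTS, parse and check are hypothetical; it handles only the ACL forms that appear in this configuration and does not model NAT, inspection or routing.

```python
import ipaddress

# The access-list and access-group lines from the initial configuration above.
CONFIG = """\
access-list outside_acl extended permit tcp any host 172.22.1.254 eq www
access-list inside_acl extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq telnet
access-group outside_acl in interface outside
access-group inside_acl in interface inside
"""
PORTS = {"www": 80, "telnet": 23}  # only the port names this configuration uses

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    word = tok.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{word}/{tok.pop(0)}")

def parse(config):
    """Return ({acl: [rule, ...]}, {interface: acl}) for inbound access-groups."""
    acls, bound = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:3] == ["extended"]:
            name, action, proto = tok[1], tok[3], tok[4]
            rest = tok[5:]
            src, dst = _addr(rest), _addr(rest)
            port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port, line))
        elif tok[:1] == ["access-group"] and tok[2:3] == ["in"]:
            bound[tok[4]] = tok[1]
    return acls, bound

def check(config, interface, proto, src, dst, dport=None):
    """First matching line decides; no match is the implicit deny."""
    acls, bound = parse(config)
    if interface not in bound:  # e.g. dmz here: no inbound ACL is applied
        return "no-acl", "no access-group on this interface; security levels apply"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcnet, dstnet, port, line in acls[bound[interface]]:
        if p in (proto, "ip") and s in srcnet and d in dstnet and port in (None, dport):
            return action, line
    return "deny", "implicit deny (no line matched)"
```

For instance, `check(CONFIG, "inside", "tcp", "192.168.1.50", "172.22.1.1", 443)` returns the implicit deny, because inside_acl permits only ICMP, www and telnet from 192.168.1.0/24; the host addresses in that call are constructed.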