Showing PIX traffic

Hi there,

I've had situations where I'm troubleshooting the pix firewall in terms of someone trying to connect from the outside. The problem I have is, I don't know of an easy command on the PIX that could tell me the source of a certain connection and if the connection is allowed or denied.

I know I can use "show access-list" to show hit counts, but what's a command I can type to show a destination address (on my side), who's trying to hit it (from the outside), and if the traffic was allowed or denied without leaving the console?

This may seem like a basic question... but I'd really appreciate it if someone can help me out here. Haven't been able to find anything on the internet on that except for syslogs, which give me "too much information" (so, ends up being no help at all). I'm using version 6.3(4). Thanks in advance!

Jon Doe

There isn't one. But you can get the 2/3 of that by using 'capture' with an appropriate ACL.

You can use syslog and set all the -other- elements in the ACL to be marked "log disable". Or you can use syslog and post-filter the output to search for the destination you are interested in.

Walter Roberson

Thanks for your reply. I did use 'capture' and at least I could see packets, but I guess there's no way to see whether it was allowed or denied.

Jon Doe

If you ran captures against both interfaces, then if you see the packet in both capture logs (after appropriate nat'ing) then it was allowed ;-)

Walter Roberson

Try show conn

Newbie72

To solve what problem? The previous postings may be immediately visible to you via googlegroups, but they aren't immediately visible to the regulars here who use real newsreaders.

Perhaps you are referring to the following:

If so then you should be aware that "show conn" only shows -current- connections, and does not show -previous- connections nor denied connections. "show conn" is thus not adequate to track particular incidents from the console.

"logging buffer debug" together with "show log" get you into the right ballpark, in that the recorded log entries would include the Built or Deny connection messages, but that log is not very big and the entries quickly disappear if you have more than a trickle of traffic.

"logging trap debug" and "logging host IP" allow you to put up a syslog server on which you could look at historical information, but that doesn't meet the requirement for "from the console." The logging information also does not tell you anything about bandwidth usage.

The only PIX facility that combines the ability to snapshot information and examine it from the console at will, is the "capture" command -- and even then you have to -deduce- what happened rather than having some kind of transactional annotation per packet.

Walter Roberson
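Walter's two suggestions above (post-filter the syslog output for the destination you care about, and look for the Built/Deny messages) can be combined in a small script. The following is an added example, not code from the thread or from Cisco: it reads PIX 6.x-style syslog lines, classifies each as allowed (302013 Built) or denied (106023 ACL deny, 106001 implicit deny) and keeps only the ones aimed at a given host. The message formats are written from my reading of the PIX 6.x syslog documentation, and the log lines are constructed samples using RFC 5737 addresses; whether a given message logs the real (inside) or the mapped (global) address depends on where in the NAT path the decision was made, so the filter accepts a set of addresses for the host rather than one.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    verdict: str            # "allowed" or "denied"
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    mapped_dst: Optional[str]   # mapped (global) destination when the message carries one
    detail: str             # direction, ACL name, or TCP flags


# Patterns for the three PIX message IDs this filter understands (assumed formats,
# based on the PIX 6.x syslog documentation; check them against your own output).
BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\)"
    r" to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<xdst>[\d.]+)/\d+\)"
)
DENY_ACL_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
DENY_IMPLICIT_RE = re.compile(
    r"%PIX-2-106001: Inbound (?P<proto>TCP) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface \w+"
)


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, or None for messages we do not track
    (Teardown, translation, etc.). search() is used so the syslog timestamp and
    hostname prefix do not matter."""
    m = BUILT_RE.search(line)
    if m:
        return Event("allowed", m["proto"].lower(), m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), m["xdst"], m["dir"])
    m = DENY_ACL_RE.search(line)
    if m:
        return Event("denied", m["proto"].lower(), m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), None, "acl " + m["acl"])
    m = DENY_IMPLICIT_RE.search(line)
    if m:
        return Event("denied", m["proto"].lower(), m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), None, "flags " + m["flags"])
    return None


def events_for_host(lines: Iterable[str], host_addrs: Set[str]) -> List[Event]:
    """Keep only events whose destination (real or mapped) is one of host_addrs."""
    out = []
    for ev in map(parse_line, lines):
        if ev and (ev.dst in host_addrs or ev.mapped_dst in host_addrs):
            out.append(ev)
    return out


def summarize(events: Iterable[Event]) -> Dict[Tuple[str, str], int]:
    """Count (source address, verdict) pairs: who hit the host and with what result."""
    return dict(Counter((ev.src, ev.verdict) for ev in events))


# Constructed sample log (not real PIX output); 192.0.2.10 is the inside host,
# 198.51.100.10 its mapped global address.
SAMPLE_LOG = """\
Jan 12 10:00:01 pix %PIX-6-302013: Built inbound TCP connection 81234 for outside:203.0.113.5/43210 (203.0.113.5/43210) to inside:192.0.2.10/80 (198.51.100.10/80)
Jan 12 10:00:02 pix %PIX-4-106023: Deny tcp src outside:203.0.113.7/5555 dst inside:192.0.2.10/23 by access-group "outside_access_in"
Jan 12 10:00:03 pix %PIX-2-106001: Inbound TCP connection denied from 203.0.113.8/1234 to 198.51.100.10/22 flags SYN on interface outside
Jan 12 10:00:04 pix %PIX-6-302014: Teardown TCP connection 81234 for outside:203.0.113.5/43210 to inside:192.0.2.10/80 duration 0:00:03 bytes 4567 TCP FINs
Jan 12 10:00:05 pix %PIX-6-302013: Built outbound TCP connection 81235 for inside:192.0.2.20/50000 (198.51.100.20/50000) to outside:203.0.113.9/443 (203.0.113.9/443)
Jan 12 10:00:06 pix %PIX-4-106023: Deny udp src outside:203.0.113.7/9999 dst inside:192.0.2.11/161 by access-group "outside_access_in"
"""


if __name__ == "__main__":
    hits = events_for_host(SAMPLE_LOG.splitlines(), {"192.0.2.10", "198.51.100.10"})
    for ev in hits:
        print(f"{ev.verdict:7} {ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} ({ev.detail})")
    print(summarize(hits))
```

Feed it the output of "show log" (or a syslog server file) on standard input in place of SAMPLE_LOG and it answers the original question for one host: which outside sources reached it and whether each attempt was built or denied. It does not change the caveat Walter raises: the buffer is small, so on a busy box the interesting lines may already be gone by the time you look.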

Geez, never used PIX and now never will. What a hassle just to figure out what's happening.

thefifth