Disabling The Test Configuration - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 43
Troubleshooting the Security Appliance
hostname(config-cmap)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# service-policy ICMP-POLICY global
Alternatively, you can also apply the ICMP access list to the destination interface to allow ICMP traffic
back through the security appliance.
Step 4
Ping from the host or router through the source interface to another host or router on another interface.
Repeat this step for as many interface pairs as you want to check.
If the ping succeeds, a system log message appears to confirm the address translation for routed mode
(305009 or 305011) and that an ICMP connection was established (302020). You can also enter either
the show xlate or show conns command to view this information.
If the ping fails for transparent mode, contact Cisco TAC.
For routed mode, the ping might fail because NAT is not configured correctly (see
failure is more likely to occur if you enable NAT control. In this case, a system log message appears,
showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host,
and you do not have a static translation (required with NAT control), the following system log message
appears: "106010: deny inbound icmp."
Note
Figure 43-5
Host
Disabling the Test Configuration
After you complete your testing, disable the test configuration that allows ICMP to and through the
security appliance and that prints debug messages. If you leave this configuration in place, it can pose a
serious security risk. Debug messages also slow the security appliance performance.
To disable the test configuration, perform the following steps:
Step 1
To disable ICMP debug messages, enter the following command:
hostname(config)# no debug icmp trace
To disable logging, if desired, enter the following command:
Step 2
hostname(config)# no logging on
To remove the ICMPACL access list, and delete the related access-group commands, enter the following
Step 3
command:
hostname(config)# no access-list ICMPACL
OL-12172-03
The security appliance only shows ICMP debug messages for pings to the security appliance
interfaces, and not for pings through the security appliance to other hosts.
Ping Failure Because the Security Appliance is not Translating Addresses
Ping
Router
Security
Router
Appliance
Cisco Security Appliance Command Line Configuration Guide
Testing Your Configuration
Figure
43-5). This
Host
43-5
Advertisement
Table of Contents
Troubleshooting
