《PIX_Troubleshooting_Tools》由会员分享,可在线阅读,更多相关《PIX_Troubleshooting_Tools(27页珍藏版)》请在金锄头文库上搜索。
1、PIX防火墙的Troubleshooting工具,Syslog ICMPPacket CaptureShow commandOutput InterpreterPDM/ASDM,什么是Syslog?,记录发生了什么事件?包括流量行为的一系列事件都可以被记录下来。 是一种很好的troubleshooting的工具,尤其是在PIX重启或者crash后。,Log的级别和数目,log级别中包含的具体内容,可参见:http:/ logging可查看目前log的设置情况。,配置和使用Syslog,Pix(config)#logging host inside 10.1.15Pix(config)#logg
2、ing trap 3Pix(config)#logging buffered 1Pix(config)#logging onPix(config)#logging monitor 4,定义log server,发送到log server的级别(错误),存储在PIX内部buffer的级别(alerts),启用log,发送到Telnet/SSH的级别(warnning),如何修改Syslog消息的级别,用途:想收到某个消息,但不想收到这个消息同级别其他无用的消息命令语法:no logging message level 将Syslog message 111009的级别由7级修改到3级(error
3、) Pix(config)#logging message 111009 level 3 或者 Pix(config)#logging message 111009 level error用no命令恢复,PIX Troubleshooting工具之二ping,最常用的工具之一,可判断: 路由的可达性 NAT设置是否正确 相关命令:debug icmp trace,在6.3以下版本,可用undebug all,PIX Troubleshooting工具之三Packet Capture,举例:access-list cisco_test permit ip host 211.91.211.54 h
4、ost 61.242.223.17 access-list cisco_test permit ip host 61.242.223.17 host 211.91.211.54capture in_cap interface inside access-list cisco_test capture out_cap interface outside access-list cisco_testshow capture show capture in_cap detail show capture out_cap detailhttps:/61.242.223.252/capture/in_c
5、ap/pcap https:/61.242.223.252/capture/out_cap/pcap 注意:确保PIX上启用了http server。,PIX Troubleshooting工具之三Packet Capture,命令语法: capture capture_name type asp-drop drop-code | raw-data | isakmp | webvpn user webvpn-user url url access-list access_list_name buffer buf_size ethernet-type type interface interfa
6、ce_name packet-length bytes circular-buffertrace trace_count 在版本6.2中首次出现。 可捕获在ACL中匹配的包。 可用sniffer软件,如Iris,ethereal,sniffer等打开。 保存在内存中,缺省512kb,当buffer满的时候会自动停止。关键步骤: 在ACL定义感兴趣的数据流。 将ACL应用到目标接口。,PIX Troubleshooting工具之三Packet Capture,PIX Troubleshooting工具之四show command,Show connect和show connect detail,
7、pix#sh conn 1514 in use, 66418 most used TCP out 210.72.32.92:4826 in 10.6.99.97:1433 idle 0:00:15 Bytes 4454 flags UIOB TCP out 210.72.32.92:4825 in 10.6.99.97:1433 idle 0:00:29 Bytes 4453 flags UIOBpix#sh conn det 1521 in use, 66418 most used Flags: A - awaiting inside ACK to SYN, a - awaiting out
8、side ACK to SYN,B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,E - outside back connection, F - outside FIN, f - inside FIN,G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete,k - Skinny media, M - SMTP data, m - SIP media, O - outbound data,P - inside ba
9、ck connection, q - SQL*Net data, R - outside acknowledged FIN,R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,s - awaiting outside SYN, T - SIP, t - SIP transient, U - up TCP dmz:210.72.32.92/4826 inside:10.6.99.97/1433 flags UIOB TCP dmz:210.72.32.92/4825 inside:10.6.99.97/1433 fl
10、ags UIOB显示当前连接情况。,Show xlate和show xlate detail,pix#sh xlate 861 in use, 8295 most used Global 210.72.33.20 Local 210.72.33.20 Global 219.235.129.18 Local 10.6.99.158 Global 210.72.32.178 Local 210.72.32.178pix#sh xlate det 873 in use, 8295 most used Flags: D - DNS, d - dump, I - identity, i - inside
11、, n - no random,o - outside, r - portmap, s - static NAT from dmz:210.72.33.20 to outside:210.72.33.20 flags s NAT from inside:10.6.99.158 to outside:219.235.129.18 flags s显示当前NAT转换情况。,Show cpu usage,pix#show cpu usage CPU utilization for 5 seconds = 2%; 1 minute: 2%; 5 minutes: 2%显示当前CPU利用情况。,Show
12、traffic,pix#sh traffic outside:received (in 2.890 secs):0 packets 189971 bytes0 pkts/sec 65733 bytes/sectransmitted (in 2.890 secs):0 packets 2914252 bytes0 pkts/sec 1008391 bytes/sec inside:received (in 2.890 secs):0 packets 2627283 bytes0 pkts/sec 909094 bytes/sectransmitted (in 2.890 secs):0 pack
13、ets 170788 bytes0 pkts/sec 59096 bytes/sec dmz:received (in 2.890 secs):0 packets 305187 bytes0 pkts/sec 105601 bytes/sectransmitted (in 2.890 secs):0 packets 23331 bytes0 pkts/sec 8073 bytes/sec,显示在PIX各个接口的流量情况,出、入包和字节数等。,Show local-host,pix#sh local-host Interface dmz: 282 active, 282 maximum acti
14、ve, 0 denied local host: ,TCP connection count/limit = 0/unlimitedTCP embryonic count = 0TCP intercept watermark = unlimitedUDP connection count/limit = 0/unlimitedAAA:Xlate(s):Global 210.72.33.20 Local 210.72.33.20Conn(s):显示本地主机的TCP、UDP连接和NAT情况。,Show tech-support,Show version Show clock Show memory
15、 Show conn count Show xlate count Show blocks Show interface Show cpu usage Show process Show failover Show traffic Show perform Show running-config,PIX Troubleshooting工具之五输出解释器,帮助分析输出结果中的错误。 需要CCO帐号。 https:/ Troubleshooting工具之五输出解释器,PIX Troubleshooting工具之六PDM/ASDM,可通过图形化的管理工具,更直观地监测到如CPU、内存、接口带宽等一些
16、动态参数的运行趋势。可结合CLI进行维护。 也可参照Ciscoworks 2000的相关安全管理工具。,PIX 调试中的问题应用不能正常使用,检查: Permissions:安全策略设置是否正确 Translation:地址翻译设置是否正确。Static和NAT语句,global语句 Routing:路由表是否正确强烈建议:在PIX的安全策略、接口、路由,甚至配置改动的时候,尽可能在条件允许的情况下使用clear xlate、clear arp、clear local-host清除原有的xlate、arp和连接!,PIX Troubleshooting案例分析,问题现象: 用户不能正常访问Internet。 新连接不能正常使用。 原有连接可正常使用。分析过程: 第一步:检查Syslog %PIX-3-211001:Memory allocation Error %PIX-3-211001:Memory allocation Error 第二步:检查可用内存 Hardware: PIX-515E, 64M RAM - show memory -Free memory: 714696 bytes Used memory: 66394168 bytes - - Total memory: 67108864 bytes,
