Troubleshooting Example

This through a simple example of troubleshooting a firewall configuration. Troubleshooting starts with the basic connectivity troubleshooting and escalates upward to more complex issues until the specific problem is identified
Nội dung trích xuất từ tài liệu:
Troubleshooting ExampleTroubleshooting ExampleThis section walks through a simple example of troubleshooting a firewall configuration.Troubleshooting starts with the basic connectivity troubleshooting and escalates upwardto more complex issues until the specific problem is identified. As mentioned previously,the first step is to verify the problem that is being reported. Consider, for example, theproblem shown in Figure 13-3. The web client behind the firewall is attempting to reach awebsite across the Internet. For the purposes of this example, we use the sitehttp://www.freeciv.org. Figure 13-3. Troubleshooting Example TopologyFigure 13-4 shows that the connection has failed. This failure could be for a variety ofreasons, but suffices as a simple example of troubleshooting the firewall. Figure 13-4. Failed Connection to Website [View full size image]One of the first steps to take is to test the connectivity. Doing so involves verifying thatthe firewall is up and running as well as verifying that the Internet connection is working.To verify that the firewall is operational from a hardware perspective requires a physicalexamination of the firewall device. The firewall power light should be on, and both insideand outside interface indicators should be on. These indicators vary depending on thespecific brand of firewall. On the PIX, they are found on the interface ports themselves,as shown by the two arrows in Figure 13-5. Figure 13-5. PIX Interface Indicators [View full size image]If the firewall is up and functional, the next step is to connect to the firewall and verifythat the firewall software has not crashed. You can do so either using the firewalls webinterface or by using the command-line interface. Figure 13-6 shows a connection into afirewall and verification that the software is up and running. Figure 13-6. Verifying Firewall Functioning [View full size image]If the firewall is up and running, the next step is to test the Internet connection on theoutside interface of the firewall. You can do this by pinging a system out on the Internet.Doing so is somewhat tricky because many networks filter out unsolicited ICMPrequests. However, some of the larger search sites such as Yahoo! and Google do allowunsolicited ICMP requests, as shown in Figure 13-7. Figure 13-7. Testing Internet Connectivity [View full size image]If pinging an external site is possible, the Internet connection is probably working fine,and the problem may be in the configuration of the firewall. However, before going thatfar, it would be a good idea to verify that the site being contacted is working. To do this,you need only ping the site and, failing that, connect to the specific application port usingTelnet or some other connectivity utility. For web servers, the easiest way to check todetermine whether the server is up is to telnet to the web server on TCP port 80, as shownin Figure 13-8. Figure 13-8. Checking Server Connectivity [View full size image]In this example, the assumption is that the web server is not responding because it doesnot respond to a ping or to the Telnet connection to the web server port, 80.In more complex cases, you might need to review the firewall configuration to ensurethat it is not blocking the traffic unnecessarily. Also, consider that in some cases it is notyour end of the connection that may be problematic but the other end. In many cases, youmight need to search the vendors documentation to ensure that the firewall is configuredproperly or how to turn on the debugging features of the firewall. Like troubleshootingany other problem, troubleshooting a firewall is much an iterative problem. You startwith the simple and obvious and work toward the more unique and esoteric if necessary.