Professional Documents
Culture Documents
14-Module-3 notes-14-03-2024
14-Module-3 notes-14-03-2024
14-Module-3 notes-14-03-2024
security devices
security devices
Troubleshoot Firewall Problems
1) Ping a PC near the device
• If the target device receives the "ping" from the source device, it will
(if configured to do so) respond to confirm that is active and
connected to the network.
• So, if your pings to the PC are not returned, try pinging the gateway
• Keep in mind that some networks block all ping traffic as a security
measure.
Troubleshoot Firewall Problems
2) Ping the device
• Next, send another simple ICMP ping to the device to determine connectivity.
• If pings to the PC in Step 1 were successful, but pings sent to the device fail, the
problem is almost certainly with your SNMP device.
• Confirm that these or any other needed IP addresses are not being blocked.
Troubleshoot Firewall Problems
6) Trace the route to the device
• Tracing the "hops" that network traffic is following to reach the device can
allow you to pinpoint a tricky firewall issue.
• A simple trace can be performed from the Command Prompt of Windows
XP:
• Open a Command Prompt in Windows XP.
• Type "tracert", a single space, and the IP address of the device you are trying to reach
(i.e. "tracert 192.168.230.143")
• Press return to start the trace.
• Show the output to your IT department to identify potential firewall problems.
Troubleshooting CISCO IOS Firewall
configurations
• In order to reverse (remove) an access list, put a "no" in front of the access-
group command in interface configuration mode:
int <interface>
no ip access-group # in|out
• If too much traffic is denied, study the logic of your list or try to define an
additional broader list, and then apply it instead. For example:
access-list # permit tcp any any
access-list # permit udp any any
access-list # permit icmp any any
int <interface>
ip access-group # in|out
Troubleshooting CISCO IOS Firewall
configurations
• If the router is not heavily loaded, debugging can be done at a packet level on
the extended or ip inspect access list.
• If the router is heavily loaded, traffic is slowed through the router. Use discretion
with debugging commands.
Temporarily add the no ip route-cache command to the interface:
int <interface>
no ip route-cache
Then, in enable (but not config) mode:
term mon ![terminal monitor]
debug ip packet [access-list-number] ! to display general IP debugging information
produces output similar to this:
IP: s=172.16.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, forward
Troubleshooting CISCO IOS Firewall
configurations
• Debug ip packet Command Field Descriptions
Field Description
IP: Indicates that this is an IP packet.
s = 172.16.13.44 (Fddi0) Indicates the source address of the packet and the name of the
interface that received the packet.
d = 10.125.254.1 (Serial2) Indicates the destination address of the packet and the name of the
interface (in this case, S2) through which the packet is being sent out
on the network.
g = 172.16.16.2 Indicates the address of the next hop gateway.
forward Indicates that the router is forwarding the packet. If a filter denies a
packet, "access denied" replaces "forward," as shown in the last line
of output.
Troubleshooting CISCO IOS Firewall
configurations
• Extended access lists can also be used with the "log" option at
the end of the various statements:
access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
access-list 101 permit ip any any
• You therefore see messages on the screen for permitted and
denied traffic:
*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp
171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp
171.68.118.100(0) -> 10.31.1.161(0), 1 packet
Troubleshooting CISCO IOS Firewall
configurations
• If the ip inspect list is suspect, the debug ip inspect <type_of_traffic> command produces
output such as this output: [Ex: debug ip inspect tcp]
*Mar 2 01:20:43: CBAC* sis 25A3604 pak 2541C58 TCP P ack 4223720032 seq 4200176225(22) (10.0.0.1:46409)
=> (10.1.0.1:21)
• TCP packets being processed and lists the corresponding acknowledge (ACK) packet numbers
and sequence (SEQ) numbers.
• The number of data bytes in the TCP packet is shown in parentheses--for example, (22).
• For each packet shown, the addresses and port numbers are shown separated by a colon. For
example, (10.1.0.1:21) indicates an IP address of 10.1.0.1:21 and a TCP port number of 21.
• Entries with an asterisk (*) after the word “CBAC” are entries when the fast path is used;
otherwise, the process path is used.
Common Router problems and solutions
• Security key: Wi-Fi security keys are phrases or sequences of letters and digits.
All devices that enter the network must be configured to use the Wi-Fi key
recognized by the router (or wireless access point).
Common Router problems and solutions
2. Update your Hardware or Firmware
• The reason for this step is twofold. You can take benefit of any additional
features and improvements of the new version of the firmware. Also, your
router will normally receive any critical security updates.
• Typically, you will have the choice of checking, evaluating, downloading, and
installing the latest firmware on your router's administration tab. The exact
steps depend on the make and model of your router, so check the specifics of
the router manufacturer's support site.
Common Router problems and solutions
3. Fix Overheating or Overloading
• You can set up a different Wi-Fi router or allow the "Guest Network" option for
your router.
• You can also set up a separate SSID and password for your host network to
avoid issues with your main network.
• This segregation would also work with your smart appliances and secure your
key devices from attacks on the Internet of Things.
• You can also use QoS (Quality of Service). QoS is a feature on some routers
that lets you prioritize traffic according to the type of data being transmitted.
Common Router problems and solutions
4. Remove MAC Address Restrictions
• A number of network routers support a function called MAC address
filtering.
• Check the router to ensure that either the MAC address filtering is off
or the MAC address of the computer is included in the list of allowed
connections.
Common Router problems and solutions
5. Check Wireless Signal Limitations
• If you have a newer router, check if it supports the 5GHz band. Newer
routers typically have dual-band capabilities.
• By allowing dual bands, you could hold older devices that only
support slower G specification on the 2.4GHz band and newer devices
on the beefier and faster 5GHz band.
• Ping:
• Use the ping and trace commands to check for connectivity.
• With VPN connections, each end of the connection must mirror the
other.
• Verify Settings:
• Do not make assumptions. Verify everything!
Router Troubleshooting Tools
• Using Router Diagnostic Commands
• Cisco routers provide numerous integrated commands to assist you in
monitoring and troubleshooting your internetwork.
Router Troubleshooting Tools
• Using show Commands
• The show commands are powerful monitoring and troubleshooting
tools.
• Monitor router behaviour during initial installation