Troubleshooting
Perform the following steps to ensure that the configuration is correct.
- Make sure that each interface you intend to operate has the shutdown option disabled. Refer to Configuring firewall Interfaces for more information.
- Make sure that the IP addresses you use in the ip address, global, nat, and route commands are unique. In addition, the address assigned with the ip address command cannot be the same as that of a router or any host. Use the following commands to examine this information.
show ip address
show global
show route
- Use the show route command to make sure you have a default route command statement pointing to the outside router. A default route command follows:
route outside 0 0 ip_address_of_outside_router 1
Replace ip_address_of_outside_router with the IP address of the nearest router on the outside interface.
If you do not see this command in the configuration, add it now. A default route command is crucial to get other commands to work correctly. If you are testing the network before putting it into production, get a router and add it to the test network so that the firewall has a default route.
- Make sure that the nat and global command statements have the same NAT ID, as shown in the following example:
nat (dmz) 1 0 0
global (outside) 1 209.165.201.4 netmask 255.255.255.224
The number 1 after the interface name is the NAT ID.
Also, it is best to keep all the nat command statements and global command statements in the same NAT ID even if the global command statements refer to different interfaces, for example:
nat (inside) 1 0 0
nat (dmz1) 1 0 0
nat (dmz2) 1 0 0
global (outside) 1 209.165.201.3 netmask 255.255.255.224
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224
global (dmz1) 1 192.168.1.20-192.168.1.254 netmask 255.255.255.0
The nat command statements let users on the inside, dmz1, and dmz2 interfaces start outside connections. The first global command statement creates a PAT address on the outside interface with IP address 209.165.201.3. The second global command statement creates a pool of IP addresses in the range of 209.165.201.10 to 209.165.201.20 on the outside interface.
The third global command statement creates a pool of IP addresses on the dmz1 interface in the range of 192.168.1.20 to 192.168.1.254.
- Use the show global command to make sure that a range of global addresses starts from a low number and goes to a high number. In addition, it is good to leave a few addresses before the range for static command statements, hosts, or additional routers.
- If the ISP (Internet service provider) has only provided a few registered addresses, always include a PAT address. This expands the pool of addresses, if needed.
- Use the show global command to make sure that all addresses in the global pool are in the same subnet. For example, if you have a 255.255.255.240 subnet mask, the pool of global addresses could not contain addresses 209.165.201.10 to 209.165.201.20 because this would cross subnet boundaries.
Also make sure that the global pool contains correctly subnetted network addresses and broadcast addresses. For example, with the 255.255.255.240 mask, specifying a global pool of 209.165.201.16 to 209.165.201.31 would not work because 209.165.201.16 is a network address and 209.165.201.31 is a broadcast address.
- Use the show ip address command to ensure that addresses on each interface are in the correct subnet for that interface. Each interface needs its own subnet. For example, if the outside interface has the registered address 209.165.201.1 with a 255.255.255.224 subnet mask, the hosts on the outside interface, the outside router, the global pool, and any addresses set aside for static command statements should all have addresses in this subnet in the range of 209.165.201.2 through 209.165.201.30.
- If you are using subnetting, put the subnet value in the command statements that let you specify a mask. For example, if you are using a .224 subnet mask, the ip address command would appear as follows.
ip address outside 209.165.201.1 255.255.255.224
The global command would appear as follows:
global (outside) 1 209.165.201.10-209.165.201.30 netmask 255.255.255.224
- Use the show nat command to view nat command statements in the configuration. If you need to restrict IP addresses in nat command statements, do not overlap the groups. An example follows.
nat (dmz1) 1 10.0.0.0 255.0.0.0
If you want only users on the 10.0.0.0 network to start connections, do not specify a second nat group with address 10.1.1.0 because this network would be included in 10.0.0.0.
- Use the show ip address command to check all IP addresses to be sure you have the correct address values for the devices.
Make sure all inside interface or perimeter interface hosts and routers have their default routes set to the respective firewall interface IP address.
- At the firewall CLI prompt, enter the show interface command to ensure that the interface is functioning and that the cables are connected correctly. If the display contains "line protocol is up," then the cable type used is correct and connected to the firewall.
If the display states that each interface "is up," then the interface is ready for use. If both of these are true, check "packets input" and "packets output." If packets are being received and transmitted, the firewall is correctly configured and a cable is attached.
- Check that network cables are attached.
- Ping through the firewall
Once you can ping the firewall's inside interface, try pinging through the firewall to a host on another interface, such as the outside. If there is not a host on the interface, ping the router. If the ping is not successful, check the debug messages on the firewall console to be sure both inbound and outbound pings were received.
If you see the Inbound message without the Outbound, then the host or router is not responding. Check that the nat and global command statements are correct and that the host or router is on the same subnet as the outside interface. Successful ping debug messages appear as in this example.
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
- Add static and access-list command statements and test again
Once you can ping successfully from interfaces with higher security levels to interfaces with lower security levels, such as inside to outside, inside to dmz, or dmz2 to dmz1, add static and access-list command statements so that you can ping from the lower security level interfaces to the higher security level interfaces.
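The address checks in the steps above (NAT IDs shared between nat and global statements, global pools ordered low to high and kept inside one subnet, no network or broadcast address in a pool, pool addresses inside the interface's subnet, and no overlapping restricted nat groups) can be run against a saved configuration before it goes on the firewall. The following script is an added example written for this page; it is not part of the original document or of any vendor tool. It only understands the ip address, nat and global statement forms shown above, and the configuration it audits is constructed for the example and deliberately contains several of the mistakes described.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample configuration (not taken from a real device). It contains
# several of the mistakes the checklist describes: a global NAT ID with no nat
# statement, two overlapping restricted nat groups on dmz1, a pool written
# high-to-low, and a pool that starts on a network address and ends on a
# broadcast address.
SAMPLE_CONFIG = """\
ip address outside 209.165.201.1 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
nat (inside) 1 0 0
nat (dmz1) 1 10.0.0.0 255.0.0.0
nat (dmz1) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.3 netmask 255.255.255.224
global (outside) 1 209.165.201.20-209.165.201.10 netmask 255.255.255.224
global (outside) 2 209.165.201.16-209.165.201.31 netmask 255.255.255.240
"""

IP_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")


def parse_config(text):
    """Collect ip address, nat and global statements; other lines are ignored."""
    cfg = {"ip": {}, "nat": [], "global": []}
    for line in text.splitlines():
        line = line.strip()
        if m := IP_RE.match(line):
            cfg["ip"][m[1]] = ipaddress.IPv4Interface(f"{m[2]}/{m[3]}")
        elif m := NAT_RE.match(line):
            # "nat (if) 1 0 0" means all addresses: 0.0.0.0/0
            addr = "0.0.0.0" if m[3] == "0" else m[3]
            mask = "0.0.0.0" if m[4] == "0" else m[4]
            cfg["nat"].append({"if": m[1], "id": int(m[2]),
                               "net": ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)})
        elif m := GLOBAL_RE.match(line):
            lo, _, hi = m[3].partition("-")  # single PAT address or lo-hi range
            cfg["global"].append({"if": m[1], "id": int(m[2]),
                                  "lo": ipaddress.IPv4Address(lo),
                                  "hi": ipaddress.IPv4Address(hi or lo),
                                  "mask": m[4]})
    return cfg


def check_nat_ids(cfg):
    """Every NAT ID used by a global statement needs a nat statement and vice versa."""
    nat_ids = {n["id"] for n in cfg["nat"]}
    global_ids = {g["id"] for g in cfg["global"]}
    return ([f"NAT ID {i} appears in global but in no nat statement" for i in sorted(global_ids - nat_ids)]
            + [f"NAT ID {i} appears in nat but in no global statement" for i in sorted(nat_ids - global_ids)])


def check_nat_overlap(cfg):
    """Restricted nat groups on one interface must not overlap; 'nat 0 0' is skipped."""
    restricted = [n for n in cfg["nat"] if n["net"].prefixlen > 0]
    return [f"nat ({a['if']}) {a['net']} overlaps nat ({b['if']}) {b['net']}"
            for a, b in combinations(restricted, 2)
            if a["if"] == b["if"] and a["net"].overlaps(b["net"])]


def check_pool(g, iface):
    """Order, subnet boundary, reserved addresses and interface subnet for one global statement."""
    problems = []
    lo, hi = g["lo"], g["hi"]
    label = f"global ({g['if']}) {lo}-{hi}"
    if lo > hi:
        problems.append(f"{label}: range must start at the low address")
        lo, hi = hi, lo
    mask = g["mask"] or (str(iface.netmask) if iface else None)
    if mask is None:
        return problems + [f"{label}: no netmask and no ip address statement for {g['if']}"]
    net_lo = ipaddress.IPv4Network(f"{lo}/{mask}", strict=False)
    net_hi = ipaddress.IPv4Network(f"{hi}/{mask}", strict=False)
    if net_lo != net_hi:
        problems.append(f"{label}: range crosses a subnet boundary ({net_lo} and {net_hi})")
    for addr, net in ((lo, net_lo), (hi, net_hi)):
        if addr == net.network_address:
            problems.append(f"{label}: {addr} is the network address of {net}")
        if addr == net.broadcast_address:
            problems.append(f"{label}: {addr} is the broadcast address of {net}")
    if iface is not None and not (lo in iface.network and hi in iface.network):
        problems.append(f"{label}: not inside the {iface.network} subnet of the interface")
    return problems


def audit(text):
    """Return every problem found in the configuration text (empty list if clean)."""
    cfg = parse_config(text)
    problems = check_nat_ids(cfg) + check_nat_overlap(cfg)
    for g in cfg["global"]:
        problems += check_pool(g, cfg["ip"].get(g["if"]))
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG):
        print(problem)
```

Running the script prints five findings for the sample: the unmatched NAT ID 2, the 10.0.0.0/8 and 10.1.1.0/24 overlap on dmz1, the reversed 209.165.201.20-209.165.201.10 range, and the network and broadcast addresses at the ends of the 209.165.201.16-209.165.201.31 pool. A PAT address is a one-address range, so the same checks cover it. The nat 0 0 form is excluded from the overlap check on purpose, since it is meant to cover every inside address.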