Cisco PIX 500 Series Configuration Manual page 963

Chapter 43 Troubleshooting the Security Appliance
Figure 43-1 Network Diagram with Interfaces, Routers, and Hosts
Host
10.1.1.56
10.1.1.2
209.265.200.226
Router
192.168.1.2
209.165.201.2
dmz1
209.165.201.1
192.1
68.1.
dmz2
192.168.2.1
192.168.0.1
security40
security100
192.168.2.2
Router
10.1.2.2
10.1.2.90
Host
Ping each security appliance interface from the directly connected routers. For transparent mode, ping
Step 2
the management IP address. This test ensures that the security appliance interfaces are active and that
the interface configuration is correct.
A ping might fail if the security appliance interface is not active, the interface configuration is incorrect,
or if a switch between the security appliance and a router is down (see
debug messages or system log messages appear, because the packet never reaches the security appliance.
Figure 43-2
Router
If the ping reaches the security appliance, and the security appliance responds, debug messages similar
to the following appear:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist
(see
OL-12172-03
Host
209.265.200.230
10.1.3.2
Router
192.168.3.2
outside
dmz3
192.1
security0
68.3.
Routed Security
Appliance
dmz4
inside
192.168.4.1
security80
192.168.0.2 192.168.4.2
Router
10.1.4.2
10.1.0.2
10.1.0.34
Host
Ping Failure at Security Appliance Interface
Ping
Figure 43-3).
Host
10.1.3.6
Router
Router
10.1.4.67
Host
Cisco Security Appliance Command Line Configuration Guide
Testing Your Configuration
Host
209.165.201.24
209.165.201.1
Router
10.1.0.1
outside
security0
Transp. Security
Appliance 10.1.0.3
inside
security100
10.1.0.2
Router
10.1.1.1
10.1.1.5
Host
Figure 43-2). In this case, no
Security
Appliance
43-3