We have a site-to-site VPN set up between a 506 and a 501. Some of the functions of our custom software are not working properly. I'd like to check whether the firewalls are dropping any packets. I have an access list set up that opens a few ports. I'd like to be able to see if any traffic comes in to any ports not opened by the access list. I'm new to PIX firewalls and not sure what I need to use in this case: the debug access-list or debug packet commands.
Debugging on pix501/506
12 years 9 months ago #14567
While writing the access list, end it with "log", for example:
access-list allow_ping permit icmp any any log
By giving show access-list you can see the hit counts. While accessing that application, check whether the hit count is increasing.
If the hit count is increasing, the access list is blocking the application; for that you have to open the port in the access list.
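An added example, not part of the reply above: one way to do the hit-count comparison is to save `show access-list` output before and after exercising the application and diff the `(hitcnt=N)` values. The ACL name, addresses and ports in the sample are constructed, and it assumes an explicit `deny ip any any` as the last entry, because the implicit deny at the end of an access list has no counter of its own.

```python
import re

# One ACE line of `show access-list` output, e.g.
# access-list acl_vpn line 2 permit tcp any host 10.2.0.10 eq 8080 (hitcnt=4)
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

def parse_hitcounts(show_output):
    """Map (acl name, rule text) -> hit count; header lines are skipped."""
    counts = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            # Key on the rule text, not the line number, so the comparison
            # survives entries being inserted between snapshots.
            counts[(m["acl"], m["rule"])] = int(m["hits"])
    return counts

def changed_entries(before, after):
    """Return [(acl, rule, delta)] for entries whose count rose, largest first."""
    old, new = parse_hitcounts(before), parse_hitcounts(after)
    rows = []
    for (acl, rule), hits in new.items():
        delta = hits - old.get((acl, rule), 0)
        if delta > 0:  # a counter reset between snapshots gives delta <= 0
            rows.append((acl, rule, delta))
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample snapshots (not captured from a real device).
BEFORE = """access-list acl_vpn; 3 elements
access-list acl_vpn line 1 permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq 1433 (hitcnt=12)
access-list acl_vpn line 2 permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq 8080 (hitcnt=0)
access-list acl_vpn line 3 deny ip any any (hitcnt=3)
"""
AFTER = """access-list acl_vpn; 3 elements
access-list acl_vpn line 1 permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq 1433 (hitcnt=20)
access-list acl_vpn line 2 permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq 8080 (hitcnt=0)
access-list acl_vpn line 3 deny ip any any (hitcnt=9)
"""

if __name__ == "__main__":
    for acl, rule, delta in changed_entries(BEFORE, AFTER):
        verdict = "DROPPED" if rule.startswith("deny") else "allowed"
        print(f"{acl}: +{delta:<4} {verdict:8} {rule}")
```

In this sample the deny entry gained hits during the test while the 8080 permit stayed at zero, which is the pattern to look for when the application uses a port the access list does not cover.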