Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 82 Troubleshooting
Testing Your Configuration
Figure 82-3 Ping Failure Because of IP Addressing Problems
Step 3 Ping each ASA interface from a remote host. For transparent mode, ping the management IP address.
This test checks whether the directly connected router can route the packet between the host and the
ASA, and whether the ASA can correctly route the packet back to the host.
A ping might fail if the ASA does not have a return route to the host through the intermediate router (see
Figure 82-4). In this case, the debugging messages show that the ping was successful, but syslog
message 110001 appears, indicating a routing failure.
Figure 82-4 Ping Failure Because the Security Appliance has No Return Route
Passing Traffic Through the ASA
After you successfully ping the ASA interfaces, make sure that traffic can pass successfully through the
ASA. For routed mode, this test shows that NAT is operating correctly, if configured. For transparent
mode, which does not use NAT, this test confirms that the ASA is operating correctly. If the ping fails in
transparent mode, contact the Cisco TAC.
To ping between hosts on different interfaces, perform the following steps:
Step 1 Command: access-list ICMPACL extended permit icmp any any
Example:
hostname(config)# access-list ICMPACL extended permit icmp any any
Purpose: Adds an access list to allow ICMP traffic from any source host.
Note By default, when hosts access a lower security interface, all traffic is allowed through. However, to access a higher security interface, you need the preceding access list.

Step 2 Command: access-group ICMPACL in interface interface_name
Example:
hostname(config)# access-group ICMPACL in interface inside
Purpose: Assigns the access list to each source interface. Repeat this command for each source interface.
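
To confirm that Step 2 was repeated for every source interface, the following Python check (an added example, not part of the Cisco guide) parses a saved running configuration and reports which named interfaces have an inbound access list containing permit icmp any any. The sample configuration, its interface names, and the WEB access list are constructed for illustration.

```python
import re

# Constructed sample of an ASA running configuration (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
access-list ICMPACL extended permit icmp any any
access-list WEB extended permit tcp any host 192.168.1.10 eq www
access-group ICMPACL in interface inside
access-group WEB in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+any\s+any\s*$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$")


def audit_icmp_test_acl(config_text):
    """Return (bound, unbound). bound maps interface -> ACL that permits
    icmp any any inbound; unbound maps interface -> other inbound ACL or None."""
    interfaces, icmp_acls, bindings = [], set(), {}
    for line in config_text.splitlines():
        if m := NAMEIF_RE.match(line):
            interfaces.append(m.group(1))
        elif m := ACL_RE.match(line):
            icmp_acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)  # one inbound ACL per interface
    bound = {i: bindings[i] for i in interfaces if bindings.get(i) in icmp_acls}
    unbound = {i: bindings.get(i) for i in interfaces if i not in bound}
    return bound, unbound


if __name__ == "__main__":
    bound, unbound = audit_icmp_test_acl(SAMPLE_CONFIG)
    for name, acl in bound.items():
        print(f"{name}: ICMP permitted inbound by access-list {acl}")
    for name, other in unbound.items():
        detail = f"inbound ACL {other} lacks the ICMP permit" if other else "no inbound ACL bound"
        print(f"{name}: {detail}")
```

An interface reported with another inbound access list needs the ICMP entry added to that list, because an interface holds only one access list per direction.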