82-6
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 82 Troubleshooting
Testing Your Configuration
Figure 82-5 Ping Failure Because the ASA is Not Translating Addresses
Step 3
Command:
class-map ICMP-CLASS
match access-list ICMPACL
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
service-policy ICMP-POLICY global

Example:
hostname(config)# class-map ICMP-CLASS
hostname(config-cmap)# match access-list ICMPACL
hostname(config)# policy-map ICMP-POLICY
hostname(config-pmap)# class ICMP-CLASS
hostname(config-pmap)# inspect icmp
hostname(config)# service-policy ICMP-POLICY global

Purpose:
Enables the ICMP inspection engine and ensures that ICMP responses may return to the source host.

For a host to access a lower security interface, you must enable ICMP inspection. However, to access a higher security interface, you must enable ICMP inspection and the preceding access list.

Note: Alternatively, you can also apply the ICMP access list to the destination interface to allow ICMP traffic back through the ASA.
Step 4
Command:
logging on

Example:
hostname(config)# logging on

Purpose:
Enables syslog message generation.

If the ping succeeds, a syslog message appears to confirm the address translation for routed mode (305009 or 305011) and that an ICMP connection was established (302020). You can also enter either the show xlate or show conns command to view this information.

If the ping fails for transparent mode, contact Cisco TAC.

For routed mode, the ping might fail because NAT is not configured correctly (see Figure 82-5). In this case, a syslog message appears, showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host, and you do not have a static translation, the following syslog message appears:
%ASA-3-106010: deny inbound icmp.

Note: The ASA only shows ICMP debugging messages for pings to the ASA interfaces, and not for pings through the ASA to other hosts.
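The syslog IDs listed in Step 4 are what an operator actually reads off the ASA to decide why a ping test passed or failed. The following triage helper is an added example, not part of the Cisco guide: it scans syslog lines for those IDs and returns a verdict. The message text after each ID in the sample lines, and all addresses and interface names, are constructed for illustration; only the IDs come from the page.

```python
import re
from typing import Iterable

# Syslog message IDs named in Step 4 and what each indicates during the
# ping test. The IDs are the ones the page lists; the free text after the
# ID in the samples below is constructed.
XLATE_OK = {"305009", "305011"}   # address translation built (routed mode)
ICMP_CONN = {"302020"}            # ICMP connection established
NAT_FAIL = {"305005", "305006"}   # NAT failed (no translation found)
DENY_IN = {"106010"}              # inbound ICMP denied (no static translation)

MSG_ID = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")

def triage_ping(lines: Iterable[str]) -> dict:
    """Return a verdict for a routed-mode ping test from ASA syslog lines."""
    seen = {"xlate": [], "conn": [], "nat_fail": [], "deny": []}
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            continue  # not an ASA syslog message, ignore it
        mid = m.group("id")
        if mid in XLATE_OK:
            seen["xlate"].append(m.group("text"))
        elif mid in ICMP_CONN:
            seen["conn"].append(m.group("text"))
        elif mid in NAT_FAIL:
            seen["nat_fail"].append(m.group("text"))
        elif mid in DENY_IN:
            seen["deny"].append(m.group("text"))
    # Order matters: an explicit deny or NAT failure explains the result
    # even if an unrelated translation message is also present.
    if seen["deny"]:
        verdict = "denied: outside-to-inside ping with no static translation"
    elif seen["nat_fail"]:
        verdict = "nat-failure: NAT not configured correctly (Figure 82-5 case)"
    elif seen["xlate"] and seen["conn"]:
        verdict = "ok: translation built and ICMP connection established"
    elif seen["conn"]:
        verdict = "partial: ICMP connection but no translation message"
    else:
        verdict = "unknown: no relevant messages (is 'logging on' configured?)"
    return {"verdict": verdict, **seen}

# Constructed sample lines (addresses and interface names are made up).
SAMPLE_OK = [
    "%ASA-6-305011: Built dynamic ICMP translation from inside:10.1.1.10/1 to outside:203.0.113.5/1",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.1/0 gaddr 203.0.113.5/1 laddr 10.1.1.10/1",
]
SAMPLE_NAT_FAIL = ["%ASA-3-305005: No translation group found for icmp src inside:10.1.1.10 dst outside:203.0.113.1"]
SAMPLE_DENY = ["%ASA-3-106010: Deny inbound icmp src outside:203.0.113.1 dst inside:10.1.1.10 (type 8, code 0)"]
```

Feed it the output of the ASA's syslog buffer (or a collector's export) captured while the ping runs; an "unknown" verdict usually means logging is off or the ping never reached the ASA.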
[Figure 82-5 diagram: a ping from Host through Router, Security Appliance and Router to Host]