Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 82 Troubleshooting
Testing Your Configuration
Disabling the Test Configuration
After you complete your testing, disable the test configuration that allows ICMP to and through the ASA
and that prints debugging messages. If you leave this configuration in place, it can pose a serious security
risk. Debugging messages also slow ASA performance.
To disable the test configuration, perform the following steps:
Determining Packet Routing with Traceroute
You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute
command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the
port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded
Message, and report that error to the ASA.
Tracing Packets with Packet Tracer
The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as
detailed information about the packets and how they are processed by the ASA. If a configuration
command did not cause the packet to drop, the packet tracer tool provides information about the cause
in an easily readable manner.
In addition, you can use the packet tracer tool to trace the lifespan of a packet through the ASA to see
whether the packet is operating correctly. This tool enables you to do the following:
| Step | Command | Example | Purpose |
|---|---|---|---|
| Step 1 | no debug icmp trace | hostname(config)# no debug icmp trace | Disables ICMP debugging messages. |
| Step 2 | no logging on | hostname(config)# no logging on | Disables logging. |
| Step 3 | no access-list ICMPACL | hostname(config)# no access-list ICMPACL | Removes the ICMPACL access list, and deletes the related access-group commands. |
| Step 4 | no service-policy ICMP-POLICY | hostname(config)# no service-policy ICMP-POLICY | (Optional) Disables the ICMP inspection engine. |
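
A check to run after the "Disabling the Test Configuration" steps, as an added example that is not part of the Cisco guide: it scans a saved text capture of the ASA's configuration and debug state for the test commands those steps remove. The capture format and the sample lines are constructed assumptions; ICMPACL and ICMP-POLICY are the names used on this page.

```python
import re

# Leftover test commands, derived from the "no" forms in Steps 1-4 by dropping
# the leading "no". Assumption: they appear one per line in the saved capture.
LEFTOVER_PATTERNS = [
    (r"debug icmp trace(?=\s|$)", "ICMP debugging still enabled (Step 1)"),
    (r"logging on(?=\s|$)", "logging still enabled (Step 2)"),
    (r"access-list ICMPACL(?=\s|$)", "ICMPACL access list still present (Step 3)"),
    (r"access-group ICMPACL(?=\s|$)", "access-group still applies ICMPACL (Step 3)"),
    (r"service-policy ICMP-POLICY(?=\s|$)", "ICMP-POLICY still applied (Step 4)"),
]


def audit_test_config(config_text):
    """Return (line_number, line, finding) for each leftover test command."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith(("!", "no ")):
            continue  # skip blanks, comment lines and negated forms
        for pattern, finding in LEFTOVER_PATTERNS:
            if re.match(pattern, line):
                findings.append((lineno, line, finding))
    return findings


# Constructed sample capture (not real device output). Similar names such as
# OUTSIDE_IN and global_policy must not be flagged.
SAMPLE_CAPTURE = """\
hostname asa-lab
debug icmp trace
logging on
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list ICMPACL extended permit icmp any any
access-group ICMPACL in interface outside
service-policy global_policy global
service-policy ICMP-POLICY interface outside
"""

if __name__ == "__main__":
    results = audit_test_config(SAMPLE_CAPTURE)
    for lineno, line, finding in results:
        print(f"line {lineno}: {finding}: {line}")
    raise SystemExit(1 if results else 0)  # non-zero exit when anything is left
```
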