24-2

Cisco ASA Series Firewall ASDM Configuration Guide
Chapter24 Troubleshooting Connections and Resources
Testing Your Configuration

The diagram should also include any directly connected routers and a host on the other side of the router

from which you will ping the ASA. (See Figure24-1.)

Figure24-1 Network Diagram with Interfaces, Routers, and Hosts
Step2 Ping each ASA interface from the directly connected routers. For transparent mode, ping the

management IP address. This test ensures that the ASA interfaces are active and that the interface

configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch

between the ASA and a router is down (see Figure 24-2). In this case, no debugging messages or syslog

messages appear, because the packet never reaches the ASA.

Figure24-2 Ping Failure at the ASA Interface

If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist

(see Figure 24-3).

Routed ASA
10.1.1.56 10.1.3.6209.265.200.230
10.1.2.90 10.1.4.6710.1.0.34
209.165.201.24
10.1.1.5
Transp. ASA
10.1.0.3
Host
Host
dmz1
192.1
68.1.
outside
209.165.201.1
security0
inside
192.168.0.1
security100
outside
security0
inside
security100
dmz2
192.168.2.1
security40
dmz3
192.1
68.3.
dmz4
192.168.4.1
security80
330857
Host Host
Host Host
Host
Host
Router
Router Router
Router
Router Router Router
Router
Ping
Router
Host
?

ASA

330858