Cisco Systems ASA 5505, ASA 5580 Pinging From an ASA Interface, Pinging to an ASA Interface, 24-4

Chapter 24 Troubleshooting Connections and Resources

Testing Your Configuration

Administrators can use the ASDM Ping interactive diagnostic tool in these ways:

•Loopback testing of two interfaces—A ping may be initiated from one interface to another on the same ASA, as an external loopback test to verify basic “up” status and operation of each interface.

•Pinging to an ASA—The Ping tool can ping an interface on another ASA to verify that it is up and responding.

•Pinging through an ASA—Ping packets originating from the Ping tool may pass through an intermediate ASA on their way to a device. The echo packets will also pass through two of its interfaces as they return. This procedure can be used to perform a basic test of the interfaces, operation, and response time of the intermediate unit.

•Pinging to test questionable operation of a network device—A ping may be initiated from an ASA interface to a network device that is suspected of functioning incorrectly. If the interface is configured correctly and an echo is not received, there may be problems with the device.

•Pinging to test intermediate communications—A ping may be initiated from an ASA interface to a network device that is known to be functioning correctly and returning echo requests. If the echo is received, the correct operation of any intermediate devices and physical connectivity is confirmed.

Pinging From an ASA Interface

For basic testing of an interface, you can initiate a ping from an ASA interface to a network device that you know is functioning correctly and returning replies through the intermediate communications path. For basic testing, make sure you do the following:

•Verify receipt of the ping from the ASA interface by the “known good” device. If the ping is not received, a problem with the transmitting hardware or interface configuration may exist.

•If the ASA interface is configured correctly and it does not receive an echo reply from the “known good” device, problems with the interface hardware receiving function may exist. If a different interface with “known good” receiving capability can receive an echo after pinging the same “known good” device, the hardware receiving problem of the first interface is confirmed.

Pinging to an ASA Interface

When you try to ping to an ASA interface, verify that the pinging response (ICMP echo reply) is enabled for that interface by choosing Tools > Ping. When pinging is disabled, the ASA cannot be detected by other devices or software applications, and does not respond to the ASDM Ping tool.

Pinging Through the ASA Interface

To verify that other types of network traffic from “known good” sources are being passed through the ASA, choose Monitoring > Interfaces > Interface Graphs or an SNMP management station.

To enable internal hosts to ping external hosts, configure ICMP inspection. Choose Configuration > Firewall > Service Policies.

Troubleshooting the Ping Tool

When pings fail to receive an echo, it may be the result of a configuration or operational error in an ASA, and not necessarily because of no response from the IP address being pinged. Before using the Ping tool to ping from, to, or through an ASA interface, perform the following basic checks:

•Verify that interfaces are configured. Choose Configuration > Device Setup > Interfaces.

Cisco ASA Series Firewall ASDM Configuration Guide

24-4