Cisco ASA 5506-X Configuration Manual page 295
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Chapter 13
Troubleshooting Connections and Resources
Figure 13-3
Router
Step 3
Ping each ASA interface from a remote host. For transparent mode, ping the management IP address.
This test checks whether the directly connected router can route the packet between the host and the
ASA, and whether the ASA can correctly route the packet back to the host.
A ping might fail if the ASA does not have a return route to the host through the intermediate router (see
the following figure). In this case, the debugging messages show that the ping was successful, but syslog
message 110001 appears, indicating a routing failure has occurred.
Figure 13-4
Router
Ping from an ASA interface to a network device that you know is functioning correctly.
Step 4
If the ping is not received, a problem with the transmitting hardware or interface configuration may
•
exist.
If the ASA interface is configured correctly and it does not receive an echo reply from the "known
•
good" device, problems with the interface hardware receiving function may exist. If a different
interface with "known good" receiving capability can receive an echo after pinging the same "known
good" device, the hardware receiving problem of the first interface is confirmed.
Ping from the host or router through the source interface to another host or router on another interface.
Step 5
Repeat this step for as many interface pairs as you want to check. If you use NAT, this test shows that
NAT is operating correctly.
If the ping succeeds, a syslog message appears to confirm the address translation for routed mode
(305009 or 305011) and that an ICMP connection was established (302020). You can also enter either
the show xlate or show conns command to view this information.
The ping might fail because NAT is not configured correctly. In this case, a syslog message appears,
showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host,
and you do not have a static translation, you get message 106010.
Figure 13-5
Host
Ping Failure Because of IP Addressing Problems
Ping
192.168.1.2
192.168.1.2
Host
Ping Failure Because the ASA Has No Return Route
Ping
Ping Failure Because the ASA is Not Translating Addresses
Ping
Router
192.168.1.1
Appliance
Security
Router
Appliance
Cisco ASA Series Firewall CLI Configuration Guide
Testing Your Configuration
Security
ASA
Host
13-7
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
