Cisco Systems ASA 5585-X Manual De Usuario
24-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
Passing Traffic Through the ASA
After you successfully ping the ASA interfaces, make sure that traffic can pass successfully through the
ASA. By default, you can ping from a high security interface to a low security interface. You just need
to enable ICMP inspection to allow returning traffic through. If you want to ping from high to low, then
you need to apply an ACL to allow traffic. If you use NAT, this test shows that NAT is operating correctly.
ASA. By default, you can ping from a high security interface to a low security interface. You just need
to enable ICMP inspection to allow returning traffic through. If you want to ping from high to low, then
you need to apply an ACL to allow traffic. If you use NAT, this test shows that NAT is operating correctly.
Ping from the host or router through the source interface to another host or router on another interface.
Repeat this step for as many interface pairs as you want to check.
Repeat this step for as many interface pairs as you want to check.
If the ping succeeds, a syslog message appears to confirm the address translation for routed mode
(305009 or 305011) and that an ICMP connection was established (302020). You can also enter either
the show xlate or show conns command to view this information.
(305009 or 305011) and that an ICMP connection was established (302020). You can also enter either
the show xlate or show conns command to view this information.
The ping might fail because NAT is not configured correctly. In this case, a syslog message appears,
showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host,
and you do not have a static translation, the following syslog message appears:
showing that the NAT failed (305005 or 305006). If the ping is from an outside host to an inside host,
and you do not have a static translation, the following syslog message appears:
%ASA-3-106010: deny inbound icmp.
Note
The ASA only shows ICMP debugging messages for pings to the ASA interfaces, and not for pings
through the ASA to other hosts.
through the ASA to other hosts.
Figure 24-5
Ping Failure Because the ASA is Not Translating Addresses
Detailed Steps
Command
Purpose
Step 1
policy-map global_policy
Edits the default global policy and enters policy-map
configuration mode.
configuration mode.
Step 2
class
inspection_default
Edits the default class map, which matches application traffic for
standard protocols and ports. For ICMP, this class matches all
ICMP traffic.
standard protocols and ports. For ICMP, this class matches all
ICMP traffic.
Step 3
inspect icmp
Enables the ICMP inspection engine and ensures that ICMP
responses can return to the source host.
responses can return to the source host.
Ping
Router
Router
Host
Host
Security
Appliance
126694