24-2
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
The diagram should also include any directly connected routers and a host on the other side of the router
from which you will ping the ASA. (See Figure 24-1.)
Figure 24-1 Network Diagram with Interfaces, Routers, and Hosts
Step 2
Ping each ASA interface from the directly connected routers. For transparent mode, ping the
management IP address. This test ensures that the ASA interfaces are active and that the interface
configuration is correct.
A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch
between the ASA and a router is down (see Figure 24-2). In this case, no debugging messages or syslog
messages appear, because the packet never reaches the ASA.
Figure 24-2 Ping Failure at the ASA Interface
If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:
ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist
(see Figure 24-3).
Routed ASA
10.1.1.56 10.1.3.6209.265.200.230
10.1.2.90 10.1.4.6710.1.0.34
209.165.201.24
10.1.1.5
Transp. ASA
10.1.0.3
Host
Host
dmz1
192.1
68.1.
outside
209.165.201.1
security0
inside
192.168.0.1
security100
outside
security0
inside
security100
dmz2
192.168.2.1
security40
dmz3
192.1
68.3.
dmz4
192.168.4.1
security80
330857
Host
Host
Host
Host
Host
Host
Router
Router Router
Router
Router Router
Router
Router
Ping
Router
Host
?
ASA
330858