24-4
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 24 Troubleshooting Connections and Resources
Testing Your Configuration
Administrators can use the ASDM Ping interactive diagnostic tool in these ways:
• Loopback testing of two interfaces—A ping may be initiated from one interface to another on the
same ASA, as an external loopback test to verify basic “up” status and operation of each interface.
• Pinging to an ASA—The Ping tool can ping an interface on another ASA to verify that it is up and
responding.
• Pinging through an ASA—Ping packets originating from the Ping tool may pass through an
intermediate ASA on their way to a device. The echo packets will also pass through two of its
interfaces as they return. This procedure can be used to perform a basic test of the interfaces,
operation, and response time of the intermediate unit.
• Pinging to test questionable operation of a network device—A ping may be initiated from an ASA
interface to a network device that is suspected of functioning incorrectly. If the interface is
configured correctly and an echo is not received, there may be problems with the device.
• Pinging to test intermediate communications—A ping may be initiated from an ASA interface to a
network device that is known to be functioning correctly and returning echo requests. If the echo is
received, the correct operation of any intermediate devices and physical connectivity is confirmed.
Pinging From an ASA Interface
For basic testing of an interface, you can initiate a ping from an ASA interface to a network device that
you know is functioning correctly and returning replies through the intermediate communications path.
For basic testing, make sure you do the following:
• Verify receipt of the ping from the ASA interface by the “known good” device. If the ping is not
received, a problem with the transmitting hardware or interface configuration may exist.
• If the ASA interface is configured correctly and it does not receive an echo reply from the “known
good” device, problems with the interface hardware receiving function may exist. If a different
interface with “known good” receiving capability can receive an echo after pinging the same “known
good” device, the hardware receiving problem of the first interface is confirmed.
Pinging to an ASA Interface
When you try to ping to an ASA interface, verify that the pinging response (ICMP echo reply) is enabled
for that interface by choosing Tools > Ping. When pinging is disabled, the ASA cannot be detected by
other devices or software applications, and does not respond to the ASDM Ping tool.
Pinging Through the ASA Interface
To verify that other types of network traffic from “known good” sources are being passed through the
ASA, choose Monitoring > Interfaces > Interface Graphs or an SNMP management station.
To enable internal hosts to ping external hosts, configure ICMP inspection. Choose Configuration >
Firewall > Service Policies.
Troubleshooting the Ping Tool
When pings fail to receive an echo, it may be the result of a configuration or operational error in an ASA,
and not necessarily because of no response from the IP address being pinged. Before using the Ping tool
to ping from, to, or through an ASA interface, perform the following basic checks:
• Verify that interfaces are configured. Choose Configuration > Device Setup > Interfaces.