Cisco ASA 5505 User Manual

82-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 82 Troubleshooting

Testing Your Configuration

Figure 82-1

Network Diagram with Interfaces, Routers, and Hosts

Step 2

Ping each ASA interface from the directly connected routers. For transparent mode, ping the
management IP address. This test ensures that the ASA interfaces are active and that the interface
configuration is correct.

A ping might fail if the ASA interface is not active, the interface configuration is incorrect, or if a switch
between the ASA and a router is down (see

Figure 82-2

). In this case, no debug messages or syslog

messages appear, because the packet never reaches the ASA.

Figure 82-2

Ping Failure at the ASA Interface

If the ping reaches the ASA, and it responds, debugging messages similar to the following appear:

ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2

ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1

If the ping reply does not return to the router, then a switch loop or redundant IP addresses may exist
(see

Figure 82-3

).

Routed Security
Appliance

10.1.1.56

10.1.3.6

209.265.200.230

10.1.2.90

10.1.4.67

10.1.0.34

209.165.201.24

10.1.1.5

Transp. Security
Appliance 10.1.0.3

Host

Host

10.1.1.2

192.168.1.2

209.265.200.226

209.165.201.2

10.1.3.2

192.168.3.2

192.168.2.2

10.1.2.2

192.168.0.2

10.1.0.2

192.168.4.2

10.1.4.2

dmz1

192.1

68.1.

outside

209.165.201.1

security0

inside

192.168.0.1

security100

209.165.201.1

10.1.0.1

10.1.0.2

10.1.1.1

outside

security0

inside

security100

dmz2

192.168.2.1

security40

dmz3
192.1
68.3.

dmz4
192.168.4.1
security80

126692

Host

Host

Host

Host

Host

Host

Router

Router

Router

Router

Router

Router

Router

Router

Ping

Security

Appliance

Router

126695