Disabling the test configuration, Determining packet routing with traceroute, Tracing packets with packet tracer – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 82 Troubleshooting

Testing Your Configuration

Disabling the Test Configuration

After you complete your testing, disable the test configuration that allows ICMP to and through the ASA
and that prints debugging messages. If you leave this configuration in place, it can pose a serious security
risk. Debugging messages also slow ASA performance.

To disable the test configuration, perform the following steps:

Step 1
    Command: no debug icmp trace
    Example: hostname(config)# no debug icmp trace
    Purpose: Disables ICMP debugging messages.

Step 2
    Command: no logging on
    Example: hostname(config)# no logging on
    Purpose: Disables logging.

Step 3
    Command: no access-list ICMPACL
    Example: hostname(config)# no access-list ICMPACL
    Purpose: Removes the ICMPACL access list, and deletes the related access-group
             commands.

Step 4
    Command: no service-policy ICMP-POLICY
    Example: hostname(config)# no service-policy ICMP-POLICY
    Purpose: (Optional) Disables the ICMP inspection engine.

Determining Packet Routing with Traceroute

You can trace the route of a packet using the traceroute feature, which is accessed with the traceroute
command. A traceroute works by sending UDP packets to a destination on an invalid port. Because the
port is not valid, the routers along the way to the destination respond with an ICMP Time Exceeded
Message, and report that error to the ASA.

Tracing Packets with Packet Tracer

The packet tracer tool provides packet tracing for packet sniffing and network fault isolation, as well as
detailed information about the packets and how they are processed by the ASA. If a configuration
command did not cause the packet to drop, the packet tracer tool provides information about the cause
in an easily readable manner.

In addition, you can trace the lifespan of a packet through the ASA to see whether the packet is operating
correctly with the packet tracer tool. This tool enables you to do the following:
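The four steps under Disabling the Test Configuration can be checked afterwards against saved device output. The following is an added example, not part of the Cisco guide: the function name `leftover_test_config` is hypothetical, and it assumes the output of `show running-config` and `show debug` has been saved as text and that the lines look like the constructed samples shown.

```python
import re

# Names (ICMPACL, ICMP-POLICY) come from the steps on this page. How each item
# appears in saved output is an assumption about typical ASA output.
CHECKS = [
    (1, "show debug", re.compile(r"^\s*debug icmp trace enabled", re.I)),
    (2, "running-config", re.compile(r"^\s*logging (on|enable)\s*$", re.I)),
    # The lookahead keeps similarly named objects (ICMPACL-PROD) from matching.
    (3, "running-config", re.compile(r"^\s*access-(list|group) ICMPACL(?![\w-])")),
    (4, "running-config", re.compile(r"^\s*service-policy ICMP-POLICY(?![\w-])")),
]

def leftover_test_config(running_config, show_debug):
    """Return (step, source, line) for each line the four steps should have removed."""
    sources = {"running-config": running_config, "show debug": show_debug}
    findings = []
    for step, source, pattern in CHECKS:
        for line in sources[source].splitlines():
            if pattern.search(line):
                findings.append((step, source, line.strip()))
    return findings

# Constructed sample output, not captured from a real device.
DIRTY_CONFIG = """\
access-list ICMPACL extended permit icmp any any
access-list ICMPACL-PROD extended permit icmp host 192.0.2.10 any
logging enable
access-group ICMPACL in interface outside
service-policy ICMP-POLICY global
"""
DIRTY_DEBUG = "debug icmp trace enabled at level 1\n"

CLEAN_CONFIG = """\
access-list ICMPACL-PROD extended permit icmp host 192.0.2.10 any
access-group ICMPACL-PROD in interface outside
service-policy global_policy global
"""
CLEAN_DEBUG = ""

if __name__ == "__main__":
    for step, source, line in leftover_test_config(DIRTY_CONFIG, DIRTY_DEBUG):
        print(f"step {step} not applied ({source}): {line}")
```

If logging is meant to stay enabled in production, treat a step 2 finding as informational rather than as a leftover.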
