Cisco ASA 5506-X Configuration Manual page 293

Chapter 13 Troubleshooting Connections and Resources
Testing Your Configuration
hostname(config)# debug icmp trace
hostname(config)# logging monitor debug
hostname(config)# terminal monitor
hostname(config)# logging enable
With this configuration, you would see something like the following for a successful ping from an
external host (209.165.201.2) to the ASA outside interface (209.165.201.1):
hostname(config)# debug icmp trace
Inbound ICMP echo reply (len 32 id 1 seq 256) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 512) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 512) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 768) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 768) 209.165.201.1 > 209.165.201.2
Outbound ICMP echo request (len 32 id 1 seq 1024) 209.165.201.2 > 209.165.201.1
Inbound ICMP echo reply (len 32 id 1 seq 1024) 209.165.201.1 > 209.165.201.2
The output shows the ICMP packet length (32 bytes), the ICMP packet identifier (1), and the ICMP
sequence number (the ICMP sequence number starts at 0, and is incremented each time that a request is
sent).
When you are finished testing, disable debugging. Leaving the configuration in place can pose
performance and security risks. If you enabled logging just for testing, you can disable it also.
hostname(config)# no debug icmp trace
hostname(config)# no logging monitor debug
hostname(config)# terminal no monitor
hostname(config)# no logging enable
Procedure
Draw a diagram of your single-mode ASA or security context that shows the interface names, security
Step 1
levels, and IP addresses. The diagram should also include any directly connected routers and a host on
the other side of the router from which you will ping the ASA.
Cisco ASA Series Firewall CLI Configuration Guide
13-5