
Cisco ASA 5506-X Configuration Manual page 297


Chapter 13
Troubleshooting Connections and Resources
The global keyword applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
Step 5
Increase the rate limit on ICMP Unreachable messages so that the ASA will appear on traceroute output.
icmp unreachable rate-limit rate burst-size size
Example:
hostname(config)# icmp unreachable rate-limit 50 burst-size 1
The rate limit can be 1-100, with 1 being the default. The burst size is meaningless, but must be 1-10.
Example
The following example decrements TTL for all traffic globally and increases the ICMP unreachable rate limit to 50.
hostname(config)# class-map global-policy
hostname(config-cmap)# match any
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class global-policy
hostname(config-pmap-c)# set connection decrement-ttl
hostname(config-pmap-c)# exit
hostname(config)# icmp unreachable rate-limit 50 burst-size 6
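
The following added example (not from the Cisco guide) audits an offline copy of an ASA configuration for the two settings above: whether a policy map that sets decrement-ttl is actually applied, and whether the ICMP unreachable rate limit is within the stated ranges and raised above its default. The function name, the one-space-indented running-config layout and the service-policy line in the constructed sample are assumptions; that line is not part of the example above.

```python
import re

def audit_traceroute_visibility(running_config):
    """Check the TTL-decrement and ICMP unreachable settings in an ASA config dump."""
    ttl_maps, applied = set(), []   # maps with decrement-ttl; (map, scope) pairs
    rate, burst = 1, 1              # page: the rate limit defaults to 1
    current_map = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if raw.startswith("policy-map "):
            current_map = line.split()[-1]
        elif raw and not raw[0].isspace():
            current_map = None      # any other top-level command ends the block
        if current_map and line == "set connection decrement-ttl":
            ttl_maps.add(current_map)
        m = re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line)
        if m:
            applied.append((m.group(1), m.group(2)))
        m = re.fullmatch(r"icmp unreachable rate-limit (\d+) burst-size (\d+)", line)
        if m:
            rate, burst = int(m.group(1)), int(m.group(2))

    findings = []
    scopes = [scope for name, scope in applied if name in ttl_maps]
    if not scopes:
        findings.append("decrement-ttl is not in any applied policy map")
    if sum(1 for _, scope in applied if scope == "global") > 1:
        findings.append("more than one global service-policy")
    if not (1 <= rate <= 100 and 1 <= burst <= 10):
        findings.append(f"rate-limit {rate} / burst-size {burst} out of range")
    elif rate == 1:
        findings.append("ICMP unreachable rate-limit is still at the default of 1")
    return {"ttl_scopes": scopes, "rate": rate, "findings": findings}

# Constructed sample: the page's example plus an assumed service-policy line.
SAMPLE = """\
class-map global-policy
 match any
policy-map global_policy
 class global-policy
  set connection decrement-ttl
service-policy global_policy global
icmp unreachable rate-limit 50 burst-size 6
"""

if __name__ == "__main__":
    print(audit_traceroute_visibility(SAMPLE))
```

An empty findings list with a non-empty ttl_scopes means both settings are in effect, so the firewall is expected to show up as a hop; treat that as a deliberate exposure decision to review per interface.
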
Determine Packet Routes
Use Traceroute to help you to determine the route that packets will take to their destination. A traceroute
works by sending UDP packets to a destination on an invalid port. Because the port is not valid, the
routers along the way to the destination respond with an ICMP Time Exceeded Message, and report that
error to the ASA.
The traceroute shows the result of each probe sent. Every line of output corresponds to a TTL value in
increasing order. The following table explains the output symbols.
Output Symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N.             ICMP network unreachable.
!H              ICMP host unreachable.
!P              ICMP unreachable.
!A              ICMP administratively prohibited.
?               Unknown ICMP error.
Cisco ASA Series Firewall CLI Configuration Guide
Testing Your Configuration
13-9
