
Cisco ASA 5506-X Configuration Manual page 298


Testing Your Configuration
Procedure
Step 1
Trace the route to a destination.
traceroute {destination_ip | hostname} [source {source_ip | source-interface}] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Normally, you simply include the destination IP address or hostname, such as traceroute www.example.com. However, you can adjust the characteristics of the trace if desired:
source {source_ip | source-interface}—Specifies the interface to use as the source of the trace. You can specify the interface by name or by IP address. In transparent mode, you must use the management address.
numeric—Indicates that only the IP addresses should be shown in the trace route. Without this keyword, the trace route does DNS lookups for addresses and includes DNS names, assuming that you configure DNS.
timeout timeout_value—How long to wait for a response before timing out. The default is 3 seconds.
probe probe_num—How many probes to send at each TTL level. The default is 3.
ttl min_ttl max_ttl—The minimum and maximum time-to-live values for the probes. The minimum default is one, but you can set it to a higher value to suppress the display of known hops. The maximum default is 30. The traceroute terminates when the packet reaches the destination or when the maximum value is reached.
port port_value—The UDP port to use. The default is 33434.
use-icmp—Send ICMP packets instead of UDP packets for probes.

Example
hostname# traceroute 209.165.200.225
Type escape sequence to abort.
Tracing the route to 209.165.200.225
1 10.83.194.1 0 msec 10 msec 0 msec
2 10.83.193.65 0 msec 0 msec 0 msec
3 10.88.193.101 0 msec 10 msec 0 msec
4 10.88.193.97 0 msec 0 msec 10 msec
5 10.88.239.9 0 msec 10 msec 0 msec
6 10.88.238.65 10 msec 10 msec 0 msec
7 172.16.7.221 70 msec 70 msec 80 msec
8 209.165.200.225 70 msec 70 msec 70 msec

Tracing Packets to Test Policy Configuration
You can test your policy configuration by modeling a packet based on source and destination addressing and protocol characteristics. The trace does policy lookup to test access rules, NAT, routing, and so forth, to see if the packet would be permitted or denied.
By testing packets this way, you can see the results of your policies and test whether the types of traffic you want to allow or deny are handled as desired. Besides verifying your configuration, you can use the tracer to debug unexpected behavior, such as packets being denied when they should be allowed.

Cisco ASA Series Firewall CLI Configuration Guide
13-10
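When you compare many saved traces, the traceroute output from Step 1 can be read by a script instead of by eye. The Python below is an added example, not part of the Cisco guide: it parses hop lines in the format shown in the traceroute example and reports the hop where the best-case round-trip time rises the most. The function names are hypothetical, and treating "*" as a probe that got no reply before the timeout is an assumption about output the example does not show.

```python
import re

# Sample input: the traceroute output from the example in Step 1.
SAMPLE = """\
Tracing the route to 209.165.200.225
1 10.83.194.1 0 msec 10 msec 0 msec
2 10.83.193.65 0 msec 0 msec 0 msec
3 10.88.193.101 0 msec 10 msec 0 msec
4 10.88.193.97 0 msec 0 msec 10 msec
5 10.88.239.9 0 msec 10 msec 0 msec
6 10.88.238.65 10 msec 10 msec 0 msec
7 172.16.7.221 70 msec 70 msec 80 msec
8 209.165.200.225 70 msec 70 msec 70 msec
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")
ADDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RTT_RE = re.compile(r"(\d+) msec")

def parse_hops(text):
    """Return one dict per hop line: ttl, addr, rtts (msec), lost probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # prompt, banner, or blank line
        rest = m.group(2)
        addr = ADDR_RE.search(rest)
        hops.append({
            "ttl": int(m.group(1)),
            "addr": addr.group(0) if addr else None,
            "rtts": [int(v) for v in RTT_RE.findall(rest)],
            "lost": rest.count("*"),  # assumed marker: no reply before timeout
        })
    return hops

def largest_jump(hops):
    """Return (ttl, addr, delta_msec) for the biggest rise in best-case RTT."""
    best, prev = None, 0
    for hop in hops:
        if not hop["rtts"]:
            continue  # silent hop: no timing to compare
        low = min(hop["rtts"])  # minimum is least affected by slow replies
        if best is None or low - prev > best[2]:
            best = (hop["ttl"], hop["addr"], low - prev)
        prev = low
    return best

if __name__ == "__main__":
    print(largest_jump(parse_hops(SAMPLE)))
```

For the sample trace, the result points at hop 7, where the round-trip time goes from 0-10 msec to 70 msec.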
Chapter 13
Troubleshooting Connections and Resources
