Home » Security » [Solved] How to Troubleshoot connectivity/VPN on the Cisco ASA Firewall

[Solved] How to Troubleshoot connectivity/VPN on the Cisco ASA Firewall

ICMP is a useful in many cases to troubleshoot connectivity – Cisco ASA has a build in packet-tracer to help you alleviate the issue below is the command that is used to simulate ICMP connectivity test thru the Cisco ASA firewall – In the below screenshot we are going to ping from the inside interface

In the below screenshot – you can see the inside IP address and outside interface

  1. 0 is the ICMP code fro Echo Reply
  2. 8 is the ICMP code Echo



The above command will generate the output in the below screenshot

  1. Phase 1 does the route lookup for the packet based on the destination address and you can see it chose the default route
  2. Phase 2 checks to see if the packet is eligible for NAT – you can see that it is dynamically translated to the global IP – phase 3 and Phase 4 are not matched  so they are allowed
  3. There is nothing in Phase 5 for IP inspect rule either
  4. Also passes the phase 6 for flow creations
  5.  The end result is to allow the packet




One thing I have ran into in the past the when you are troubleshooting VPN’s and running the packet tracer shows the results as “DROP” this could be an ACL issue on the other side so make sure the other side configured correctly since this makes you think that the issue is on your side



Once the tunnel has been established then you can run “sh crypto ipsec sa” the following command to make sure packets are encrypting and decrypting on both sides

you can see that packet count is 14 on both sides

Leave a Reply

Your email address will not be published. Required fields are marked *