ICMP is useful in many cases to troubleshoot connectivity. Cisco ASA has a built-in packet-tracer to help you narrow down the issue; below is the command that is used to simulate an ICMP connectivity test through the Cisco ASA firewall. In the screenshot below we are going to ping 4.2.2.2 from the inside interface.
In the screenshot below you can see the inside IP address and the outside interface.
- 0 is the ICMP code for Echo Reply
- 8 is the ICMP code for Echo
The above command generates the output in the screenshot below:
- Phase 1 does the route lookup for the packet based on the destination address; you can see it chose the default route
- Phase 2 checks whether the packet is eligible for NAT; you can see that it is dynamically translated to the global IP. Phases 3 and 4 are not matched, so the packet is allowed through them
- There is nothing in Phase 5 for the IP inspect rule either
- It also passes Phase 6, flow creation
- The end result is that the packet is allowed
One thing I have run into in the past: when you are troubleshooting VPNs and running packet-tracer shows the result as "DROP", this could be an ACL issue on the other side, so make sure the other side is configured correctly, since this output makes you think the issue is on your side.
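To make the phase walkthrough above easier to read on a long trace, and to get straight to the phase that denied the packet when the result is DROP, here is an added example (not from the original post) that parses packet-tracer output into the per-phase results, the final action and the Drop-reason. The trace it runs on is constructed: the addresses are made up and an ACL drop is inserted in phase 3 for illustration.

```python
import re

# Constructed sample of "packet-tracer" output (not from the original post):
# phase types follow the phases the post walks through; the DROP in the
# access-list phase and all addresses are made up for illustration.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: NAT
Subtype:
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One phase block: "Phase: N", "Type: X", optional "Subtype: ...", "Result: R".
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S*)\n(?:Subtype:.*\n)?Result: (\w+)", re.M)


def parse_trace(text):
    """Return ([(phase, type, result), ...], final action, drop reason or None)."""
    phases = [(int(n), typ, res) for n, typ, res in PHASE_RE.findall(text)]
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return (phases,
            action.group(1) if action else None,
            reason.group(1).strip() if reason else None)


def dropping_phase(text):
    """Return (phase number, type) of the first phase with Result DROP, else None."""
    for num, typ, res in parse_trace(text)[0]:
        if res == "DROP":
            return num, typ
    return None
```

Paste a real trace into the string in place of the sample to see which phase (ACL, NAT, route lookup) is the one reporting DROP before you start changing configuration on either side.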
Once the tunnel has been established, you can run the following command, "sh crypto ipsec sa", to make sure packets are being encrypted and decrypted on both sides.
You can see that the packet count is 14 on both sides.