Troubleshoot ASA using CLI commands

This section discusses some of the important commands you may want to use to troubleshoot the ASA and test basic connectivity. See CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide to learn about other troubleshooting scenarios and CLI commands. In the 'System Administration' section, navigate to the 'Testing and Troubleshooting' chapter.

You can use the Security Cloud Control CLI interface available for each ASA device to execute these commands. See Using the Security Cloud Control Command Line Interface to learn about how to use the CLI interface in Security Cloud Control.

NAT Policy Settings

Some of the important commands to determine the NAT settings are as follows:

  • To determine NAT policy statistics, use show nat.

  • To determine the NAT pools, including the addresses and ports allocated, and how many times they were allocated, use show nat pool.

For more commands related to NAT, see CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, and navigate to the 'Network Address Translation (NAT)' chapter.

Test Basic Connectivity: Pinging Addresses

You can ping the ASA device using the ping <IP address> command using the ASA CLI interface. To learn about

Display the Routing Table

Use the show route command to view the entries in the routing table.

ciscoasa# show route

Example output for a routing table of an ASA:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route, + - replicated route

SI - Static InterVRF

Gateway of last resort is 192.168.0.254 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.254, management

C 10.0.0.0 255.0.0.0 is directly connected, Outside

L 10.10.10.1 255.255.255.255 is directly connected, Outside

C 192.168.0.0 255.255.255.0 is directly connected, management

L 192.168.0.118 255.255.255.255 is directly connected, management

Monitor Switch Ports

  • show interface

    Displays interface statistics.

  • show interface ip brief

    Displays interface IP addresses and status.

  • show arp

Shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds.

Example output of ARP entries:

management 10.10.32.129 0050.568a.977b 0

management 10.10.32.136 0050.568a.5387 21

LANFAIL 20.20.21.1 0050.568a.4d70 96

outsi 10.10.16.6 0050.568a.e6d3 3881

outsi 10.10.16.1 0050.568a.977b 5551