Troubleshoot ASA using CLI commands
This section discusses some of the important commands you may want to use to troubleshoot the ASA and test basic connectivity. See CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide to learn about other troubleshooting scenarios and CLI commands. In the 'System Administration' section, navigate to the 'Testing and Troubleshooting' chapter.
You can use the Security Cloud Control CLI interface available for each ASA device to execute these commands. See Using the Security Cloud Control Command Line Interface to learn about how to use the CLI interface in Security Cloud Control.
NAT Policy Settings
Some of the important commands to determine the NAT settings are as follows:
- To determine NAT policy statistics, use show nat.
- To determine the NAT pools, including the addresses and ports allocated, and how many times they were allocated, use show nat pool.
For more commands related to NAT, see CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, and navigate to the 'Network Address Translation (NAT)' chapter.
Test Basic Connectivity: Pinging Addresses
You can ping the ASA device with the ping <IP address> command from the ASA CLI interface. To learn about
Display the Routing Table
Use the show route command to view the entries in the routing table.
ciscoasa# show route
Example output for a routing table of an ASA:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 192.168.0.254 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.0.254, management
C 10.0.0.0 255.0.0.0 is directly connected, Outside
L 10.10.10.1 255.255.255.255 is directly connected, Outside
C 192.168.0.0 255.255.255.0 is directly connected, management
L 192.168.0.118 255.255.255.255 is directly connected, management
Monitor Switch Ports
- show interface
  Displays interface statistics.
- show interface ip brief
  Displays interface IP addresses and status.
- show arp
  Shows dynamic, static, and proxy ARP entries. Dynamic ARP entries include the age of the ARP entry in seconds.
Example output of ARP entries:
management 10.10.32.129 0050.568a.977b 0
management 10.10.32.136 0050.568a.5387 21
LANFAIL 20.20.21.1 0050.568a.4d70 96
outsi 10.10.16.6 0050.568a.e6d3 3881
outsi 10.10.16.1 0050.568a.977b 5551
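The following Python code is an added example, not part of the Cisco documentation. It parses show arp output in the format shown above and reports any MAC address that answers for more than one IP address, and any IP address claimed by more than one MAC address, two conditions worth reviewing while troubleshooting. The sample input is the ARP output above; the function names and the treatment of a non-numeric age as "no age" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the ARP entries shown in the example output on this page.
SAMPLE = """\
management 10.10.32.129 0050.568a.977b 0
management 10.10.32.136 0050.568a.5387 21
LANFAIL 20.20.21.1 0050.568a.4d70 96
outsi 10.10.16.6 0050.568a.e6d3 3881
outsi 10.10.16.1 0050.568a.977b 5551
"""

# interface, IPv4 address, MAC in xxxx.xxxx.xxxx form, optional age column
LINE = re.compile(
    r"^\s*(?P<ifc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})(?:\s+(?P<age>\S+))?\s*$"
)

def parse_arp(text):
    """Return one dict per ARP line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        age = m.group("age")
        entries.append({
            "ifc": m.group("ifc"), "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            # Assumption: a missing or non-numeric age means no age is reported.
            "age": int(age) if age and age.isdigit() else None,
        })
    return entries

def macs_with_multiple_ips(entries):
    """Map each MAC seen with more than one IP to its sorted (interface, ip) pairs."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["mac"]].add((e["ifc"], e["ip"]))
    return {mac: sorted(p) for mac, p in seen.items() if len({ip for _, ip in p}) > 1}

def ips_with_multiple_macs(entries):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["ip"]].add(e["mac"])
    return {ip: sorted(m) for ip, m in seen.items() if len(m) > 1}

if __name__ == "__main__":
    print(macs_with_multiple_ips(parse_arp(SAMPLE)))
```

On the sample, 0050.568a.977b is reported because it appears for 10.10.32.129 on management and for 10.10.16.1 on outsi; a multi-homed host or router can legitimately produce this, so treat it as a prompt to check rather than a verdict.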