Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Troubleshooting Connections and Resources
Testing Your Configuration
The global keyword applies the policy map to all interfaces, and interface applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
Step 5
Increase the rate limit on ICMP Unreachable messages so that the ASA will appear on traceroute output.
icmp unreachable rate-limit rate burst-size size
Example
hostname(config)# icmp unreachable rate-limit 50 burst-size 1
The rate limit can be 1-100, with 1 being the default. The burst size is meaningless, but must be 1-10.
Example
The following example decrements TTL for all traffic globally and increases the ICMP unreachable limit
to 50.
hostname(config)# class-map global-policy
hostname(config-cmap)# match any
hostname(config-cmap)# exit
hostname(config)# policy-map global_policy
hostname(config-pmap)# class global-policy
hostname(config-pmap-c)# set connection decrement-ttl
hostname(config-pmap-c)# exit
hostname(config)# icmp unreachable rate-limit 50 burst-size 6
Determine Packet Routes
Use Traceroute to help you to determine the route that packets will take to their destination. A traceroute
works by sending UDP packets to a destination on an invalid port. Because the port is not valid, the
routers along the way to the destination respond with an ICMP Time Exceeded Message, and report that
error to the ASA.
The traceroute shows the result of each probe sent. Every line of output corresponds to a TTL value in
increasing order. The following table explains the output symbols.
Output Symbol   Description
*               No response was received for the probe within the timeout period.
nn msec         For each node, the round-trip time (in milliseconds) for the specified number of probes.
!N.             ICMP network unreachable.
!H              ICMP host unreachable.
!P              ICMP unreachable.
!A              ICMP administratively prohibited.
?               Unknown ICMP error.
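The following Python sketch is an added example, not part of the Cisco guide: it parses traceroute output and reports each hop that returned no round-trip time, using the meanings from the output-symbol table above. The line layout (TTL, optional address, then probe results) and the sample output are assumptions constructed for illustration.

```python
import re

# Meanings copied from the output-symbol table above; "!N." is matched without its trailing dot.
SYMBOLS = {
    "*": "no response within timeout",
    "!N": "ICMP network unreachable",
    "!H": "ICMP host unreachable",
    "!P": "ICMP unreachable",
    "!A": "ICMP administratively prohibited",
    "?": "unknown ICMP error",
}
ADDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_hop(line):
    """Parse one hop line; assumed layout: <ttl> [address] <probe results...>."""
    tokens = line.split()
    hop = {"ttl": int(tokens[0]), "address": None, "rtts_ms": [], "events": []}
    rest = tokens[1:]
    if rest and ADDR.match(rest[0]):
        hop["address"] = rest.pop(0)
    i = 0
    while i < len(rest):
        # "nn msec" is a two-token round-trip time; anything else is a symbol.
        if rest[i].isdigit() and rest[i + 1:i + 2] == ["msec"]:
            hop["rtts_ms"].append(int(rest[i]))
            i += 2
        else:
            hop["events"].append(SYMBOLS.get(rest[i].rstrip("."), "unrecognized: " + rest[i]))
            i += 1
    return hop

def summarize(output):
    """Return (hops, findings); a finding is a hop that produced no round-trip time."""
    hops = [parse_hop(l) for l in output.splitlines() if l.strip()[:1].isdigit()]
    findings = [(h["ttl"], sorted(set(h["events"]))) for h in hops if not h["rtts_ms"]]
    return hops, findings

# Constructed sample output (documentation addresses), not captured from a device.
SAMPLE = """\
 1  192.0.2.1  0 msec 10 msec 0 msec
 2  * * *
 3  198.51.100.7  10 msec 10 msec 20 msec
 4  203.0.113.9  !A * !A
"""

if __name__ == "__main__":
    for ttl, events in summarize(SAMPLE)[1]:
        print(f"TTL {ttl}: {', '.join(events)}")
```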