ping [ip]
Tests basic network connectivity from the ASA to a remote host using ICMP echo requests.
Overview
The ping command on Cisco ASA Firewall is a fundamental diagnostic tool used to verify IP-level connectivity between the ASA and another network device. It sends ICMP Echo Request packets to a specified destination IP address and waits for ICMP Echo Reply packets. The command is executed in Privileged EXEC mode and is essential for troubleshooting network reachability, routing issues, and firewall rule misconfigurations.
On the ASA, the ping command supports several optional parameters to customize the test: repeat count (number of packets), timeout (seconds to wait for a reply), data pattern (hexadecimal pattern for the payload), size (packet size in bytes), source (source IP address or interface), validate (enable reply validation), and df-bit (set the Don't Fragment bit). Unlike Cisco IOS routers, the ASA's ping command uses keyword-based syntax rather than a prompted interactive mode. The ASA can ping through VPN tunnels if the traffic matches the crypto access list and the tunnel is active. It is important to note that the ASA's ICMP inspection engine may affect ping behavior; by default, ICMP inspection is enabled and allows return traffic. However, if ICMP inspection is disabled, the ASA may not properly forward ping replies, leading to false negatives.
The ping command is often the first step in a troubleshooting workflow: after verifying interface status and routing, a ping confirms Layer 3 connectivity. If ping fails, the next steps include checking ACLs, NAT rules, routing tables, and VPN status. The ASA also supports extended ping with more options, but the basic ping is sufficient for most scenarios. Understanding how to interpret ping output is crucial for network engineers, especially in security-focused environments where ICMP may be restricted.
ping [ip] [repeat count] [timeout seconds] [data hex-pattern] [size bytes] [source ip] [validate] [df-bit]
When to Use This Command
- Verify connectivity to a next-hop router or upstream firewall after configuring a static route.
- Test reachability to an internal server from the ASA to confirm routing and ACLs permit traffic.
- Diagnose asymmetric routing issues by pinging with a specific source interface IP.
- Validate that a VPN tunnel is up by pinging a remote private IP address across the tunnel.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| ip | ip-address | The destination IPv4 address to ping. This is the only required parameter. |
| repeat | repeat count | Number of ICMP echo requests to send. Default is 5. Range is 1 to 2147483647. |
| timeout | timeout seconds | Time in seconds to wait for each reply. Default is 2. Range is 1 to 65535. |
| size | size bytes | Size of the ICMP packet payload in bytes. Default is 100. Range is 36 to 18024. |
| source | source ip-address | Source IP address to use for the ping. Useful for testing specific interface connectivity. |
| validate | validate | Enables validation of the reply data. The ASA checks that the reply matches the sent data pattern. |
| df-bit | df-bit | Sets the Don't Fragment bit in the IP header. Used to test Path MTU discovery. |
| data | data hex-pattern | Hexadecimal pattern for the ICMP payload. Default is 0xABCD. Useful for testing data integrity. |
Command Examples
Basic ping to a remote host
ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/15 ms
The ASA sends five ICMP echo requests. Each '!' indicates a successful reply. The summary shows 100% success with round-trip times.
Ping with extended parameters
ping 10.1.1.1 repeat 10 timeout 5 size 1500 source 192.168.1.1
Type escape sequence to abort.
Sending 10, 1500-byte ICMP Echos to 10.1.1.1, timeout is 5 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/25/30 ms
Sends 10 large packets (1500 bytes) from source IP 192.168.1.1 with a 5-second timeout. All replies received, indicating good MTU handling.
Understanding the Output
The ping output begins with a warning that you can abort with the escape sequence (Ctrl+^ then X). It then displays the number of packets sent, packet size, destination IP, and timeout value. Each '.' indicates a timeout (no reply), while each '!' indicates a successful reply. The summary line shows the success rate as a percentage and the round-trip time statistics: minimum, average, and maximum in milliseconds. A 100% success rate with low RTT indicates healthy connectivity. Partial success (e.g., 3/5) suggests intermittent issues, and 0% indicates a complete failure. High RTT values may indicate congestion or long path length. If you see 'U' (destination unreachable) or 'Q' (source quench), those indicate specific ICMP error messages.
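As an added example (not from the original page or from Cisco), the following Python parser applies the reading rules above to a captured transcript: it counts the result characters, cross-checks them against the summary line, and returns a diagnosis code. The function name, the diagnosis codes, the `baseline_avg_ms` and `rtt_factor` parameters and the second transcript are assumptions made for illustration; '?' is also accepted as a lost reply, which is an assumption this page does not state.

```python
import re
from collections import Counter

# Result characters as this page describes them. '?' is an added assumption:
# it is treated as a lost reply as well, which the page does not state.
MARKS = {"!": "reply", ".": "timeout", "?": "timeout",
         "U": "unreachable", "Q": "source_quench"}
HEADER = re.compile(r"Sending (\d+), (\d+)-byte ICMP Echos to ([\d.]+), timeout is (\d+) seconds")
SUMMARY = re.compile(r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
                     r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?")

def parse_ping(text, baseline_avg_ms=None, rtt_factor=2.0):
    """Parse one ping transcript; return counts, average RTT and a diagnosis code."""
    header, summary = HEADER.search(text), SUMMARY.search(text)
    if not header or not summary:
        raise ValueError("not recognisable ping output")
    # The result line is the only line made up solely of result characters.
    lines = [ln.strip() for ln in text.splitlines()]
    marks = next((ln for ln in lines if ln and set(ln) <= set(MARKS)), "")
    counts = Counter(MARKS[ch] for ch in marks)
    received, sent = int(summary.group(2)), int(summary.group(3))
    avg = int(summary.group(5)) if summary.group(5) else None
    if received == sent:
        slow = (baseline_avg_ms is not None and avg is not None
                and avg > baseline_avg_ms * rtt_factor)
        diagnosis = "degraded_rtt" if slow else "healthy"
    elif received > 0:
        diagnosis = "intermittent"
    elif counts["unreachable"]:
        diagnosis = "unreachable"  # next: ACLs and routing on intermediate devices
    else:
        diagnosis = "timeout"      # destination down, or ICMP dropped by a firewall
    return {
        "destination": header.group(3),
        "sent": sent, "received": received, "counts": counts, "avg_ms": avg,
        # False means the result characters disagree with the summary line,
        # for example because the capture was truncated.
        "consistent": len(marks) == sent and counts["reply"] == received,
        "diagnosis": diagnosis,
    }

# The first transcript is the basic example from this page; the second is constructed.
OK_OUTPUT = """Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/15 ms"""
FAIL_OUTPUT = """Sending 3, 100-byte ICMP Echos to 10.2.0.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)"""
```

Passing a documented baseline average as `baseline_avg_ms` turns a 100 percent result into `degraded_rtt` when the measured average exceeds the baseline by more than `rtt_factor`.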
Configuration Scenarios
Testing connectivity through a VPN tunnel
An ASA is configured with a site-to-site VPN to a remote office. You need to verify that the remote subnet (10.2.0.0/16) is reachable.
Topology
ASA1 (outside) --- Internet --- ASA2 (outside)
ASA1 inside: 192.168.1.0/24
ASA2 inside: 10.2.0.0/16
Steps
1. Ensure the VPN tunnel is active (show crypto ipsec sa).
2. Ping the remote host from the ASA using the inside interface as source.
3. Interpret the output.
! On ASA1, the crypto ACL permits traffic from 192.168.1.0/24 to 10.2.0.0/16
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.0.0
Verify: ping 10.2.0.1 source 192.168.1.1 repeat 3
Watch out: The ping must use a source IP that matches the crypto ACL; otherwise, the packet will not be encrypted and will be dropped.
Troubleshooting with This Command
When troubleshooting connectivity issues on a Cisco ASA, the ping command is your first line of defense. Start by pinging the default gateway of the ASA to verify basic IP stack functionality. If that fails, check interface status and IP configuration. Next, ping a known external host (e.g., 8.8.8.8) to test Internet connectivity. If that fails, examine the default route and NAT rules. If ping succeeds but application traffic fails, consider that ICMP might be permitted while other protocols are blocked.
Use extended ping parameters to isolate issues: set the source IP to match a specific interface to test routing asymmetry, use the df-bit to test MTU issues, or increase the packet size to stress the path. When pinging through a VPN, ensure the source IP is within the encryption domain; otherwise, the packet will be sent in clear. If you see 'U' (unreachable) in the output, check ACLs and routing on intermediate devices. If you see '.' (timeout), the destination may be down, or a firewall is dropping ICMP.
Remember that the ASA itself may block ICMP if 'icmp deny any' is configured on an interface. Use 'show icmp' to verify ICMP inspection status. For persistent issues, combine ping with traceroute to map the path. The ASA's ping command is stateless; it does not affect the connection table. However, ICMP inspection can create temporary connections for return traffic. If you suspect inspection issues, disable ICMP inspection temporarily with 'no fixup protocol icmp' (though not recommended in production). Always document baseline RTT values for critical paths to quickly identify degradation.
CCNA Exam Tips
Remember that the ASA uses a different ping syntax than IOS; the 'repeat' and 'timeout' keywords are used instead of just numbers.
Know that the ASA can ping through a VPN tunnel only if the traffic is permitted by the crypto ACL and the tunnel is active.
Be aware that ICMP inspection must be enabled for the ASA to properly handle ping replies through an interface.
Common Mistakes
Forgetting to specify the source interface or IP when multiple paths exist, leading to misleading results.
Assuming ping failure means the destination is down; it could be blocked by an ACL or ICMP inspection.
Using too large a packet size without considering MTU, causing fragmentation or drops.
Platform Notes
The Cisco ASA ping command differs from Cisco IOS in several ways. On IOS, ping is interactive and prompts for parameters; on ASA, parameters are specified as keywords on the command line. The ASA does not support the 'extended ping' interactive mode; all options must be entered inline. The ASA also lacks the 'ping ip' option; it only supports IPv4 ping. For IPv6, use 'ping ipv6'. The ASA's ping output is similar to IOS but does not include the 'Type escape sequence' line on some versions. Both the ASA and IOS support a maximum packet size of 18024 bytes. The 'validate' option is unique to ASA and checks reply data integrity. On ASA, the 'repeat' count can be very high (up to 2^31-1), useful for stress testing. In terms of behavior, the ASA's ICMP inspection is enabled by default, which allows return traffic; on IOS, this is handled by the stateful firewall if configured.
For equivalent commands on other platforms: on Juniper SRX, use 'ping <ip> count <n>'; on Palo Alto, use 'ping host <ip>'. The ASA's ping command has remained consistent across versions, but newer models (ASA 5500-X, Firepower) may have slight differences in output formatting. Always refer to the specific version documentation.