Cisco ASA Using PING TCP

Cisco ASA Using PING TCP

Problem

On a Cisco ASA you can specify which interface to launch a ‘ping’ from, but that’s it. However sometimes in troubleshooting you may find yourself with access to all remote assets to triangulate issues full or to properly initiate ‘interesting traffic.

We can use TCP PING in an interactive manner with a variety of parameters.

Note: You need ASA version 8.4(1) or above to use ‘tcp ping’.

Solution

What's TCP Ping? Well it uses TCP and sends SYN packets to the other end, and waits for the ACK packets to come back, thus testing communication.

Warning: You need to know what ports are open on the other side, the default is port 80 so if there's no web server running on the other end, it wont reply. So TCP port 445 would be good for a windows machine, or TCP 3389 (RDP) if it’s a server with RDP enabled! Or TCP 22 if it’s Linux box with SSH enabled.

How does this help me bring up a VPN tunnel? Well it sends TCP SYN traffic from and to the IP addresses you should have in your VPN cryptomap, so the tunnel will try and establish, (assuming you configured both ends correctly!)

Here I’m using TCP53 (DNS,) as I know the server is a Windows DNS Server.

ASA# ping tcp
Interface: inside
Target IP address: 172.16.1.10
Destination port: [80] 53
Specify source? [n]: y
Source IP address: 192.168.200.10
Source port: [0] 1024
Repeat count: [5] {Enter}
Timeout in seconds: [2]{Enter}
Type escape sequence to abort.
Sending 5 TCP SYN requests to google port 53
from 192.168.200.10 starting port 1024, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms

VPN is now up.