Did you know that the latest code for the Cisco ASA firewall (8.4) now supports TCP ping? I have earlier complained about the fact that you cannot telnet out from an ASA CLI. You still can't, but at least you can use the TCP ping feature to see if a specific TCP port is reachable. That's awesome!
asa-firewall# ping tcp nat0.net 80
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 94.247.168.200 port 80
from 213.66.135.232, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/14 ms
asa-firewall#
For each exclamation mark above, three packets are generated:
- A SYN packet from the ASA to the destination host.
- A SYN-ACK packet from the destination host back to the ASA.
- A RST packet from the ASA to the destination host.
The `ping tcp` command is a great way to generate outbound TCP traffic to verify reachability to a foreign host!
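The three packets listed above form a half-open handshake (the final ACK is never sent), so on the destination side each probe looks different from an ordinary connection. The following is an added example, not from the original post, that classifies flows from packet records; the records, ports, timings and the 198.51.100.7 client are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (time_s, src, sport, dst, dport, tcp_flags).
# Addresses are the ones in the output above; ports and times are made up.
ASA, WEB = "213.66.135.232", "94.247.168.200"
PACKETS = [
    # One '!' from ping tcp: SYN, SYN-ACK, RST
    (0.000, ASA, 40001, WEB, 80, "S"),
    (0.012, WEB, 80, ASA, 40001, "SA"),
    (0.013, ASA, 40001, WEB, 80, "R"),
    # Ordinary client: handshake completed with an ACK
    (1.000, "198.51.100.7", 51000, WEB, 80, "S"),
    (1.010, WEB, 80, "198.51.100.7", 51000, "SA"),
    (1.020, "198.51.100.7", 51000, WEB, 80, "A"),
    # Closed port: server answers the SYN with RST
    (2.000, ASA, 40002, WEB, 81, "S"),
    (2.011, WEB, 81, ASA, 40002, "RA"),
    # Filtered port: SYN never answered
    (3.000, ASA, 40003, WEB, 82, "S"),
]

def label(events):
    """Classify one flow from its ordered (side, flags) events."""
    seq = [f"{side}:{flags}" for side, flags in events]
    if "server:SA" not in seq:
        refused = any(e.startswith("server:R") for e in seq)
        return "refused" if refused else "no answer"
    after = [e for e in seq[seq.index("server:SA") + 1:] if e.startswith("client:")]
    if after and after[0].startswith("client:R"):
        return "half-open probe"      # SYN, SYN-ACK, RST: handshake never finished
    if after and "A" in after[0]:
        return "full handshake"
    return "incomplete"

def classify_flows(packets):
    """Return {(client, cport, server, sport): label} for flows opened by a SYN."""
    flows = defaultdict(list)
    for _, src, sport, dst, dport, flags in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:
            flows[rev].append(("server", flags))
        elif fwd in flows or flags == "S":
            flows[fwd].append(("client", flags))
    return {key: label(events) for key, events in flows.items()}

if __name__ == "__main__":
    for flow, verdict in classify_flows(PACKETS).items():
        print(flow, verdict)
```

A monitoring rule keyed on the "half-open probe" label will also match the firewall's own reachability tests, so known ASA source addresses are worth accounting for when tuning it.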