Cisco ASA Utility PING TCP

Problem

On a Cisco ASA you can specify which interface to launch a ‘ping’ from, but that’s it. However
sometimes in troubleshooting you may find yourself with access to all remote assets to triangulate
issues full or to properly initiate ‘interesting traffic.

We can use TCP PING in an interactive manner with a variety of parameters.
Note: You need ASA version 8.4(1) or above to use ‘tcp ping’.

Solution

Whats TCP Ping? Well it uses TCP and sends SYN packets to the other end, and waits for the ACK
packets to come back, thus testing communication.

Warning: You need to know what ports are open on the other side, the default is port 80 so if theres
no web server running on the other end, it wont reply. So TCP port 445 would be good for a windows
machine, or TCP 3389 (RDP) if it’s a server with RDP enabled! Or TCP 22 if it’s Linux box with SSH
enabled.

How does this help me bring up a VPN tunnel? Well it sends TCP SYN traffic from and to the IP
addresses you should have in your VPN cryptomap, so the tunnel will try and establish, (assuming
you configured both ends correctly!)

Here I’m using TCP53 (DNS,) as I know the server is a Windows DNS Server.

ASA# ping tcp
Interface: inside
Target IP address: 172.16.1.10
Destination port: [80] 53
Specify source? [n]: y
Source IP address: 192.168.200.10
Source port: [0] 1024
Repeat count: [5] {Enter}
Timeout in seconds: [2]{Enter}
Type escape sequence to abort.
Sending 5 TCP SYN requests to google port 53
from 192.168.200.10 starting port 1024, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms

VPN is now up.