https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3750164#M1013083 <P>Hi,<BR />You can enable disable inspection policy from cli.<BR /><EM><STRONG>&gt; configure inspection icmp disable</STRONG></EM></P> <P>&nbsp;You can also create flex config to disable inspections. Create flex config as below and bind to FTD</P> <P><EM><STRONG>policy-map global_policy</STRONG></EM><BR /><EM><STRONG>&nbsp;class inspection_default</STRONG></EM><BR /><EM><STRONG>&nbsp; no inspect icmp</STRONG></EM></P> <P>&nbsp;</P> <P><SPAN>HTH</SPAN></P> <P><SPAN>Abheesh</SPAN></P> Tue, 20 Nov 2018 17:09:06 GMT Abheesh Kumar 2018-11-20T17:09:06Z https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3749908#M1013082 <P><SPAN>i have fmc with&nbsp;</SPAN><SPAN>Cisco Firepower 2110 ftd , i can browse the internet from inside fine but i cannot ping any outside ip address , i think it is denied in the inspection policy but i cant seem to find it in the fmc? where is the inspection policy in fmc?</SPAN></P> Fri, 21 Feb 2020 16:29:20 GMT https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3749908#M1013082 baselzind 2020-02-21T16:29:20Z https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3750164#M1013083 <P>Hi,<BR />You can enable disable inspection policy from cli.<BR /><EM><STRONG>&gt; configure inspection icmp disable</STRONG></EM></P> <P>&nbsp;You can also create flex config to disable inspections. Create flex config as below and bind to FTD</P> <P><EM><STRONG>policy-map global_policy</STRONG></EM><BR /><EM><STRONG>&nbsp;class inspection_default</STRONG></EM><BR /><EM><STRONG>&nbsp; no inspect icmp</STRONG></EM></P> <P>&nbsp;</P> <P><SPAN>HTH</SPAN></P> <P><SPAN>Abheesh</SPAN></P> Tue, 20 Nov 2018 17:09:06 GMT https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3750164#M1013083 Abheesh Kumar 2018-11-20T17:09:06Z https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752632#M1013084 is "&gt; configure inspection icmp disable" done on ftd or fmc , and if on fmc how do i do it as it isnt accepting it , i think there is pre-commands to be able to insert it as im getting the input in this form "admin@firepower:~$"? Mon, 26 Nov 2018 10:02:06 GMT https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752632#M1013084 baselzind 2018-11-26T10:02:06Z https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752657#M1013085 <P>You need to do it on FTD not FMC.</P> <P>You can also create a rule in ACP to allow ping.</P> <P>&nbsp;</P> <P>HTH</P> <P>Abheesh</P> Mon, 26 Nov 2018 10:37:17 GMT https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752657#M1013085 Abheesh Kumar 2018-11-26T10:37:17Z https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752670#M1013086 <P>You need to "inspect icmp" for ping to work.</P> <P>&nbsp;</P> <P>Otherwise the FTD doesn't keep track of the icmp flows and thus when the icmp echo reply&nbsp;is received&nbsp;it is not recognized as part of an existing flow and is dropped.</P> <P>&nbsp;</P> <P>Note if you want traceroute to work, even more configuration is required. Paul Stewart explains how here:</P> <P>&nbsp;</P> <P><A href="https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/" target="_blank">https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/</A></P> Mon, 26 Nov 2018 11:19:49 GMT https://community.cisco.com/t5/network-security/how-to-edit-fmc-inspection-policy-for-ping/m-p/3752670#M1013086 Marvin Rhoads 2018-11-26T11:19:49Z