topic Re: Traceroute through FTD in Network Security

Traceroute through FTD

Colin Higgins — Fri, 21 Feb 2020 16:44:02 GMT

I am trying to get traceroute to work from my internal network to the Internet through a FTD2110 managed by FMC running 6.2.3 code

I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).

I also added the Flex config statement to decrement the TTL

But this still isn't working. Is this a bug? Unsupported?

Re: Traceroute through FTD

Sheraz.Salim — Thu, 31 Jan 2019 15:25:27 GMT

check link

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71096

Re: Traceroute through FTD

Colin Higgins — Thu, 31 Jan 2019 16:00:12 GMT

Unfortunately, that isn't working either

the GUI doesn't interpret the rule correctly--when you try to add OSPF(89) as a port, it simply defaults to "any"

But that isn't the underlying problem. The issue I am having is that the FTD won't pass the traceroute traffic period--it is dropping the ICMP on the outside interface. I don't even get to the TTL issue

(wishing we were still using the ASA ...)

Re: Traceroute through FTD

Marvin Rhoads — Thu, 31 Jan 2019 16:50:27 GMT

Have you seen the instructions at packetu.com? Paul Stewart does a nice job of walking through the necessary configuration there:

https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/

I have it working like that on several FTD deployments.

Re: Traceroute through FTD

Colin Higgins — Thu, 31 Jan 2019 17:17:14 GMT

yes I did, and verified the configuration in CLI. Everything looks correct.

Re: Traceroute through FTD

Marvin Rhoads — Fri, 01 Feb 2019 17:29:01 GMT

Here's what the relevant bits in an FTD running-config should look like:

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
<snip>
  inspect icmp 
  inspect icmp error 
 class class-default
 <snip>
 set connection decrement-ttl

Can you confirm you have those?

If so, have you tried a packet-tracer diagnostic and what does it show?

Re: Traceroute through FTD

Colin Higgins — Mon, 18 Feb 2019 16:08:27 GMT

i turns out that there was another rule in the access policy that was higher up and causing the problem.

Re: Traceroute through FTD

gcube — Mon, 25 Nov 2019 16:22:57 GMT

Is this supported on FTD 6.5 FDM to enable the FW as a hop on the traceroute?

thanks.

Re: Traceroute through FTD

Marvin Rhoads — Tue, 26 Nov 2019 03:20:52 GMT

Yes. I just confirmed it in my lab.

FDM Decrement TTL

Re: Traceroute through FTD

CiscoBrownBelt — Tue, 18 Jul 2023 19:20:23 GMT

I noticed you can set a ICMP policy for FTD via FMC under Platform settings. Anyways, I tried creating a policy to deny ICMP any in there for Outside interface but it did not work. Is just creating a flex config the best way to deny ICMP on let's say Outside interface?

Re: Traceroute through FTD

Rob Ingram — Tue, 18 Jul 2023 19:37:29 GMT

@CiscoBrownBelt you'd only use flexconfig if configuring a control plane ACL. ICMP "to* to FTD is controlled separately via platform settings. Controlling traffic "through" the FTD is via the ACP rules.

Re: Traceroute through FTD

CiscoBrownBelt — Wed, 19 Jul 2023 12:12:22 GMT

Great thanks again. Thats what I initially tried but it never applied given an error - had to just choose IPv4 networks as source.

Re: Traceroute through FTD

CiscoBrownBelt — Wed, 19 Jul 2023 18:25:11 GMT

If I want to still be able to ping out the interface, you need to still do an allow because an implicit deny is applied to these platform policies correct? If I block code 0 (even tried 8), then add a permit any icmp after it, it does not disable ping replies but does allow pings out.

Re: Traceroute through FTD

Rob Ingram — Wed, 19 Jul 2023 18:32:16 GMT

@CiscoBrownBelt If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/platform_settings_for_firepower_threat_defense.html?bookSearch=true#task_42BBA666CD604517ADA18B32CA162F62

Re: Traceroute through FTD

CiscoBrownBelt — Wed, 19 Jul 2023 19:07:28 GMT

Nevermind looks like in running config the permit any is being processed first as opposed to how I see it in the FMC GUI

Re: Traceroute through FTD

sherali mamatkarimov — Fri, 31 May 2024 11:26:42 GMT

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>

How did you enabled this in FDM can't find?

Re: Traceroute through FTD

Marvin Rhoads — Fri, 31 May 2024 15:56:24 GMT

This can be done in FDM using a Flexconfig object and policy:

Re: Traceroute through FTD

sherali mamatkarimov — Wed, 08 Oct 2025 11:22:45 GMT

That error in FMC

Re: Traceroute through FTD

Marvin Rhoads — Wed, 08 Oct 2025 13:46:21 GMT

@sherali mamatkarimov FMC has included the feature to decrement TTL in the GUI natively since several releases ago. (My post mentioning using flexconfig for FMC was from 2019.) See Advanced Settings for your Access Control Policy and look under Threat Defense Service Policy. You add the ICMP rate limit and burst size settings in the platform policy.