topic Re: How to ping a subinterface on FTD in Network Security

How to ping a subinterface on FTD

cxu21 — Mon, 27 Jan 2025 23:37:36 GMT

We have a 1140 FTD managed by FMC, on the FTD, there is a paricular subinterface that required to be pingable.

We had the rule configured as below but none of the interface is pingable.

Is there anything we missed?

We do not need to ping all subinterface, only 1 is required to be able to ping

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 03:04:24 GMT

From FMC >platform setting >icmp

Allow icmp in interface and specify subnet can ping to this interface

MHM

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 03:49:56 GMT

Thank you for your prompt response.

I assume this is the place you refer to, we already allowed icmp between different zones, but still could not ping.

Re: How to ping a subinterface on FTD

Rob Ingram — Tue, 28 Jan 2025 08:53:12 GMT

@cxu21 the FTD responds to ICMP traffic sent to the interface that traffic comes in on. In other words, if you are connected behind Eth1 you can ping Eth1, but you would not be able to ping through the FTD to ping another of the FTD's interface. That is by design.

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 13:11:42 GMT

can I see how you config platform setting ?

MHM

Re: How to ping a subinterface on FTD

Aref Alsouqi — Tue, 28 Jan 2025 13:50:40 GMT

@Rob Ingram made a very good point. If you are trying to ping or reach an interface of the firewall coming from another that will not be allowed by design and no security rule will work around it. This behaviour was the same on Cisco ASA and it is still the same on the FTDs.

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 21:14:53 GMT

@Rob Ingram The connection looks like below, what I try to do is try to ping from the internal network to the sub-interface on the FTD. I can ping all the hosts in the same subnet behind that sub-interface, but just can not ping the sub-interface ip address.

Re: How to ping a subinterface on FTD

Rob Ingram — Tue, 28 Jan 2025 21:27:38 GMT

@cxu21 so you are trying to ping the FTD sub-interface the internal network is connected to? that should work, perhaps routing issues either on the switch or FTD - check the routing tables. Can the FTD ping the internal network? Take a packet capture and confirm the ping is received by the FTD. Can the internal network ping through the FTD to something on the other side of the FTD?

If you aren't ping the sub-interace that leads to the internal network then it won't work.

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 21:46:27 GMT

I don't see how you config the icmp in platform.

Also are you using trunk between SW and ftd?

MHM

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 22:02:57 GMT

Yes, the connection between switch and FTD is configured as trunk using port channel for HA purpose. Here is the demo of the configuration.

interface Port-channel11
description To Primary
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk

interface GigabitEthernet1/0/24
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk
auto qos trust dscp
channel-group 11 mode active

Here is the icmp configuration screenshot in platform settings

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 22:15:18 GMT

@Rob Ingram I can ping between any hosts behind different subinterface on the FTD from internal network and can ping the internal network from FTD, just can not ping from internal network to the subinterface ip address.

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 22:21:29 GMT

Thanks for sharing more detail

In zone/interface do you see subinterface name or interface name connect to internal? If yes select it.

MHM

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 22:30:17 GMT

I do not see subinterface name in the zone/interface field. I just wonder if I need to configure ARP for that particular subinterface?

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 22:40:19 GMT

No need,

Can İ see from device mgmt >interface

MHM

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 22:50:10 GMT

Here is the subinterface configuration. under IPv4, it selects using static with ip address and under Advanced, enable the anti spoofing, the other are default.

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 22:54:05 GMT

Vlan Id 1 <<- not allow in trunk?

MHM

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 23:03:33 GMT

It is allowed in the trunk

Re: How to ping a subinterface on FTD

MHM Cisco World — Tue, 28 Jan 2025 23:15:23 GMT

Your share config say opposite

interface Port-channel11
description To Primary
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk

interface GigabitEthernet1/0/24
switchport trunk native vlan 99
switchport trunk allowed vlan 3,4,5,6
switchport mode trunk
auto qos trust dscp
channel-group 11 mode active

Re: How to ping a subinterface on FTD

cxu21 — Tue, 28 Jan 2025 23:19:05 GMT

sorry, that is just a demo, the real configuration allowed vlan 1

Re: How to ping a subinterface on FTD

MHM Cisco World — Wed, 29 Jan 2025 10:01:55 GMT

So SW use vlan 99 or vlan 1 as native ?

If it use vlan1 use any unuse other vlan as native in trunk between SW and FPR.

MHM