topic ICMP thru Cisco Firepower - Inside to Outside devices in Network Security

ICMP thru Cisco Firepower - Inside to Outside devices

DSterling — Wed, 12 Feb 2025 19:13:13 GMT

I want to be able to ping from switch 1 thru the inside interface to switch 2 connected to the outside interface and vice versa.

This is a very basic initial setup to check connectivity thru the FW (Firepower 2130). The switches ( Cisco 3750s) are configured with just an IP on the g0/1 interface on SW1 and SW2.

I can ping from the inside FW interface ( 192.168.28.8) to SW1 (192.168.28.2) and from SW1 to the Inside interface.

I can ping from the outside FW interface (192.168.38.8) to SW2 (192.168.38.8) and from SW2 to the outside interface.

I can't ping thru the FW from the inside to SW2 or from the outside to SW1.

FYI: I have static routing setup on the switches see below

SW1: config)# ip route 192.168.38.0 255.255.255.0 192.168.28.8

SW2: config)# ip route 192.168.28.0 255.255.255.0 192.168.38.8

No NAT, it's a very basic setup.

It seems that I should be able to create a policy rule like this (see below) that would allow everything: I applied the below service policy rule:

Source Networks Ports Destination Networks Ports/Protocols
inside any any outside any any
outside inside

No other policy rules are set up.

I still can't ping thru the FW.

I want to be able to icmp/ping from SW1 (192.168.28.2) to SW2 (192.168.38.3) and SW2 to SW1?

It seems like such a simple thing to do, but I haven't been able to get it to work. Does anyone have any ideas?

Thank you,

Dave

Re: ICMP thru Cisco Firepower - Inside to Outside devices

Rob Ingram — Wed, 12 Feb 2025 18:56:05 GMT

@DSterling

@DSterling wrote:

SW1: config)# ip route 192.168.38.0 255.255.255.0 192.168.28.8

SW2: config)# ip route 192.168.38.0 255.255.255.0 192.168.38.8

The static route on SW2 is incorrect, it should be 192.168.28.0 not 38?

SW2: config)# ip route 192.168.28.0 255.255.255.0 192.168.38.8

Re: ICMP thru Cisco Firepower - Inside to Outside devices

DSterling — Wed, 12 Feb 2025 20:05:14 GMT

Rob,

I made a mistake in the question, it is ip route 192.168.28.0 255.255.255.0 192.168.38.8. Thank you for the correction I'll edit the question.

v/r

Dave

Re: ICMP thru Cisco Firepower - Inside to Outside devices

Aref Alsouqi — Thu, 13 Feb 2025 10:26:40 GMT

Please initiate ping from one side to another and do packet capture on both firewall interfaces and paste the capture for review.

Re: ICMP thru Cisco Firepower - Inside to Outside devices

MHM Cisco World — Thu, 13 Feb 2025 10:43:36 GMT

It not FTD issue'

It issue of SW

Config each SW with ""default gateway"" point to interface of ftd.

That it

MHM

Re: ICMP thru Cisco Firepower - Inside to Outside devices

DSterling — Thu, 13 Feb 2025 13:41:46 GMT

Ok, I deleted the policy rule and created another one with allow an IP any any all the way across and now I can ping from switch to switch.

Re: ICMP thru Cisco Firepower - Inside to Outside devices

Aref Alsouqi — Thu, 13 Feb 2025 14:25:56 GMT

Glad to know that all is working as expected now. Out of interest, did you just create the rule in the same exact way? or was the one you removed different from the one you recreated?