https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951664#M23906 <P>Hi guys,</P><P>I am having issues pinging my FTD internal interfaces. I can actually ping WAN interface, no issue there. But for LAN interface packet tracer says "no route". I can ping the hosts inside the LAN. There are no specific ICMP rules in Device Platform Policy on FMC. Any suggestions?</P><P>&nbsp;</P><P>10.50.31.97/27 is my LAN interface.</P><P>&nbsp;</P><P>Trace to host inside LAN:</P><P>&nbsp;</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.97</P><P>Result:<BR />input-interface: WAN<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (no-route) No route to host</P><P>&nbsp;</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.98</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.50.31.98 using egress ifc LAN</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />..etc</P><P>&nbsp;</P><P>Trace to WAN interface:</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.11.39.106</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.11.39.106 using egress ifc identity</P><P>..etc</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Nov 2019 10:24:02 GMT Moon1998 2019-11-01T10:24:02Z https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951664#M23906 <P>Hi guys,</P><P>I am having issues pinging my FTD internal interfaces. I can actually ping WAN interface, no issue there. But for LAN interface packet tracer says "no route". I can ping the hosts inside the LAN. There are no specific ICMP rules in Device Platform Policy on FMC. Any suggestions?</P><P>&nbsp;</P><P>10.50.31.97/27 is my LAN interface.</P><P>&nbsp;</P><P>Trace to host inside LAN:</P><P>&nbsp;</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.97</P><P>Result:<BR />input-interface: WAN<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (no-route) No route to host</P><P>&nbsp;</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.98</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.50.31.98 using egress ifc LAN</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />..etc</P><P>&nbsp;</P><P>Trace to WAN interface:</P><P>&gt; packet-tracer input WAN icmp 10.11.28.169 0 0 10.11.39.106</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.11.39.106 using egress ifc identity</P><P>..etc</P><P>&nbsp;</P><P>Thanks.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 01 Nov 2019 10:24:02 GMT https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951664#M23906 Moon1998 2019-11-01T10:24:02Z https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951669#M23909 Hi,<BR />That is to be expected. An FTD/ASA only responds to ICMP traffic sent to the interface that traffic comes in on. So you cannot ping from the WAN interface through the firewall to LAN interface, that's by design.<BR /><BR />HTH Fri, 01 Nov 2019 10:40:06 GMT https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951669#M23909 Rob Ingram 2019-11-01T10:40:06Z https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951672#M23917 <P>Ah, missed that <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Thanks!</P> Fri, 01 Nov 2019 10:45:13 GMT https://community.cisco.com/t5/network-security/ping-to-ftd-interface/m-p/3951672#M23917 Moon1998 2019-11-01T10:45:13Z