FTD Internal traffic drop

Support ACME (Level 1)

Dear All,

We just purchased the ASA5508-FTD-X as the internal firewall. All internal devices' default gateway points to the ASA 5508, and we have 3 VLANs: vlan166 (server subnet), vlan177 (VIP member subnet) and vlan188 (staff subnet).

We have two guest OSes on my VMware platform, one Windows 2016 (IP: 192.168.166.2) and one Win10 (192.168.188.2), and "Promiscuous Mode" is enabled on the vSwitch. The two guest OSes can access the internet, but can't ping each other.

Can anyone help?

FMC version: 6.4

FTD software: 6.4.0.1

NGFW Version 6.4.0
!
hostname firepower
enable password ***** encrypted
strong-encryption-disable
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif WAN
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address x.x.x.x 255.255.255.224 standby x.x.x.x
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.166
vlan 166
nameif vlan166
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.166.1 255.255.255.0 standby 192.168.166.254
!
interface GigabitEthernet1/2.177
vlan 177
nameif vlan177
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.177.1 255.255.255.0 standby 192.168.177.254
!
interface GigabitEthernet1/2.188
vlan 188
nameif vlan188
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.188.1 255.255.255.0 standby 192.168.188.254
!
interface GigabitEthernet1/3
shutdown
no nameif
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description LAN Failover Interface
!
interface GigabitEthernet1/8
description STATE Failover Interface
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
boot system disk0:/os.img
ftp mode passive
ngips conn-match vlan-id
object network VLAN177
subnet 192.168.177.0 255.255.255.0
object network VLAN188
subnet 192.168.188.0 255.255.255.0
object network x.x.x.x
host x.x.x.x
object network VLAN166
subnet 192.168.166.0 255.255.255.0
object-group network FMC_INLINE_src_rule_268435457
description Auto Generated by FMC from src of UnifiedNGFWRule# 2 (SPK/mandatory)
network-object object VLAN177
network-object object VLAN188
network-object object VLAN166
object-group network FMC_INLINE_dst_rule_268435457
description Auto Generated by FMC from dst of UnifiedNGFWRule# 2 (SPK/mandatory)
network-object object VLAN177
network-object object VLAN188
network-object object VLAN166
object-group network FMC_INLINE_src_rule_268435456
description Auto Generated by FMC from src of UnifiedNGFWRule# 3 (SPK/mandatory)
network-object object VLAN177
network-object object VLAN188
network-object object VLAN166
object-group network FMC_INLINE_src_rule_268435459
description Auto Generated by FMC from src of UnifiedNGFWRule# 1 (SPK/mandatory)
network-object object VLAN166
network-object object VLAN188
object-group network FMC_INLINE_dst_rule_268435459
description Auto Generated by FMC from dst of UnifiedNGFWRule# 1 (SPK/mandatory)
network-object object VLAN166
network-object object VLAN188
access-list CSM_FW_ACL_ remark rule-id 268435458: PREFILTER POLICY: HA
access-list CSM_FW_ACL_ remark rule-id 268435458: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268435458
access-list CSM_FW_ACL_ advanced permit 41 any any rule-id 268435458
access-list CSM_FW_ACL_ advanced permit gre any any rule-id 268435458
access-list CSM_FW_ACL_ advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435458
access-list CSM_FW_ACL_ advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435458
access-list CSM_FW_ACL_ remark rule-id 268435459: ACCESS POLICY: SPK - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435459: L7 RULE: allow internal
access-list CSM_FW_ACL_ advanced permit ip ifc vlan188 object-group FMC_INLINE_src_rule_268435459 ifc vlan166 object-group FMC_INLINE_dst_rule_268435459 rule-id 268435459
access-list CSM_FW_ACL_ advanced permit ip ifc vlan188 object-group FMC_INLINE_src_rule_268435459 ifc vlan188 object-group FMC_INLINE_dst_rule_268435459 rule-id 268435459
access-list CSM_FW_ACL_ advanced permit ip ifc vlan166 object-group FMC_INLINE_src_rule_268435459 ifc vlan166 object-group FMC_INLINE_dst_rule_268435459 rule-id 268435459
access-list CSM_FW_ACL_ advanced permit ip ifc vlan166 object-group FMC_INLINE_src_rule_268435459 ifc vlan188 object-group FMC_INLINE_dst_rule_268435459 rule-id 268435459
access-list CSM_FW_ACL_ remark rule-id 268435457: ACCESS POLICY: SPK - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435457: L7 RULE: AllowInternalTraffic
access-list CSM_FW_ACL_ advanced permit ip ifc vlan166 object-group FMC_INLINE_src_rule_268435457 ifc vlan166 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan166 object-group FMC_INLINE_src_rule_268435457 ifc vlan177 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan166 object-group FMC_INLINE_src_rule_268435457 ifc vlan188 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan177 object-group FMC_INLINE_src_rule_268435457 ifc vlan166 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan177 object-group FMC_INLINE_src_rule_268435457 ifc vlan177 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan177 object-group FMC_INLINE_src_rule_268435457 ifc vlan188 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan188 object-group FMC_INLINE_src_rule_268435457 ifc vlan166 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan188 object-group FMC_INLINE_src_rule_268435457 ifc vlan177 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ advanced permit ip ifc vlan188 object-group FMC_INLINE_src_rule_268435457 ifc vlan188 object-group FMC_INLINE_dst_rule_268435457 rule-id 268435457
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: SPK - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: NAT
access-list CSM_FW_ACL_ advanced permit ip object-group FMC_INLINE_src_rule_268435456 any4 rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: SPK - Default
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434432 event-log both
!
tcp-map UM_STATIC_TCP_MAP
tcp-options range 6 7 allow
tcp-options range 9 18 allow
tcp-options range 20 255 allow
urgent-flag allow
!
no pager
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu WAN 1500
mtu vlan177 1500
mtu vlan188 1500
mtu vlan166 1500
mtu diagnostic 1500
failover
failover lan unit primary
failover lan interface HALink GigabitEthernet1/7
failover replication http
failover link StateLink GigabitEthernet1/8
failover interface ip HALink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover interface ip StateLink 192.0.2.5 255.255.255.252 standby 192.0.2.6
monitor-interface vlan177
monitor-interface vlan188
monitor-interface vlan166
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network VLAN177
nat (any,any) dynamic x.x.x.x
object network VLAN188
nat (any,any) dynamic x.x.x.x
object network VLAN166
nat (any,any) dynamic x.x.x.x
access-group CSM_FW_ACL_ global
route WAN 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:00:30
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa proxy-limit disable
aaa authentication login-history
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect ip-options UM_STATIC_IP_OPTIONS_MAP
parameters
eool action allow
nop action allow
router-alert action allow
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect ip-options UM_STATIC_IP_OPTIONS_MAP
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
!
service-policy global_policy global
prompt hostname context
snort preserve-connection
Cryptochecksum:4c501cee60bb9a37397e15af6c2aa99f
: end
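Three settings in the running-config above decide what happens to a ping from 192.168.166.2 to 192.168.188.2 on this box: every named interface is security-level 0 with the access policy applied as a global access-group, the LINA-side default action is `permit ip any any` (rule-id 268434432), and each internal network object carries `nat (any,any) dynamic x.x.x.x`, an auto-NAT rule whose interface pair also matches traffic between two internal VLANs. The script below is an added example, not code from this thread or from Cisco: it parses a config excerpt constructed from the post (the redacted address is left as x.x.x.x), lists those findings, and reports which NAT rule a 192.168.166.2 to 192.168.188.2 flow would match. Function and variable names are the example's own.

```python
"""Audit an ASA/FTD config excerpt for what governs VLAN-to-VLAN traffic:
interface security levels, object-NAT interface pairs and the LINA default
action. SAMPLE_CONFIG is constructed from the post above, keeping the
redacted public address as x.x.x.x so the parser has to tolerate it."""
import ipaddress
import re

NAT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) (?P<kind>static|dynamic) (?P<mapped>\S+)")

SAMPLE_CONFIG = """
interface GigabitEthernet1/1
nameif WAN
security-level 0
interface GigabitEthernet1/2.166
nameif vlan166
security-level 0
interface GigabitEthernet1/2.188
nameif vlan188
security-level 0
object network VLAN188
subnet 192.168.188.0 255.255.255.0
object network x.x.x.x
host x.x.x.x
object network VLAN166
subnet 192.168.166.0 255.255.255.0
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434432 event-log both
object network VLAN188
nat (any,any) dynamic x.x.x.x
object network VLAN166
nat (any,any) dynamic x.x.x.x
access-group CSM_FW_ACL_ global
"""


def parse_config(text):
    """Interfaces (nameif -> level), objects (name -> subnet + NAT rules), ACL lines."""
    cfg = {"interfaces": {}, "objects": {}, "acl": []}
    ctx = None  # interface or object block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            ctx = {"nameif": None, "level": None}
        elif line.startswith("object network "):
            # FMC emits each object twice (subnet, then NAT); merge both blocks.
            ctx = cfg["objects"].setdefault(line.split()[2], {"subnet": None, "nat": []})
        elif line.startswith("access-list "):
            cfg["acl"].append(line)
        elif ctx is None:
            continue
        elif line.startswith("nameif "):
            ctx["nameif"] = line.split()[1]
            cfg["interfaces"][ctx["nameif"]] = ctx
        elif line.startswith("security-level "):
            ctx["level"] = int(line.split()[1])
        elif line.startswith(("subnet ", "host ")):
            parts = line.split()
            try:
                ctx["subnet"] = ipaddress.ip_network(
                    "/".join(parts[1:3]) if parts[0] == "subnet" else parts[1])
            except ValueError:  # redacted address such as x.x.x.x
                ctx["subnet"] = None
        else:
            m = NAT_RE.match(line)
            if m and "nat" in ctx:
                ctx["nat"].append(m.groupdict())
    return cfg


def nat_rules_for(cfg, src_ip, ingress, egress):
    """Object-NAT rules matching src_ip on this (ingress, egress) pair. 'any'
    matches every interface, so (any,any) also fires between internal VLANs.
    ASA ordering inside the object-NAT section is not modelled."""
    src = ipaddress.ip_address(src_ip)
    return [(name, r) for name, obj in cfg["objects"].items()
            if obj["subnet"] is not None and src in obj["subnet"]
            for r in obj["nat"]
            if r["src"] in ("any", ingress) and r["dst"] in ("any", egress)]


def audit(cfg):
    """Findings a reviewer would raise for a firewall that routes between VLANs."""
    findings = []
    levels = {i["level"] for i in cfg["interfaces"].values()}
    if len(cfg["interfaces"]) > 1 and len(levels) == 1:
        findings.append(f"all named interfaces are security-level {levels.pop()}; on FTD "
                        "the global access-group, not interface levels, decides what passes")
    for name, obj in cfg["objects"].items():
        for r in obj["nat"]:
            if r["src"] == "any" and r["dst"] == "any":
                findings.append(f"object {name}: nat (any,any) {r['kind']} {r['mapped']} also "
                                "translates traffic between internal interfaces; scope it to (<vlan>,WAN)")
    if any(" permit ip any any " in e for e in cfg["acl"]):
        findings.append("LINA default action is 'permit ip any any': the ACL will not drop "
                        "inter-VLAN traffic, so check NAT and the Snort verdict")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join("- " + f for f in audit(cfg)))
    for name, r in nat_rules_for(cfg, "192.168.166.2", "vlan166", "vlan188"):
        print(f"192.168.166.2 -> 192.168.188.2 hits {name}: nat ({r['src']},{r['dst']}) {r['mapped']}")
```

To confirm on the device rather than on paper, run `packet-tracer input vlan166 icmp 192.168.166.2 8 0 192.168.188.2 detailed` and `show nat detail` from the FTD CLI and read the NAT phase: if the source of a vlan166 to vlan188 flow is being translated to the WAN address, change the FMC NAT rules so the destination interface is WAN rather than any, deploy, and retest.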

4 Replies

It could be that the Windows firewall is enabled. Disable it and then ping.

Please do not forget to rate.

I have disabled the Windows firewall; below is the result from the FTD CLI to Windows 10 and Windows 2016.

> ping 192.168.166.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.166.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> ping 192.168.166.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.166.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

> ping 192.168.188.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.188.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>

So your issue is resolved?

Please do not forget to rate.

Not yet, I am still unable to ping between the two guest OSes; the above result just shows you that the Windows firewall is already disabled.
