I am unable to get ping replies from my FTD outside interface when pinging from the Internet. I can ping out, through the FTD, to Internet addresses from internal clients. Basically, if I do an nmap scan from outside, I see no open ports on my FTD. I've configured Remote Access VPN as well, but 443 isn't open either. If I do a capture, it says icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule. Would that refer to the default access control policy? Not sure what I am doing wrong, or how to make a rule that allows traffic TO the FTD, not through it. Thanks.
Further craziness: this FTD is part of an HA pair. I CAN ping the secondary external IP, but not the primary. If I take the primary unit offline (to force a failover), I still cannot ping the primary external IP, even though the device that now hosts it WAS replying to pings on the IP it just had (the secondary). I also see 443 open on the secondary external IP (when both units are alive), although it returns a "file not found" when I attempt to browse to it.
This is driving me nuts.....
So, I ran packet-tracer with the detailed flag to see what was happening.
Basically, all phases pass: the packet gets through the ACLs, Snort, etc.
The final result is:
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code
Any idea how to fix that?
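As an added example (not part of the original thread and not Cisco's code), here is a small Python helper that parses the two kinds of output quoted in this thread, a `capture ... trace` listing and `packet-tracer ... detailed` output, pulls out the per-phase results and the final `Drop-reason`, and counts drop codes across a capture. Both sample outputs below are constructed for the example (RFC 5737 documentation addresses, a made-up `rule-id`), and the hint table is my own summary of the two drop codes named in the thread, not Cisco's wording.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of the tail of `packet-tracer input outside icmp <src> 8 0 <outside-ip> detailed`
# output. The phase layout follows the ASA/FTD format; the values are made up for this example.
SAMPLE_PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit icmp any any rule-id 268435457
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaa, priority=12, domain=permit, deny=false

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code
"""

# Constructed `capture ... trace`-style lines (RFC 5737 addresses, not real hosts).
SAMPLE_CAPTURE = """\
1: 10:15:01.123456 203.0.113.5 > 198.51.100.10 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
2: 10:15:02.123456 203.0.113.5 > 198.51.100.10 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
3: 10:15:03.123456 203.0.113.7.51234 > 198.51.100.10.443: S 1234567890:1234567890(0) win 64240 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 10:15:04.000000 198.51.100.10 > 203.0.113.5 icmp: echo reply
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
DROP_RE = re.compile(r"Drop-reason:\s*\(([^)]+)\)\s*(.*?)\s*$")

# Author's summary of the two drop codes seen in this thread (assumption: my wording, not Cisco's).
DROP_HINTS: Dict[str, str] = {
    "acl-drop": ("flow matched a deny (explicit or implicit) in an access rule; ICMP aimed at the "
                 "FTD's own interfaces is governed by the Platform Settings ICMP rules "
                 "(the icmp permit/deny lines), not only by the access control policy"),
    "inspect-icmp-bad-code": ("dropped by the ICMP inspection engine because it rejected the ICMP "
                              "type/code; compare the type/code in the capture with the values "
                              "passed to packet-tracer"),
}


@dataclass
class Phase:
    number: int
    kind: str = ""          # the `Type:` field
    subtype: str = ""
    result: str = ""        # ALLOW or DROP
    config: List[str] = field(default_factory=list)


def parse_phases(text: str) -> List[Phase]:
    """Split packet-tracer output into phases, stopping at the bare final `Result:` block."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    in_config = False
    names = {"Type": "kind", "Subtype": "subtype", "Result": "result"}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_config = False
            continue
        if line == "Result:":          # bare header: the summary block, not a phase field
            current, in_config = None, False
            continue
        if current is None:
            continue
        if line == "Config:":
            in_config = True
            continue
        if line == "Additional Information:":
            in_config = False
            continue
        if in_config:
            if line:
                current.config.append(line)
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(current, names[m.group(1)], m.group(2).strip())
    return phases


def first_drop_phase(phases: List[Phase]) -> Optional[Phase]:
    """The first phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def final_drop_reason(text: str) -> Optional[Tuple[str, str]]:
    """(code, description) from the `Drop-reason: (code) description` line, if any."""
    m = DROP_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def drop_reason_counts(capture_text: str) -> Dict[str, int]:
    """Count drop codes per line of a capture listing; lines without a drop are ignored."""
    counts: Counter = Counter()
    for line in capture_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def explain_drop(code: str) -> str:
    return DROP_HINTS.get(code, f"unknown drop reason {code!r}; check `show asp drop` on the box")


if __name__ == "__main__":
    phases = parse_phases(SAMPLE_PACKET_TRACER)
    for p in phases:
        print(f"phase {p.number}: {p.kind}/{p.subtype or '-'} -> {p.result}")
    drop = first_drop_phase(phases)
    reason = final_drop_reason(SAMPLE_PACKET_TRACER)
    if drop and reason:
        print(f"dropped in phase {drop.number} ({drop.kind}): {reason[0]} - {explain_drop(reason[0])}")
    for code, n in drop_reason_counts(SAMPLE_CAPTURE).items():
        print(f"capture: {n} x {code}: {explain_drop(code)}")
```

Feed it the real output with `parse_phases(open("tracer.txt").read())`; the useful signal is the pair of `first_drop_phase` (which engine dropped it) and `final_drop_reason` (why), since a packet that clears every ACL phase and still dies in an INSPECT phase is not an access-rule problem.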
I had the same issue. Let me tell you our scenario. We have one FTD connected to two internet links (outside, outside1). We have configured PBR with sequence numbers 10 and 20 for redundancy and also configured tracking on both interfaces. By default, any public IP was able to ping outside and outside1 when nothing was configured in the ICMP rules.
Problem: when I allowed ICMP for a specific outside internet IP address to ping my outside and outside1 interfaces, it affected my PBR, tracking and default route, and because of that the internet was not working.
Solution: we have to go to Device > Platform > ICMP and add a rule on top for the global DNS IPs 220.127.116.11 and 18.104.22.168, allowed on both outside interfaces, and below them we can create rules for the specific outside public IP to ping the outside and outside1 interfaces. The global DNS rule is mandatory. After that, it started working without affecting anything.
Solution for PBR failover: if you are using FTD version 6.3.0 and PBR failover is not working after the correct configuration, then you can consider it bug CSCvn0307, and this bug is fixed in version 22.214.171.124.
Thank you so much.