cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


923
Views
0
Helpful
4
Replies
Highlighted
Beginner

FTD access to external interface

I am unable to get ping replies from my FTD outside interface when pinging from the Internet.  I can ping out, through the FTD to Internet address from internal clients.  Basically, if I do an nmap scan from outside - I see no open ports on my FTD.  I've configured Remote VPN as well, but 443 isn't open either.  If I do a capture - it says icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule.  Would that refer to the default_access_control_policy?  Not sure what I am doing wrong.....or not sure how to make a rule that allows traffic TO the FTD, not through it.  Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: FTD access to external interface

Solution:  make sure you do your NAT statements correctly.

 

oops....

4 REPLIES 4
Beginner

Re: FTD access to external interface

Further craziness - this FTD is part of a HA pair.   I CAN ping the 2ndary external IP - but not the primary.   If I take the primary unit offline (to force a failover - I still cannot ping the primary external IP - even though the device that now hosts it WAS replying to pings on the IP it just had (secondary).  I also see 443 open on the 2ndary external IP (when both units are alive).....although it returns a "file not found" when I attempt to browse to it.

 

This is driving me nuts.....

Beginner

Re: FTD access to external interface

Me again.

 

So, I ran packet-tracer with the detailed flag to see what was happening.  

 

Basically, all phases pass -the packet gets through the ACLs, Snort, etc.  

 

The final result is:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code

 

 

Any idea how to fix that?

 

 

Beginner

Re: FTD access to external interface

Solution:  make sure you do your NAT statements correctly.

 

oops....

Beginner

Re: FTD access to external interface

Hi guys,

I had the same issue. Let me tell you our senerio. We have 1 FTD connected with two internet links (outside, outside1), As we have configured PBR with sequence number 10,20 for redundancy and also configured track on both interfaces. By default any public ip was able to ping outside and outside one when nothing was configured in ICMP rule.

 

Problem: when I was allowing icmp for specific outside internet ip address to ping my outside, outside 1 interfaces, it was affecting my PBR, tracking and default route and because of that internet was not working.

 

Solution: we have to go to Device>platform>icmp and add the rule on top for global DNS ip 8.8.4.4 and 8.8.8.8 and allow on both outside interfaces and below of them we can create for specific outide public ip to ping over outside,outside1 interfaces. Global DNS rule is the mandatory field. Then after it has started working effecting anything.

 

Solution for PBR fail over: if you are using FTD ver 6.3.0 and PBR failure is not working after the correct configuration then u can consider as Bug CSCvn0307, and this bug will get fixed by ver 6.3.0.1

 

Thanks you so much

 

Indu Bhushan