941 Views, 6 Helpful, 10 Replies

Cisco FPR1150 cannot ping outside interface from outside network

faruk.zaimovic
Level 1

Hello,

I have installed a Cisco FPR 1150 managed by FMC. I enabled the allow ICMP protocol through Platform Settings, but I cannot ping my outside interface from the outside network. Does anybody have the same problem?

Version is 7.2.4

Thanks.

10 Replies

@faruk.zaimovic 

Take a look at this thread. Look at the last message from the Cisco guy.

https://community.cisco.com/t5/network-security/ping-from-outside-to-outside-interface-firepower-1150/td-p/4752472

"You can enable ICMP access for your outside interface on FMC(Firepower Management Center) under Devices > Platform Setting > select ICMP Access > Click Add button on ICMP access page and set action permit, set ICMP services, set Network to get access of outside interface and select a Zone of your outside interface. Please find below screenshot for your reference"


Thank you very much. I have done it, and I have the same problem. I think there can be a problem with NAT. I have 1-1 static NAT for one public address from the IP pool to inside behind the FPR.

If your NAT is inside to outside it should not interfere with the ping from outside. The traffic should not match in this situation.

But, if possible, remove this 1-1 NAT to make sure.

Thank you very much. 

I share your opinion, but I don't know what else to try. Tomorrow I will try deleting that NAT. There is NAT from a public IP address to a private interface in the ASA, and users make SSL connections to the ASA. I want to migrate SSL remote access from the ASA to the FPR.

Public IP---FPR---private IP----ASA-Firewall----private IP---CoreSwitch

If there is any other idea, please share.

Well, other than the NAT rule you can remove to test, I would recommend you run some Packet Tracer and take a look at the logs for this failing ping.

If you can share the result here, we can try to help.

Could you please share a screenshot of the config you applied to the platform settings for review? You might have a deny ICMP rule on top of the ones you added that is causing this. Also, is the 1:1 NAT you are referring to configured with the outside interface public IP, or is it a different public IP?
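The "deny rule on top" suspicion in the reply above is a rule-ordering problem. The following is an added example (not code from this thread, from Cisco, or from FMC) that models how an ordered ICMP access list is evaluated and flags rules that can never match. It assumes first-match evaluation per zone with an implicit deny when a rule list exists but nothing matches, which is how the ASA-side `icmp` command behaves; treat that as an assumption, and note that the rule fields, the sample rule sets and the source address are constructed for illustration.

```python
"""Added example: first-match evaluation of ICMP access rules (FTD Platform
Settings / ASA 'icmp' style) and detection of shadowed rules.

Assumptions (not taken from the thread): rules are evaluated top-down per
zone, the first match wins, and an implicit deny applies when a list exists
but no rule matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IcmpRule:
    action: str      # "permit" or "deny"
    icmp_type: str   # e.g. "echo", "echo-reply", or "any"
    network: str     # source network in CIDR; "0.0.0.0/0" means any source
    zone: str        # interface zone the rule is attached to, e.g. "outside"


def evaluate(rules, src_ip, icmp_type, zone):
    """Return (action, index_of_matching_rule).

    index is None when nothing matched and the implicit deny applied.
    """
    src = ip_address(src_ip)
    for idx, rule in enumerate(rules):
        if rule.zone != zone:
            continue
        if rule.icmp_type not in ("any", icmp_type):
            continue
        if src not in ip_network(rule.network, strict=False):
            continue
        return rule.action, idx
    return "deny", None


def find_shadowed(rules):
    """Return indices of rules that can never match because an earlier rule
    in the same zone already covers their ICMP type and source network."""
    shadowed = []
    for j, later in enumerate(rules):
        later_net = ip_network(later.network, strict=False)
        for earlier in rules[:j]:
            if earlier.zone != later.zone:
                continue
            if earlier.icmp_type not in ("any", later.icmp_type):
                continue
            if later_net.subnet_of(ip_network(earlier.network, strict=False)):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample rule sets for the outside zone.
# BROKEN: a blanket deny sits above the permit, so the permit is dead.
BROKEN = [
    IcmpRule("deny", "any", "0.0.0.0/0", "outside"),
    IcmpRule("permit", "echo", "0.0.0.0/0", "outside"),
]
# FIXED: the permit for echo comes first; the blanket deny still catches the rest.
FIXED = [
    IcmpRule("permit", "echo", "0.0.0.0/0", "outside"),
    IcmpRule("deny", "any", "0.0.0.0/0", "outside"),
]


def main():
    # Constructed source address (documentation range) pinging the outside interface.
    src = "203.0.113.10"
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        action, idx = evaluate(rules, src, "echo", "outside")
        print(f"{name}: echo from {src} -> {action} (rule {idx}), "
              f"shadowed rules: {find_shadowed(rules)}")


if __name__ == "__main__":
    main()
```

Running it shows the BROKEN set denying the echo at rule 0 while reporting rule 1 as shadowed, and the FIXED set permitting it; the same first-match logic is why a wide deny placed above a narrow permit silently disables the permit no matter what it says.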

Hello, 

farukzaimovic_0-1729673227844.png

farukzaimovic_1-1729673241048.png

It is a different IP address, from another public IP pool.

Thank you very much for response.

Interesting. Could you please log into the FTD via CLI and issue the command "system support diagnostic-cli" and then type "enable" and hit enter without providing any password. This will take you to Lina, which is basically the ASA engine. From there type the command "sh run icmp" and share the output for review please.

Also, if you can, please run some packet captures, still from the Lina engine, while you are trying to ping the outside interface and share the sanitized output for review:

cap FARUK interface outside match icmp any any

or

cap FARUK interface outside match icmp any host < the outside public IP >

or

cap FARUK interface outside match icmp any host < the outside public IP > echo

I got the feeling that the platform setting was not pushed to the firewall, or maybe wasn't associated with it.

Hello, 

Thank you very much for the help and response.

Yesterday I solved the problem. As I suspected, the problem was with NAT, though I cannot understand why. I have auto dynamic NAT from inside to outside; when I deleted that auto NAT rule, I managed to ping my outside interface. Then I added manual NAT for some networks from inside to outside again. Now I have NAT and can ping the interface.

Aref, I did it, but I couldn't see ICMP traffic.

Sorry, but that does not make sense.

The traffic to the FTD does not bypass the FTD, so it can be affected by NAT.

MHM
