Re: Enable Ping interface WAN (Firepower FMC)

FranciscoOpenLink · ‎07-08-2022

Hello, I am trying to ping the WAN interface of a Firepower in a laboratory and it blocks the traffic.

I have another firepower but this one is not added to the FMC and the ping works without problem, I already enabled the ping in the FMC and created a rule that allows everything and it doesn't work.

Rob Ingram · ‎07-08-2022

@FranciscoOpenLink

Ping would be permitted as default to the FTD.

Where did you configure the ping rules? ICMP (ping) is controlled via the Platform Settings not the Access Control Policy (ACP).

Where are you pinging from?

What interface are you connected to?

You'd only be able to ping the WAN interface if you were connected behind that interface, you could not be connected behind another FTD interface (i.e., INSIDE) and ping the WAN interface, that will not work by design.

FranciscoOpenLink · ‎07-08-2022

Hello, I am pinging from another Firepower that I have connected via WAN on the same network segment.

I show you the rules I create

FranciscoOpenLink · ‎07-08-2022

connect a virtual machine to that interface to check and it doesn't work either.

ping otra pc.png

Rob Ingram · ‎07-08-2022

@FranciscoOpenLink what is the configuration of the ICMP service "permitICMP"? if it's incorrect, there is an implicit deny, so the traffic will be dropped.

The ACP policy is not applicable when controlling traffic to the FTD's interface.

FranciscoOpenLink · ‎07-08-2022

I am allowing ICMP in that policy

MHM Cisco World · ‎07-08-2022

some times the PC OS FW drop ICMP, disable FW or allow ping.