Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2809
Views
10
Helpful
6
Replies

FirePower1010 routing problems

Go to solution
ratemaki
Level 1
Level 1

‎09-11-2020 02:33 AM

Hi,

I've the FirePower1010 versions 6.5.0.2.

There are several interfaces:

- Ethernet 1/2 with address 192.168.24.245 and is belong by inside_zone

- Ethernet 1/4 with address 192.168.23.245 and is belong by video_zone

 

But I cann't ping 192.168.23.245 from PC with ip 192.168.24.124. The ip 192.168.24.245 is default gateway on PC.

Whireshark from PC shows messege "No response found!" when I try to ping 192.168.23.245.

 

Tracer from FP1010 shows "Drop-reason: (no-route)":

trace.JPG

There is routing table FP1010:

route.JPG

In policies is rule allow traffic from inside_zone to video_zone.

Can anyone help me? please.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎09-11-2020 02:41 AM - edited ‎09-11-2020 02:58 AM

Hi,

That is to be expected and won't work by design. The FTD will only respond to ICMP traffic sent to the interface that traffic comes in on, you cannot send ICMP traffic through an interface to a far interface.

 

Ping "through" the FTD to another devices, such as a PC, you will of course need firewall rules to permit this.

 

HTH

View solution in original post

6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎09-11-2020 02:41 AM - edited ‎09-11-2020 02:58 AM

Hi,

That is to be expected and won't work by design. The FTD will only respond to ICMP traffic sent to the interface that traffic comes in on, you cannot send ICMP traffic through an interface to a far interface.

 

Ping "through" the FTD to another devices, such as a PC, you will of course need firewall rules to permit this.

 

HTH

Go to solution
ratemaki
Level 1
Level 1
In response to Rob Ingram

‎09-11-2020 03:18 AM

Thanks for answer!

 

But when I try to ping through the FTD to another devices it's no work too... 

Wireshark shows the same message "No response found!", 

trace shows:

trace1.JPG

For clear: it shows output-interface: inside_3 (it's Ethernet1/3) because I ping host in 172.1.0.0/24 network and ip address Ethernet1/3 is 172.1.0.1. It's different that I posted in the first message because there are not yet hosts in 192.168.23.0/24.

There is rule permit traffic also.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎09-11-2020 03:25 AM

Is there a firewall enabled on the remote device you are trying to ping?

Do you have NAT configured?

What is the full output of that packet-tracer, please provide the output.

0 Helpful

Go to solution
ratemaki
Level 1
Level 1
In response to Rob Ingram

‎09-11-2020 04:16 AM

Problem is solved!

 

The reason is an incorrect network configuration of the host (in the network 172.1.0.0/24) and, as a result, traffic asymmetry.

 

@Rob Ingram Thank you for help!

0 Helpful

Go to solution
Ruben Cocheno
Spotlight
Spotlight

‎09-11-2020 06:19 AM

@ratemaki 

 

Check for asymmetric routing, it is when the flow of packets in one direction passes through a different interface than that used for the return path. 

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Go to solution
ratemaki
Level 1
Level 1
In response to Ruben Cocheno

‎09-11-2020 07:08 AM

I created a nat for traffic from the 192.168.24.0 / 24 network to the 172.1.0.0 / 24 network as a temporary solution.

I'll chek again after reconfiguration the host.

 

You can also create a bypass rule if you have asymmetric routing.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card