10-10-2018 11:08 AM - edited 02-21-2020 08:20 AM
I am unable to get ping replies from my FTD outside interface when pinging from the Internet. I can ping out, through the FTD, to Internet addresses from internal clients. Basically, if I do an nmap scan from outside, I see no open ports on my FTD. I've configured Remote VPN as well, but 443 isn't open either. If I do a capture, it says icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule. Would that refer to the default_access_control_policy? Not sure what I am doing wrong... or not sure how to make a rule that allows traffic TO the FTD, not through it. Thanks.
10-10-2018 11:55 AM - edited 10-10-2018 11:57 AM
Further craziness - this FTD is part of an HA pair. I CAN ping the secondary external IP, but not the primary. If I take the primary unit offline (to force a failover), I still cannot ping the primary external IP, even though the device that now hosts it WAS replying to pings on the IP it just had (secondary). I also see 443 open on the secondary external IP (when both units are alive)... although it returns a "file not found" when I attempt to browse to it.
This is driving me nuts.....
10-11-2018 06:24 AM
Me again.
So, I ran packet-tracer with the detailed flag to see what was happening.
Basically, all phases pass - the packet gets through the ACLs, Snort, etc.
The final result is:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code
Any idea how to fix that?
10-12-2018 11:58 AM
Solution: make sure you do your NAT statements correctly.
oops....
02-28-2019 08:32 PM
Hi guys,
I had the same issue. Let me tell you our scenario. We have 1 FTD connected with two internet links (outside, outside1). We have configured PBR with sequence numbers 10 and 20 for redundancy and also configured track on both interfaces. By default, any public IP was able to ping outside and outside1 when nothing was configured in the ICMP rule.
Problem: when I was allowing ICMP for a specific outside internet IP address to ping my outside and outside1 interfaces, it was affecting my PBR, tracking and default route, and because of that the internet was not working.
Solution: we have to go to Device > Platform > ICMP and add a rule on top for the global DNS IPs 8.8.4.4 and 8.8.8.8, allowed on both outside interfaces, and below that we can create rules for the specific outside public IP to ping over the outside and outside1 interfaces. The global DNS rule is the mandatory field. After that it started working without affecting anything.
Solution for PBR failover: if you are using FTD ver 6.3.0 and PBR failover is not working after the correct configuration, then you can consider it as bug CSCvn0307, and this bug gets fixed in ver 6.3.0.1.
Thank you so much
Indu Bhushan
05-02-2024 05:09 AM
Hello! I noticed that I can ping an external address on our FTD. I would like to turn this off... I have looked at the access control policy and the Device > Platform > ICMP settings, and I do not see any indication that this is allowed. Does anyone know where else I could look to turn this off?