FTD access to external interface

Eric Shartle
Level 1

I am unable to get ping replies from my FTD outside interface when pinging from the Internet. I can ping out, through the FTD, to Internet addresses from internal clients. Basically, if I do an nmap scan from outside, I see no open ports on my FTD. I've configured Remote VPN as well, but 443 isn't open either. If I do a capture, it says icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule. Would that refer to the default_access_control_policy? Not sure what I am doing wrong, or how to make a rule that allows traffic TO the FTD, not through it. Thanks.


5 Replies

Eric Shartle
Level 1

Further craziness: this FTD is part of an HA pair. I CAN ping the secondary external IP, but not the primary. If I take the primary unit offline (to force a failover), I still cannot ping the primary external IP, even though the device that now hosts it WAS replying to pings on the IP it just had (secondary). I also see 443 open on the secondary external IP (when both units are alive), although it returns a "file not found" when I attempt to browse to it.

 

This is driving me nuts.

Me again.

 

So, I ran packet-tracer with the detailed flag to see what was happening.

Basically, all phases pass: the packet gets through the ACLs, Snort, etc.

The final result is:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code

 

 

Any idea how to fix that?

 

 

Solution:  make sure you do your NAT statements correctly.

 

oops....
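A small triage script for the packet-tracer output quoted above, added here as an example; it is not code from Cisco, from the FTD, or from any of the posters. It splits the `detailed` output into the Phase blocks and the final Result block, pulls out the Drop-reason code, and, given the firewall's own interface addresses (an assumption the caller supplies), flags the situation in the trace above: a ping addressed to the outside interface is being sent out the inside interface instead of being answered by the box, which is what a NAT rule matching the interface address does and is consistent with the accepted fix. The sample trace, the command line and the addresses (203.0.113.10 and 198.51.100.1, from the RFC 5737 documentation ranges) are constructed for the example; only the Result block is from the thread.

```python
"""Parse the output of `packet-tracer ... detailed` on Cisco FTD/ASA and
summarise the verdict.  Added example for this thread, not code from
Cisco or from the posters."""
import re

# Constructed sample, not a capture from the poster's device.  The command
# line and addresses (RFC 5737 documentation ranges) are assumed, the Phase
# blocks are illustrative, and the Result block is the one quoted above.
SAMPLE_TRACE = """\
packet-tracer input outside icmp 203.0.113.10 8 0 198.51.100.1 detailed

Phase: 1
Type: CAPTURE
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: ALLOW

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: DROP

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-bad-code) ICMP Inspect bad icmp code
"""

# The two drop codes that appear in this thread and what to check next.
DROP_HINTS = {
    "acl-drop": "denied by an access rule; for traffic addressed to the FTD "
                "interface itself, check Device > Platform Settings (ICMP, "
                "SSH, HTTPS), not only the Access Control Policy",
    "inspect-icmp-bad-code": "rejected by ICMP inspection: the packet reached "
                             "the inspection engine with a type/code it "
                             "would not pass",
}

CMD_RE = re.compile(
    r"^packet-tracer\s+input\s+(?P<iface>\S+)\s+icmp\s+(?P<src>\S+)\s+"
    r"(?P<type>\d+)\s+(?P<code>\d+)\s+(?P<dst>\S+)", re.M)
DROP_RE = re.compile(r"^Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<text>.*)$", re.M)


def _kv(block):
    """'key: value' lines of one block -> dict with lower-cased keys."""
    out = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def parse_trace(text):
    """Return {'command': {...} or None, 'phases': [(n, type, result), ...],
    'result': {...}} from raw packet-tracer output."""
    parsed = {"command": None, "phases": [], "result": {}}
    cmd = CMD_RE.search(text)
    if cmd:
        parsed["command"] = cmd.groupdict()
    for block in re.split(r"\n\s*\n", text.strip()):
        if block.startswith("Phase:"):
            kv = _kv(block)
            parsed["phases"].append(
                (int(kv["phase"]), kv.get("type", ""), kv.get("result", "")))
        elif block.startswith("Result:"):
            parsed["result"] = _kv(block)
            drop = DROP_RE.search(block)
            if drop:
                parsed["result"]["drop-code"] = drop.group("code")
                parsed["result"]["drop-text"] = drop.group("text")
    return parsed


def triage(text, box_addrs=()):
    """Summarise a trace.  `box_addrs` (assumed, supplied by the caller) lists
    the firewall's own interface addresses, so the function can tell a ping
    *to* the box from a ping *through* it."""
    p = parse_trace(text)
    res, cmd = p["result"], p["command"] or {}
    dropped = [ph for ph in p["phases"] if ph[2].upper() == "DROP"]
    # A packet addressed to one of the box's own interfaces should terminate
    # on the box (packet-tracer reports that as "NP Identity Ifc"), not leave
    # on a different interface.  An egress interface that differs from the
    # ingress one means something, typically a NAT rule matching the
    # interface address, is translating and forwarding it instead.
    forwarded = (cmd.get("dst") in box_addrs
                 and res.get("output-interface") not in
                 (None, "", "NP Identity Ifc", res.get("input-interface")))
    return {
        "action": res.get("action"),
        "drop_code": res.get("drop-code"),
        "failed_phase": dropped[0] if dropped else None,
        "hint": DROP_HINTS.get(res.get("drop-code"), "no hint for this code"),
        "forwarded_to_box_traffic": forwarded,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_TRACE, box_addrs=("198.51.100.1",)).items():
        print(f"{k:>25}: {v}")
```

On a real unit, paste the output of `packet-tracer input outside icmp <src> 8 0 <outside-ip> detailed` in place of SAMPLE_TRACE and pass the interface addresses from `show interface ip brief`; when the script reports `forwarded_to_box_traffic` as True for a ping to your own outside address, look at `show nat` before anything else.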

Indu Bhushan
Level 1

Hi guys,

I had the same issue. Let me tell you our scenario. We have 1 FTD connected with two Internet links (outside, outside1). We have configured PBR with sequence numbers 10 and 20 for redundancy and also configured track on both interfaces. By default any public IP was able to ping outside and outside1 when nothing was configured in the ICMP rule.

 

Problem: when I was allowing ICMP for a specific outside Internet IP address to ping my outside and outside1 interfaces, it was affecting my PBR, tracking and default route, and because of that the Internet was not working.

 

Solution: we have to go to Device > Platform > ICMP and add the rule on top for the global DNS IPs 8.8.4.4 and 8.8.8.8, allowed on both outside interfaces, and below them we can create the rule for the specific outside public IP to ping over the outside and outside1 interfaces. The global DNS rule is the mandatory field. After that it started working without affecting anything.

 

Solution for PBR failover: if you are using FTD version 6.3.0 and PBR failover is not working after the correct configuration, then you can consider it bug CSCvn0307, which will get fixed in version 6.3.0.1.

 

Thank you so much

 

Indu Bhushan

Hello! I noticed that I can ping an external address on our FTD. I would like to turn this off. I have looked at the access control policy and the Device > Platform > ICMP settings, and I do not see any indication that this is allowed. Does anyone know where else I could look to turn this off?
