FTD can't reach the internet or the router

moha27med
Level 1

Hello guys,
I made this lab in GNS3 to prepare myself for my CCNP Security exam.
Everything works fine. I configured the FTD through FMC and gave IPs to the outside and inside interfaces;
I have also configured NAT and a static route. The issue is that the FTD can't reach the internet (so I can't ping 192.168.122.1).
I really don't know what the problem is; maybe someone could help me.

UPDATE: there is no problem with the Internet/ISP; I have tested with the router and the PC, and it is pingable.

17 Replies

moha27med
Level 1

UPDATE!!!
I found the problem. The issue is in the FW (FTD): it DOESN'T ping in any direction, not even to the inside area and the DMZ.
There is a ping between the router and the internet,
but I still don't know why the FW doesn't ping at all. I checked the ACL through FMC, but there are no restrictions.
[attachment: FTD.PNG]

Configure ICMP Access Rules

By default, you can send ICMP packets to any interface using either IPv4 or IPv6, with these exceptions:

  • The FTD does not respond to ICMP echo requests directed to a broadcast address.

  • The FTD only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

To protect the device from attacks, you can use ICMP rules to limit ICMP access to interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.

If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process.

Before you begin

Ensure that the objects needed in the rules already exist. Select Objects > Object Management to configure objects. You need network objects that define the desired hosts or networks, and port objects that define the ICMP message types you want to control.

Procedure


Step 1

Select Devices > Platform Settings and create or edit the FTD policy.

Step 2

Select ICMP.

Step 3

Configure ICMP rules.

  1. Click Add to add a new rule, or click Edit to edit an existing rule.

  2. Configure the rule properties:

    • Action—Whether to permit (allow) or deny (drop) matching traffic.

    • ICMP Service—The port object that identifies the ICMP message type.

    • Network—The network object that identifies the hosts or networks whose access you are controlling.

    • Security Zones—Add the zones that contain the interfaces that you are protecting. For interfaces not in a zone, you can type the interface name into the field below the Selected Security Zone list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

  3. Click OK.

Step 4

(Optional.) Set rate limits on ICMPv4 Unreachable messages.

  • Rate Limit—Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second.

  • Burst Size—Sets the burst rate, between 1 and 10. This value is not currently used by the system.

Step 5

Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

The purpose of the security appliance is to be silent, and it's not mandatory for it to respond to each single packet (ARP/IP/DHCP, etc.).

Most of the features of FTD are inherited from ASA, as under the hood FTD is more like LINA and CLISH.

please do not forget to rate.
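The ICMP access-rule semantics quoted above (ordered rules, first match wins, an implicit deny appended as soon as any rule exists on an interface, and the device only answering ICMP addressed to the interface the packet arrives on) are easy to get wrong when troubleshooting a box that "doesn't ping". The following is an added example, not Cisco code and not part of the original thread: a small Python model of that evaluation logic so the pitfall of denying a few types without a trailing permit-any can be seen directly. The rule lists, interface names and source addresses are constructed for illustration; the real policy is built in FMC under Devices > Platform Settings > ICMP.

```python
"""Model of FTD/ASA to-the-box ICMP rule evaluation (constructed example).

Rules are evaluated in order; the first match decides. If an interface has
no ICMP rules, ICMP to that interface is permitted by default. Once any rule
exists on an interface, anything not matched hits an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Common ICMPv4 type numbers used below.
ECHO_REQUEST = 8
UNREACHABLE = 3
TIME_EXCEEDED = 11


@dataclass(frozen=True)
class IcmpRule:
    action: str                # "permit" or "deny"
    network: str               # "any" or a CIDR such as "10.0.0.0/8"
    icmp_type: Optional[int]   # None matches every ICMP message type
    interface: str             # name of the interface the rule protects

    def matches(self, src_ip: str, icmp_type: int) -> bool:
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        if self.network == "any":
            return True
        net = ipaddress.ip_network(self.network, strict=False)
        return ipaddress.ip_address(src_ip) in net


def evaluate(rules: List[IcmpRule], src_ip: str, icmp_type: int,
             ingress: str, dst_interface: str) -> Tuple[str, str]:
    """Return (action, reason) for an ICMP packet addressed to the box."""
    # The box answers only ICMP addressed to the interface it arrived on;
    # "through" one interface to a far interface is never accepted.
    if ingress != dst_interface:
        return ("deny", "addressed to a far interface")
    iface_rules = [r for r in rules if r.interface == ingress]
    if not iface_rules:
        return ("permit", "default: no ICMP rules on this interface")
    for idx, rule in enumerate(iface_rules):
        if rule.matches(src_ip, icmp_type):
            return (rule.action, f"matched rule {idx}")
    return ("deny", "implicit deny at end of ICMP rule list")


# Pitfall: intending only to block pings from 10/8, but the single rule
# brings in the implicit deny, so every other ICMP type is dropped too.
BROKEN_RULES = [
    IcmpRule("deny", "10.0.0.0/8", ECHO_REQUEST, "outside"),
]

# Fix from the guide: finish the list with a permit-any rule.
FIXED_RULES = BROKEN_RULES + [
    IcmpRule("permit", "any", None, "outside"),
]

# Restrictive variant: only one host may ping, but unreachable (type 3)
# stays permitted so path-MTU discovery keeps working.
LOCKED_RULES = [
    IcmpRule("permit", "192.168.122.1/32", ECHO_REQUEST, "outside"),
    IcmpRule("permit", "any", UNREACHABLE, "outside"),
]


if __name__ == "__main__":
    cases = [
        ("no rules, ping", [], "10.1.1.1", ECHO_REQUEST),
        ("broken, ping from 10/8", BROKEN_RULES, "10.1.1.1", ECHO_REQUEST),
        ("broken, unreachable from ISP", BROKEN_RULES, "192.168.122.1", UNREACHABLE),
        ("fixed, unreachable from ISP", FIXED_RULES, "192.168.122.1", UNREACHABLE),
        ("locked, ping from other host", LOCKED_RULES, "10.1.1.1", ECHO_REQUEST),
        ("locked, unreachable from other host", LOCKED_RULES, "10.1.1.1", UNREACHABLE),
    ]
    for label, rules, src, t in cases:
        print(f"{label:38s} -> {evaluate(rules, src, t, 'outside', 'outside')}")
    print("fixed, ping to inside via outside   ->",
          evaluate(FIXED_RULES, "192.168.122.1", ECHO_REQUEST, "outside", "inside"))
```

The third case is the one to look for when a device stops answering ping after a single ICMP rule is added: the unreachable message is dropped by the implicit deny even though no rule names it. The last line shows the separate far-interface exception, which no ICMP rule can override.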