
How to edit the FMC inspection policy for ping?

baselzind
Level 6

I have an FMC with a Cisco Firepower 2110 FTD. I can browse the internet from inside fine, but I cannot ping any outside IP address. I think it is denied in the inspection policy, but I can't seem to find it in the FMC. Where is the inspection policy in the FMC?

Accepted Solution

Abheesh Kumar
VIP Alumni

Hi,
You can enable/disable the inspection policy from the CLI:
> configure inspection icmp disable

You can also create a FlexConfig to disable inspections. Create a FlexConfig as below and bind it to the FTD:

policy-map global_policy
 class inspection_default
  no inspect icmp

HTH

Abheesh


4 Replies

Is "> configure inspection icmp disable" done on the FTD or the FMC? And if on the FMC, how do I do it, as it isn't accepting it? I think there are pre-commands needed to be able to insert it, as I'm getting the prompt in this form: "admin@firepower:~$".

You need to do it on the FTD, not the FMC.

You can also create a rule in the ACP to allow ping.

HTH

Abheesh

You need "inspect icmp" for ping to work.

Otherwise the FTD doesn't keep track of the ICMP flows, and thus when the ICMP echo reply is received it is not recognized as part of an existing flow and is dropped.

Note that if you want traceroute to work, even more configuration is required. Paul Stewart explains how here:

https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/
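As an added illustration of the mechanism this last reply describes (and of the "allow ping in the ACP" alternative mentioned earlier in the thread), here is a small Python model of stateful ICMP echo tracking. It is example code written for this page, not code from the thread or from Cisco's FTD. The addresses, ICMP identifier and sequence numbers, packet bytes and the StatefulFirewall/simulate names are constructed for the demo, and the model deliberately ignores NAT, ICMP error messages and flow timeouts, all of which a real FTD also handles.

```python
"""Toy model of stateful ICMP echo tracking, as done by a firewall with
ICMP inspection enabled.

Added example for this page; not code from the thread or from Cisco.
Addresses, ICMP identifier/sequence numbers and packet bytes are
constructed for the demo. NAT, ICMP error messages and flow timeouts
are ignored.
"""
import struct
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Build an ICMP echo request/reply (code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> tuple:
    """Return (type, ident, seq); reject short or corrupted packets."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(pkt) != 0:          # a valid packet checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq


@dataclass
class StatefulFirewall:
    inspect_icmp: bool
    # (outside_src, inside_dst) pairs permitted by an explicit inbound rule,
    # standing in for an access-control-policy rule that allows ICMP in.
    inbound_allow: set = field(default_factory=set)
    # Tracked echo flows, keyed (inside_ip, outside_ip, ident, seq).
    flows: set = field(default_factory=set)

    def outbound(self, src: str, dst: str, pkt: bytes) -> str:
        """Inside -> outside: allowed; the echo flow is recorded only when
        ICMP inspection is on."""
        icmp_type, ident, seq = parse_icmp(pkt)
        if self.inspect_icmp and icmp_type == ICMP_ECHO_REQUEST:
            self.flows.add((src, dst, ident, seq))
        return "allow"

    def inbound(self, src: str, dst: str, pkt: bytes) -> str:
        """Outside -> inside: allowed if it completes a tracked echo (one
        reply per request) or if an explicit inbound rule permits it."""
        icmp_type, ident, seq = parse_icmp(pkt)
        key = (dst, src, ident, seq)
        if self.inspect_icmp and icmp_type == ICMP_ECHO_REPLY and key in self.flows:
            self.flows.discard(key)      # echo complete; a second reply is unsolicited
            return "allow"
        if (src, dst) in self.inbound_allow:
            return "allow"
        return "drop"


def simulate(inspect_icmp: bool, acp_rule: bool = False) -> dict:
    """Run one ping exchange plus two unsolicited replies through the model."""
    inside, outside = "192.168.1.10", "203.0.113.1"     # constructed addresses
    fw = StatefulFirewall(
        inspect_icmp=inspect_icmp,
        inbound_allow={(outside, inside)} if acp_rule else set(),
    )
    req = build_icmp(ICMP_ECHO_REQUEST, ident=0x1234, seq=1)
    rep = build_icmp(ICMP_ECHO_REPLY, ident=0x1234, seq=1)
    stray = build_icmp(ICMP_ECHO_REPLY, ident=0x1234, seq=99)   # no matching request
    return {
        "request": fw.outbound(inside, outside, req),
        "reply": fw.inbound(outside, inside, rep),
        "replayed_reply": fw.inbound(outside, inside, rep),
        "stray_reply": fw.inbound(outside, inside, stray),
    }


if __name__ == "__main__":
    cases = [("inspect icmp", dict(inspect_icmp=True)),
             ("no inspect icmp", dict(inspect_icmp=False)),
             ("no inspect icmp + ACP allow", dict(inspect_icmp=False, acp_rule=True))]
    for label, kwargs in cases:
        print(f"{label:30s} {simulate(**kwargs)}")
```

With inspection on, only the reply that matches a recorded request gets in, and only once; with inspection off, the reply is dropped exactly as the reply above describes. The explicit allow rule also makes ping work, but it admits every echo reply, including the replayed and stray ones, which is why the stateful approach is the tighter of the two.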
