05-31-2018 12:30 PM - edited 02-21-2020 07:50 AM
Hi,
When pinging from within the ASA box running FTD 6.2, it fails. The configuration is out of the box, so nothing strange there.
For example:
> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.
^C
--- e2867.dsca.akamaiedge.net ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26006ms
I have connectivity from hosts in the inside zone to the internet but cannot ping through the box. I recall that in classic ASA OS I should enable icmp inspect in order for this to work; is this the same case with this ASA running the FTD software?
Thank you all!
05-31-2018 11:03 PM
There was a release in which they broke the icmp inspect (6.1 maybe?), but on 6.2 it should be there by default. You can check your Lina (legacy ASA code) section of the configuration from the cli and confirm:
> show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
>
Note I do have decrement-ttl in there via Flexconfig to make traceroute work properly through the firewall.
"ping system" will use the management interface. Is there a route, ACL and NAT rule along the path that will allow that traffic? If there is, it should work.
Cisco Fire Linux OS v6.2.3 (build 13)
Cisco Firepower Threat Defense for VMWare v6.2.3.1 (build 43)
> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.33.21) 56(84) bytes of data.
64 bytes from a104-103-33-21.deploy.static.akamaitechnologies.com (104.103.33.21): icmp_seq=1 ttl=60 time=26.6 ms
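The check described in the reply above (confirm that `inspect icmp` and `inspect icmp error` are present in the Lina policy-map, and whether `decrement-ttl` was added under class-default) can be scripted against the output of `show running-config policy-map global_policy`. The following Python is an added example, not code from this thread or from Cisco; the sample policy-map text is constructed from the output posted above, and the function names are my own.

```python
"""Parse an ASA/FTD 'show running-config policy-map global_policy' dump and
report whether the inspections needed for ping-through-the-box are present.
Added example for this thread; not Cisco code."""
import re
from typing import Dict, List

# Constructed sample, modelled on the output posted in the thread (not a live capture).
SAMPLE_POLICY_MAP = """\
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
"""


def parse_policy_map(text: str) -> Dict[str, List[str]]:
    """Return {class_name: [statements...]} for one policy-map dump.

    Indentation is ignored; a 'class <name>' line opens a new section and every
    following non-empty, non-'!' line belongs to it until the next 'class'.
    """
    classes: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("policy-map "):
            continue
        m = re.match(r"class\s+(\S+)$", line)
        if m:
            current = m.group(1)
            classes.setdefault(current, [])
            continue
        if current is not None:
            classes[current].append(line)
    return classes


def icmp_inspection_status(text: str) -> Dict[str, bool]:
    """Flags for the three statements discussed in the thread."""
    classes = parse_policy_map(text)
    inspect_default = set(classes.get("inspection_default", []))
    class_default = set(classes.get("class-default", []))
    return {
        "inspect_icmp": "inspect icmp" in inspect_default,
        "inspect_icmp_error": "inspect icmp error" in inspect_default,
        # Optional; added via FlexConfig in the thread so traceroute shows the firewall hop.
        "decrement_ttl": "set connection decrement-ttl" in class_default,
    }


def missing_for_ping(text: str) -> List[str]:
    """Names of the ICMP inspection statements that are absent (empty list = all present)."""
    status = icmp_inspection_status(text)
    return [k for k in ("inspect_icmp", "inspect_icmp_error") if not status[k]]


if __name__ == "__main__":
    print(icmp_inspection_status(SAMPLE_POLICY_MAP))
    print("missing:", missing_for_ping(SAMPLE_POLICY_MAP))
```

Paste the real output of the CLI command into `SAMPLE_POLICY_MAP` (or read it from a file) to run the same check against a live box; an empty `missing_for_ping` result means the ICMP inspection side is in place and the problem lies elsewhere, for example in the route, ACL or NAT for the management interface.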
06-01-2018 02:46 AM
Hello Marvin, thanks for the reply.
Yes, the inspect rule is there :
> show running-config policy-map global_policy
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
The NAT rule is there:
See png attached.
The ACL you mentioned, I am not sure if it is needed, as traffic is inspected.
In addition, name resolution works fine:
> nslookup www.cisco.com
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
www.cisco.com canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net canonical name = wwwds.cisco.com.edgekey.net.
wwwds.cisco.com.edgekey.net canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.net.
wwwds.cisco.com.edgekey.net.globalredir.akadns.net canonical name = e2867.dsca.akamaiedge.net.
Name: e2867.dsca.akamaiedge.net
Address: 104.103.88.32
But ping still fails:
> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.
^C
--- e2867.dsca.akamaiedge.net ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7005ms
Thanks.
06-01-2018 08:43 PM
Hmm - yes it appears you have all the bits in place to allow the traffic. From what you've shared I'm not sure why it isn't working.
I'd suggest a packet capture but it appears you're running FDM which doesn't currently support that. Perhaps you could try doing a packet-tracer from the cli to check the flow.
06-04-2018 03:54 AM
Hi Marvin
I followed a different approach and decided to change the Management IP settings, as you can see in the png attached.
Now i can do successful system pings without adding any ACL or NAT rule.
For example:
> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.
64 bytes from a104-103-88-32.deploy.static.akamaitechnologies.com (104.103.88.32): icmp_seq=1 ttl=59 time=27.7 ms
64 bytes from a104-103-88-32.deploy.static.akamaitechnologies.com (104.103.88.32): icmp_seq=2 ttl=59 time=27.8 ms
and :
> ping 104.103.88.32
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 104.103.88.32, timeout is 2 seconds:
!!!!!
One thing that bothers me is that the NTP server is always grayed out on the home screen of the ASA, and from the command line it does not get updated.
> show ntp
NTP Server : 91.217.155.60 (dbs01.microbase.net.gr, dbs02.microbase.net.gr)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
NTP Server : 37.58.57.238 (de.danzuck.eu)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
NTP Server : 155.207.113.227 (postmortem.csd.auth.gr)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
Thanks!
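The condition shown in the `show ntp` output above (every configured server at Status Unknown with no Last Update) is easy to miss on a box with several servers, so a small parser that flags it is handy in a health-check script. The following Python is an added example, not code from this thread or from Cisco; the sample text is constructed from the posted output, and the exact Status string FTD prints once a server has synchronized is assumed not to be "Unknown", so the check keys only on the "Unknown" and "-" markers seen here.

```python
"""Parse FTD 'show ntp' output into records and flag servers that have never
synchronized. Added example for this thread; not Cisco code."""
from typing import Dict, List

# Constructed from the output posted in the thread (not a live capture).
SAMPLE_SHOW_NTP = """\
NTP Server : 91.217.155.60 (dbs01.microbase.net.gr, dbs02.microbase.net.gr)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
NTP Server : 37.58.57.238 (de.danzuck.eu)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
NTP Server : 155.207.113.227 (postmortem.csd.auth.gr)
Status : Unknown
Offset : 0.000 (milliseconds)
Last Update : - (seconds)
"""


def parse_show_ntp(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'NTP Server' block, keyed by the field names in the output."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # not a 'Field : value' line; ignore
        if key == "NTP Server":
            # "<address> (<name>, <name>)" -> split the address from the names
            addr, _, names = value.partition(" ")
            records.append({"server": addr, "names": names.strip("()")})
        elif records:
            records[-1][key] = value
    return records


def never_synced(text: str) -> List[str]:
    """Addresses whose Status is 'Unknown' or whose Last Update is '-' (never updated).

    Assumption (not confirmed by the thread): a synchronized server shows a status
    other than 'Unknown' and a numeric Last Update, so only these markers are flagged.
    """
    flagged: List[str] = []
    for rec in parse_show_ntp(text):
        status = rec.get("Status", "")
        last_update = rec.get("Last Update", "")
        if status == "Unknown" or last_update.startswith("-"):
            flagged.append(rec["server"])
    return flagged


if __name__ == "__main__":
    for rec in parse_show_ntp(SAMPLE_SHOW_NTP):
        print(rec)
    print("never synced:", never_synced(SAMPLE_SHOW_NTP))
```

If every server comes back flagged, as in the posted output, the cause is usually a path problem from the management interface (the same route/NAT question raised for `ping system` earlier in the thread) rather than a fault in any one server.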