ICMP from within the ASA 5506-x with FTD 6.2 fails

Hi,

When pinging from within the ASA box running FTD 6.2, it fails. The configuration is out of the box, so nothing strange there.

For example:

> ping  system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.

^C
--- e2867.dsca.akamaiedge.net ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 26006ms

I have connectivity from hosts in the inside zone to the internet but cannot ping through the box. I recall that in classic ASA OS I should enable ICMP inspect in order for this to work; is this the same case with this ASA running the FTD software?

Thank you all!

4 Replies

Marvin Rhoads
Hall of Fame

There was a release in which they broke the icmp inspect (6.1 maybe?), but on 6.2 it should be there by default. You can check your Lina (legacy ASA code) section of the configuration from the cli and confirm:

> show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
>

Note I do have decrement-ttl in there via FlexConfig to make traceroute work properly through the firewall.

"ping system" will use the management interface. Is there a route, ACL and NAT rule along the path that will allow that traffic? If there is, it should work.

Cisco Fire Linux OS v6.2.3 (build 13)
Cisco Firepower Threat Defense for VMWare v6.2.3.1 (build 43)

> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.33.21) 56(84) bytes of data.
64 bytes from a104-103-33-21.deploy.static.akamaitechnologies.com (104.103.33.21): icmp_seq=1 ttl=60 time=26.6 ms
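As an added example (not code from this thread or from Cisco), the following Python parses a `show running-config policy-map` dump like the one quoted in this reply and reports whether `inspect icmp` and `inspect icmp error` are enabled under `inspection_default`, so the check described above can be scripted across many boxes instead of eyeballed. The sample text is an abridged copy of the output above with trailing spaces removed; the helper names are my own.

```python
"""Audit a Lina 'show running-config policy-map' dump for ICMP inspection.

Added example, not from this thread or from Cisco. It parses the policy-map
text into policy -> class -> actions and reports whether 'inspect icmp' and
'inspect icmp error' are enabled under inspection_default, which is the first
thing to confirm when self-originated pings fail. SAMPLE_POLICY_MAP is an
abridged copy of the output quoted in the reply above; the helper names are
my own.
"""

# Constructed sample (abridged from the reply above, trailing spaces removed).
SAMPLE_POLICY_MAP = """\
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
  set connection decrement-ttl
!
"""


def parse_policy_map(text):
    """Return {policy_name: {class_name: [action, ...]}} from Lina config text.

    Indentation carries the structure: 'policy-map' at column 0, 'class' at one
    space, actions at two spaces. Separator lines ('!') and blanks are skipped.
    """
    policies = {}
    policy = None
    cls = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0 and body.startswith("policy-map "):
            # 'policy-map type inspect dns X' also starts with 'policy-map';
            # take the last token so both forms yield a usable name.
            policy = body.split()[-1]
            policies[policy] = {}
            cls = None
        elif indent == 1 and body.startswith("class ") and policy is not None:
            cls = body.split(None, 1)[1]
            policies[policy][cls] = []
        elif indent >= 2 and policy is not None and cls is not None:
            policies[policy][cls].append(body)
    return policies


def icmp_inspection_status(text, policy="global_policy", cls="inspection_default"):
    """Map each ICMP inspection to True/False for the given policy and class."""
    actions = parse_policy_map(text).get(policy, {}).get(cls, [])
    return {name: name in actions for name in ("inspect icmp", "inspect icmp error")}


def missing_icmp_inspections(text):
    """Names of the ICMP inspections that are absent; [] means both are enabled."""
    return [name for name, on in icmp_inspection_status(text).items() if not on]


if __name__ == "__main__":
    for name, on in icmp_inspection_status(SAMPLE_POLICY_MAP).items():
        print(f"{name:20s} {'enabled' if on else 'MISSING'}")
```

Feed it the raw output of the `show running-config policy-map global_policy` command and an empty list from `missing_icmp_inspections` confirms the inspection side is in place, which narrows the remaining suspects to the route, ACL and NAT path for the management interface.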

Hello Marvin, thanks for the reply.

Yes, the inspect rule is there:

> show running-config policy-map global_policy
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!

The NAT rule is there:

See PNG attached.

The ACL you mentioned, I am not sure if it is needed as traffic is inspected.

In addition, name resolution works fine:

> nslookup www.cisco.com
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
www.cisco.com   canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net        canonical name = wwwds.cisco.com.edgekey.net.
wwwds.cisco.com.edgekey.net     canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.net.
wwwds.cisco.com.edgekey.net.globalredir.akadns.net      canonical name = e2867.dsca.akamaiedge.net.
Name:   e2867.dsca.akamaiedge.net
Address: 104.103.88.32

But ping still fails:

> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.
^C
--- e2867.dsca.akamaiedge.net ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7005ms

Thanks.

Hmm - yes it appears you have all the bits in place to allow the traffic. From what you've shared I'm not sure why it isn't working.

I'd suggest a packet capture but it appears you're running FDM which doesn't currently support that. Perhaps you could try doing a packet-tracer from the CLI to check the flow.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html#anc16

Hi Marvin,

I followed a different approach and decided to change the Management IP settings as you can see in the PNG attached.

Now I can do successful system pings without adding any ACL or NAT rule.

For example:

> ping system www.cisco.com
PING e2867.dsca.akamaiedge.net (104.103.88.32) 56(84) bytes of data.
64 bytes from a104-103-88-32.deploy.static.akamaitechnologies.com (104.103.88.32): icmp_seq=1 ttl=59 time=27.7 ms
64 bytes from a104-103-88-32.deploy.static.akamaitechnologies.com (104.103.88.32): icmp_seq=2 ttl=59 time=27.8 ms

and:

> ping 104.103.88.32
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 104.103.88.32, timeout is 2 seconds:
!!!!!

One thing that bothers me is that the NTP server is always grayed out in the home screen of the ASA and from the command line it does not get updated.

> show ntp
NTP Server                : 91.217.155.60  (dbs01.microbase.net.gr, dbs02.microbase.net.gr)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 37.58.57.238  (de.danzuck.eu)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 155.207.113.227  (postmortem.csd.auth.gr)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

Thanks!
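As an added example (not code from this thread or from Cisco), the following Python turns the `show ntp` output quoted in this post into records and flags every server whose Status is `Unknown` or that has never reported a Last Update, so a monitoring job can alert on an unsynchronised firewall clock instead of relying on someone noticing a grayed-out widget. The sample text is a copy of the output above; the helper names are my own.

```python
"""Parse FTD 'show ntp' output and flag servers that have never synchronised.

Added example, not from this thread or from Cisco. SAMPLE_SHOW_NTP is a copy of
the 'show ntp' output quoted above, in which every server reports Status
'Unknown' and no Last Update; the functions turn that text into records so a
monitoring job can alert on the condition. Helper names are my own.
"""
import re

# Constructed sample: the 'show ntp' output pasted in the post above.
SAMPLE_SHOW_NTP = """\
NTP Server                : 91.217.155.60  (dbs01.microbase.net.gr, dbs02.microbase.net.gr)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 37.58.57.238  (de.danzuck.eu)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)

NTP Server                : 155.207.113.227  (postmortem.csd.auth.gr)
Status                    : Unknown
Offset                    : 0.000 (milliseconds)
Last Update               : - (seconds)
"""

# "Key   : value" lines; the key is padded with spaces before the colon.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")


def parse_show_ntp(text):
    """Return one dict per 'NTP Server' block, keyed by lower-cased field names."""
    servers = []
    current = None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # blank separator or unrecognised line
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "NTP Server":
            # e.g. "91.217.155.60  (dbs01.microbase.net.gr, dbs02.microbase.net.gr)"
            addr, _, names = value.partition("(")
            current = {
                "server": addr.strip(),
                "names": [n.strip() for n in names.rstrip(")").split(",") if n.strip()],
            }
            servers.append(current)
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    return servers


def unsynchronised_servers(text):
    """Addresses of servers whose Status is Unknown or that report no Last Update."""
    flagged = []
    for s in parse_show_ntp(text):
        never_updated = s.get("last_update", "-").startswith("-")
        if s.get("status", "Unknown") == "Unknown" or never_updated:
            flagged.append(s["server"])
    return flagged


def ntp_is_healthy(text):
    """True only when at least one server is listed and none is flagged."""
    servers = parse_show_ntp(text)
    return bool(servers) and not unsynchronised_servers(text)


if __name__ == "__main__":
    print("unsynchronised:", unsynchronised_servers(SAMPLE_SHOW_NTP))
```

An unsynchronised clock matters beyond the dashboard: event timestamps, certificate validity checks and log correlation all depend on it, so `ntp_is_healthy` returning False is worth an alert in its own right.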
