336 Views, 1 Helpful, 6 Replies

Ping thru a Cisco Firepower 2130 FTD inside to outside devices

DSterling
Level 1

I have tried and tried; here is a better explanation of what I'm trying to do: I want to be able to ping from switch 1 thru the inside interface to switch 2 connected to the outside interface.

[image: DSterling_0-1739380537240.png]

It seems that I should be able to create a policy rule like the one below that would allow everything. I applied the following service policy rule:

Source             Networks   Ports   Destination        Networks   Ports/Protocols
inside, outside    any        any     outside, inside    any        any

I still can't ping thru the FW. 

I can ping the inside 192.168.28.8 from SW1 and the outside 192.168.38.8 from SW2. 

I can ping from the FW to SW1 and SW2, but only on the interface they are connected (inside to SW1 and outside to SW2). I can't ping thru the FW from the inside to SW2 or from the outside to SW1. 

FYI: I have static routing setup on the switches. 

No NAT, it's a very basic setup. 

I want to be able to icmp/ping from SW1 (192.168.28.2) to SW2 (192.168.38.3) and from SW2 to SW1.

It seems like such a simple thing to do, but I haven't been able to get it to work. Does anyone have any ideas? 

Thank you,

Dave


6 Replies

Yes, you can do that; however, please keep in mind that if you try to ping an interface of the FTD coming from an opposite interface, that will not work. For instance, if you try to ping the outside interface of the FTD itself from a host connected to the inside interface, that will not work, and this is by design. To allow the pass-through ICMP traffic you just need to create a couple of security rules to allow it. One rule will be with the source inside zone and the destination outside zone, and the second one would be with the zones inverted. You can create a single rule having the inside and outside zones in both source and destination zones. You can also specify the subnets, and you need to specify ICMP "ports". Echo type is 8 with code 0, and echo reply is type 0 with no code ID.
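
Added illustration (not from this thread, Cisco, or the FTD software): a small Python model of the single zone rule described above, evaluated against the addresses from the original post. The zone map, the interface addresses, and the result labels are assumptions made for the example.

```python
import struct

# Constructed lab values from the thread: SW1 sits behind "inside", SW2 behind "outside".
FTD_INTERFACES = {"inside": "192.168.28.8", "outside": "192.168.38.8"}
ZONE_OF_PREFIX = {"192.168.28.": "inside", "192.168.38.": "outside"}  # assumed zone map

ECHO_REQUEST = (8, 0)  # ICMP type 8, code 0
ECHO_REPLY = (0, 0)    # ICMP type 0, code 0

# One rule with both zones on each side, as the reply above suggests; entries are
# (source zones, destination zones, allowed ICMP type/code pairs).
ICMP_RULE = ({"inside", "outside"}, {"inside", "outside"}, {ECHO_REQUEST, ECHO_REPLY})


def zone_for(ip):
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    raise ValueError(f"no zone for {ip}")


def icmp_type_code(icmp_header):
    """Type and code are the first two bytes of every ICMP header."""
    return struct.unpack("!BB", icmp_header[:2])


def evaluate(src_ip, dst_ip, icmp_header, rule=ICMP_RULE):
    """Classify one ICMP packet arriving at the FTD: 'allow' or 'deny' for
    through-the-box traffic; 'to-box' when aimed at the FTD's own address on the
    arrival interface; 'to-box-far-interface' when aimed at an FTD address on
    another interface, which the reply above notes is dropped by design."""
    src_zone = zone_for(src_ip)
    for iface, addr in FTD_INTERFACES.items():
        if dst_ip == addr:
            return "to-box" if iface == src_zone else "to-box-far-interface"
    dst_zone = zone_for(dst_ip)
    src_zones, dst_zones, allowed = rule
    if src_zone in src_zones and dst_zone in dst_zones and icmp_type_code(icmp_header) in allowed:
        return "allow"
    return "deny"


# Constructed sample headers: type, code, checksum, identifier, sequence number.
ECHO_REQUEST_HDR = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
ECHO_REPLY_HDR = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
UNREACHABLE_HDR = struct.pack("!BBHHH", 3, 1, 0, 0, 0)  # destination unreachable, not allowed
```

The model reproduces the two behaviours the reply describes: SW1 to SW2 echo and the matching echo reply pass, while a ping aimed at the far-side interface address is dropped before any rule is consulted.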

DSterling
Level 1

I have tried and tried; here is a better explanation of what I'm trying to do: I want to be able to ping from switch 1 thru the inside interface to switch 2 connected to the outside interface, and from SW2 to SW1.

[image: DSterling_1-1739297059418.png]

It seems that I should be able to create a policy rule like this that would allow everything. I applied the following service policy rule:

Source             Networks   Ports   Destination        Networks   Ports/Protocols
inside, outside    any        any     outside, inside    any        any

I still can't ping thru the FW. 

I can ping the inside 192.168.28.8 from SW1 and the outside 192.168.38.8 from SW2. 

I can ping from the FW to SW1 and SW2, but only on the interface they are connected (inside to SW1 and outside to SW2). I can't ping thru the FW from the inside to SW2 or from the outside to SW1. 

I want to be able to icmp/ping from SW1 to SW2 and from SW2 to SW1.

FYI: I have static routing setup on the switches. 

Do you have any NAT rule applied on the firewall? If so, what does it look like? It could be that the NAT rule is translating the traffic between the two switches, hence it's not working when you try to use the original IP addresses. Also, what default gateway have you configured on the endpoints connected to each switch?

No NAT, it's a very basic, basic setup. 

Could you please share the sanitized configs for review?

DSterling
Level 1

I'm going to close this and open a new question. 
