11-01-2019 03:24 AM
Hi guys,
I am having issues pinging my FTD internal interfaces. I can actually ping the WAN interface, no issue there. But for the LAN interface, packet tracer says "no route". I can ping the hosts inside the LAN. There are no specific ICMP rules in the Device Platform Policy on FMC. Any suggestions?
10.50.31.97/27 is my LAN interface.
Trace to host inside LAN:
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.97
Result:
input-interface: WAN
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.98
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.50.31.98 using egress ifc LAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
..etc
Trace to WAN interface:
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.11.39.106
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.11.39.106 using egress ifc identity
..etc
Thanks.
Labels: Firewalls
Accepted Solutions
11-01-2019 03:40 AM
That is to be expected. An FTD/ASA only responds to ICMP traffic sent to the interface that the traffic comes in on. So you cannot ping from the WAN interface through the firewall to the LAN interface; that's by design.
HTH
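A triage helper for the behaviour described in the accepted answer, added here as an example and not part of the original posts: it reads pasted packet-tracer output and flags runs whose destination is the firewall's own address on an interface other than the ingress one. The interface map, verdict labels and function names are assumptions for illustration; the trace text is abbreviated from the thread.

```python
import re

# Firewall's own interface addresses, as given in the thread.
INTERFACES = {"WAN": "10.11.39.106", "LAN": "10.50.31.97"}

# Trace output abbreviated from the thread's three packet-tracer runs.
SAMPLE = """\
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.97
Action: drop
Drop-reason: (no-route) No route to host
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.50.31.98
Type: ROUTE-LOOKUP
found next-hop 10.50.31.98 using egress ifc LAN
> packet-tracer input WAN icmp 10.11.28.169 0 0 10.11.39.106
Type: ROUTE-LOOKUP
found next-hop 10.11.39.106 using egress ifc identity
"""

CMD = re.compile(r"packet-tracer input (\S+) icmp \S+ \d+ \d+ (\S+)")
DROP = re.compile(r"Drop-reason: \(([^)]+)\)")


def classify(trace, interfaces=INTERFACES):
    """Return (destination, verdict) for one packet-tracer run."""
    cmd = CMD.search(trace)
    if not cmd:
        raise ValueError("no packet-tracer command found")
    ingress, dst = cmd.groups()
    # Which firewall interface, if any, owns the destination address?
    owner = next((n for n, ip in interfaces.items() if ip == dst), None)
    if owner and owner != ingress:
        # Firewall's own address on another interface: no reply, by design.
        return dst, "far-side-interface"
    if owner:
        return dst, "to-the-box"
    if DROP.search(trace):
        # A real host behind the firewall was dropped: worth investigating.
        return dst, "through-the-box-drop"
    return dst, "through-the-box"


def classify_all(text, interfaces=INTERFACES):
    """Split pasted CLI output into runs and classify each one."""
    runs = re.split(r"(?m)^(?=>?\s*packet-tracer )", text)
    return [classify(r, interfaces) for r in runs if r.strip()]


if __name__ == "__main__":
    for dst, verdict in classify_all(SAMPLE):
        print(f"{dst}: {verdict}")
```

Only the `through-the-box-drop` verdict points at a routing or policy problem; `far-side-interface` is the expected result the answer describes.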
11-01-2019 03:45 AM
Ah, missed that ;-)
Thanks!
