Does anyone have an FTD based firewall running, where traceroute through it works ?
In ASA, enabling inspection of icmp/icmp error, allowed traceroute to match icmp replies and allow them, without having to open icmp return packets on the outside interface.
This as far as i can tell, is not the case with FTD, I have no policies allowing any traffic from outside->inside, which is what i wan't. The FTD is not blocking the return packets for http/https or any other regular protocol, however it does seem to be blocking the return icmp packets, it seems like the old-style ASA icmp/icmp error inspection, is not working like it used to.
Anyone having problems with traceroute and FTD also ?
There is a bug with 6.1, 6.2 (and even the soon-to-be-released 6.2.1) that may apply to your issue:
The Bug description doesn't say so, but you should be able to use FlexConfig on 6.2+ to add the inspect statements back into the configuration.
Thanks for the update. the BugID needs to be updated to show 184.108.40.206 as a known fixed release.
Unfortunately the fix did not make it in to 6.2.1. Maybe 6.2.2...?
Yes, The fix will be integrated for 6.2.2. We are also trying to get a document out with details. (Specially for FP2100 devices). I will correct the bug fixed versions.
... wish I had found this thread earlier. Been bashing my head for quite a few days.
Can anyone confirm this was actually fixed? I'm running 220.127.116.11 on my lab device and the echo reply is still being blocked by the FTD sensor for any hops in the path. It works though for the destination address, but I could then just use a simple ping for that...
Here's my working configuration that allows both icmp reachability and proper traceroute output (i.e. with first route at FTD firewall reported) from my setup. Basically icmp is being inspected by default but I needed to add the echo replies (both Windows and Unix style) inbound (a platform setting) and also set my policy-map to decrement TTL ( a FlexConfig setup).
Sorry but no - FDM does not support FlexConfigs.
Those are one of several configuration options not supported via FDM. Others include:
multiple local users
certificates (other than the self-signed one)*
centralized management of multiple devices
*limited certificate support is now available - no CSR capability.
Thank you again :) haha you have removed the site-to-site VPN from the list, thats correct :)
...but I will check that with the certificates double, as I saw an option to upload your own.
Hopefully cisco pushes the development a little bit more for the FTD.
Thanks Leon for pointing out the certificate bit. I updated my earlier post to correct it.
I had missed that but found it when I dug into my ASA 5506 running FTD with FDM.
It looks like you can upload but need to generate the key off-box (i.e. no Certificate Signing Request capability). So the super simple GUI requires you also be handy with openssl cli to generate a private key and CSR and then send it off to your CA.