Solved: Re: Traceroute through FTD

Colin Higgins · ‎01-31-2019

I am trying to get traceroute to work from my internal network to the Internet through a FTD2110 managed by FMC running 6.2.3 code

I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).

I also added the Flex config statement to decrement the TTL

But this still isn't working. Is this a bug? Unsupported?

Marvin Rhoads · ‎02-01-2019

Here's what the relevant bits in an FTD running-config should look like:

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
<snip>
  inspect icmp 
  inspect icmp error 
 class class-default
 <snip>
 set connection decrement-ttl

Can you confirm you have those?

If so, have you tried a packet-tracer diagnostic and what does it show?

View solution in original post

Marvin Rhoads · ‎11-25-2019

Yes. I just confirmed it in my lab.

FDM Decrement TTL

View solution in original post

Sheraz.Salim · ‎01-31-2019

check link

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71096

please do not forget to rate.

Colin Higgins · ‎01-31-2019

Unfortunately, that isn't working either

the GUI doesn't interpret the rule correctly--when you try to add OSPF(89) as a port, it simply defaults to "any"

But that isn't the underlying problem. The issue I am having is that the FTD won't pass the traceroute traffic period--it is dropping the ICMP on the outside interface. I don't even get to the TTL issue

(wishing we were still using the ASA ...)

Marvin Rhoads · ‎01-31-2019

Have you seen the instructions at packetu.com? Paul Stewart does a nice job of walking through the necessary configuration there:

https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/

I have it working like that on several FTD deployments.

Colin Higgins · ‎01-31-2019

yes I did, and verified the configuration in CLI. Everything looks correct.

Marvin Rhoads · ‎02-01-2019

Here's what the relevant bits in an FTD running-config should look like:

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
<snip>
  inspect icmp 
  inspect icmp error 
 class class-default
 <snip>
 set connection decrement-ttl

Can you confirm you have those?

If so, have you tried a packet-tracer diagnostic and what does it show?

Colin Higgins · ‎02-18-2019

i turns out that there was another rule in the access policy that was higher up and causing the problem.

gcube · ‎11-25-2019

Hi

Is this supported on FTD 6.5 FDM to enable the FW as a hop on the traceroute?

thanks.

Marvin Rhoads · ‎11-25-2019

Yes. I just confirmed it in my lab.

FDM Decrement TTL

CiscoBrownBelt · ‎07-18-2023

I noticed you can set a ICMP policy for FTD via FMC under Platform settings. Anyways, I tried creating a policy to deny ICMP any in there for Outside interface but it did not work. Is just creating a flex config the best way to deny ICMP on let's say Outside interface?

Rob Ingram · ‎07-18-2023

@CiscoBrownBelt you'd only use flexconfig if configuring a control plane ACL. ICMP "to* to FTD is controlled separately via platform settings. Controlling traffic "through" the FTD is via the ACP rules.

CiscoBrownBelt · ‎07-19-2023

Great thanks again. Thats what I initially tried but it never applied given an error - had to just choose IPv4 networks as source.

CiscoBrownBelt · ‎07-19-2023

If I want to still be able to ping out the interface, you need to still do an allow because an implicit deny is applied to these platform policies correct? If I block code 0 (even tried 8), then add a permit any icmp after it, it does not disable ping replies but does allow pings out.

Rob Ingram · ‎07-19-2023

@CiscoBrownBelt If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/platform_settings_for_firepower_threat_defense.html?bookSearch=true#task_42BBA666CD604517ADA18B32CA162F62

CiscoBrownBelt · ‎07-19-2023

Nevermind looks like in running config the permit any is being processed first as opposed to how I see it in the FMC GUI