Traceroute through FTD

Colin Higgins
Level 2

I am trying to get traceroute to work from my internal network to the Internet through an FTD2110 managed by FMC running 6.2.3 code.

I created an access policy allowing ICMP type 3 and 11 from the outside to the inside. I added ICMP permit statements in the Platform Settings for the device (3 and 11 on the outside interface to any-ipv4).

I also added the Flex config statement to decrement the TTL.

But this still isn't working. Is this a bug? Unsupported?

2 Accepted Solutions


Here's what the relevant bits in an FTD running-config should look like:

icmp permit any time-exceeded <your outside interface name>
icmp permit any unreachable <your outside interface name>
!
policy-map global_policy
<snip>
  inspect icmp
  inspect icmp error
 class class-default
 <snip>
 set connection decrement-ttl

Can you confirm you have those?

If so, have you tried a packet-tracer diagnostic and what does it show?


Yes. I just confirmed it in my lab.

[Screenshot: FDM Decrement TTL]

16 Replies

Unfortunately, that isn't working either.

The GUI doesn't interpret the rule correctly--when you try to add OSPF(89) as a port, it simply defaults to "any".

But that isn't the underlying problem. The issue I am having is that the FTD won't pass the traceroute traffic, period--it is dropping the ICMP on the outside interface. I don't even get to the TTL issue.

(wishing we were still using the ASA ...)

Have you seen the instructions at packetu.com? Paul Stewart does a nice job of walking through the necessary configuration there:

https://packetu.com/2018/08/12/traceroute-through-firepower-threat-defense/

I have it working like that on several FTD deployments.

Yes, I did, and verified the configuration in the CLI. Everything looks correct.


It turns out that there was another rule in the access policy that was higher up and causing the problem.

Hi,

Is this supported on FTD 6.5 FDM to enable the FW as a hop on the traceroute?

Thanks.


I noticed you can set an ICMP policy for FTD via FMC under Platform Settings. Anyway, I tried creating a policy to deny ICMP any in there for the Outside interface, but it did not work. Is just creating a flex config the best way to deny ICMP on, let's say, the Outside interface?

@CiscoBrownBelt you'd only use FlexConfig if configuring a control plane ACL. ICMP "to" the FTD is controlled separately via Platform Settings. Controlling traffic "through" the FTD is via the ACP rules.

Great, thanks again. That's what I initially tried, but it never applied and gave an error - I had to just choose IPv4 networks as the source.

If I want to still be able to ping out of the interface, do I need to still add an allow, because an implicit deny is applied to these platform policies, correct? If I block code 0 (even tried 8), then add a permit any ICMP after it, it does not disable ping replies but does allow pings out.

@CiscoBrownBelt If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/platform_settings_for_firepower_threat_defense.html?bookSearch=true#task_42BBA666CD604517ADA18B32CA162F62
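As an added illustration (not code from this thread or from Cisco), the following Python check reads a constructed running-config excerpt modelled on the one in the accepted answer, reports whether the pieces needed for traceroute through the box are present, and evaluates an interface's to-the-box ICMP rule list first-match with the implicit deny described in the reply above. It assumes the icmp rules are written with source `any`, and it only recognises the four ICMP type names it maps (numeric types also work).

```python
import re

# Constructed sample, modelled on the running-config excerpt posted above.
SAMPLE_CONFIG = """\
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any echo outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
"""

# ICMP type names with their numeric codes, so a rule written as "11"
# matches a query for "time-exceeded" (only these four are mapped here).
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}
RULE_RE = re.compile(r"icmp (permit|deny) any(?: (\S+))? (\S+)$")


def _type_key(name):
    """Normalise a type name or number to an int; 'any' or no type becomes None."""
    if name in (None, "any"):
        return None
    return ICMP_TYPES.get(name, int(name) if name.isdigit() else name)


def traceroute_readiness(config, outside):
    """Report which of the pieces listed in the accepted answer are present."""
    stripped = [line.strip() for line in config.splitlines()]
    return {
        "time_exceeded_to_box": f"icmp permit any time-exceeded {outside}" in stripped,
        "unreachable_to_box": f"icmp permit any unreachable {outside}" in stripped,
        "inspect_icmp_error": "inspect icmp error" in stripped,
        "decrement_ttl": "set connection decrement-ttl" in stripped,
    }


def icmp_to_box_allowed(config, interface, msg_type):
    """First-match evaluation of one interface's to-the-box ICMP rule list.
    No rules at all means the interface accepts every ICMP type; once any
    rule exists for it an implicit deny closes the list, so both rule order
    and a trailing permit-any matter."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) == interface:
            rules.append((m.group(1), _type_key(m.group(2))))
    if not rules:
        return True
    wanted = _type_key(msg_type)
    for action, rule_type in rules:
        if rule_type is None or rule_type == wanted:
            return action == "permit"
    return False  # implicit deny at the end of the list
```

With the sample above, echo-reply to the outside interface is dropped by the implicit deny even though no rule names it; appending `icmp permit any outside` fixes that, while putting the permit-any first would make the echo deny unreachable.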

Never mind, it looks like in the running config the permit any is being processed first, as opposed to how I see it in the FMC GUI.
