10-12-2016 11:23 AM - edited 03-12-2019 01:23 AM
We are currently running an FTD evaluation in our test environment and running into a small but annoying issue. We are unable to ping from a host on the inside to an IP on the internet (8.8.8.8 for example); I simply get "request timed out" from the host. I am, however, able to browse the web over the FTD. The only thing I have found that stands out are the counters in NAT:
1 (inside) to (outside) source dynamic Broadmoor interface
translate_hits = 3005, untranslate_hits = 2895
The untranslate_hits increases only when I ping from the inside out to the internet. I've looked over the NAT setup and everything looks correct. We had access to the beta of 6.1 in the past (with the same setup) and this was not an issue. Was something added to the live release that I am missing?
10-12-2016 12:51 PM
ICMP inspection should be turned on by default in FTD. I don't have a 6.1 box in front of me, but I know I just verified it in a 6.2 lab this week.
It doesn't show up in the device manager but you can check it in the running configuration if you login via the command prompt.
If it's not inspecting ICMP, you cannot change inspections in 6.1. That feature will be in 6.2 via Flex Configs.
10-12-2016 01:04 PM
Thanks for your help. I checked in the running config and did not see ICMP in the list of inspected items. I ended up creating an access policy allowing ICMP (under the applications tab) from outside -> inside, but I have no idea if that is the correct way to handle such a problem; FTD is very new to me, as I am sure is the case for many people. Is there a way to edit the list of inspected items from within the Firepower Management Center?
10-12-2016 01:07 PM
An ACL will do it, but that opens things up a bit too much for most purposes.
You will have to wait until 6.2 (coming out next month we hope) to modify the inspection policies.
Think of FTD 6.1 as a "1.0" release - still pretty brand new.
10-12-2016 01:09 PM
That's exciting news about 6.2; I had heard March for a release.
Thank you for your help.
10-12-2016 01:42 PM
I checked the beta version of FTD 6.1 and sure enough inspect icmp is in the list; I wonder why they removed it from the final release?
01-31-2017 11:14 AM
We just encountered the same issue on a FTD 6.2 and the fix was to add Default_Inspection_Enable to the FlexConfig policy and add 'icmp' to the 'enableInspectProtocolList' overrides.
This adds icmp to the 'policy-map global_policy' after which the ping was working.
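The replies above say to verify ICMP inspection in the running configuration from the CLI, and this post says the FlexConfig fix ends up adding icmp to 'policy-map global_policy'. The following Python script is an added example, not code from the thread or from Cisco: it parses the output of the ASA/FTD command "show running-config policy-map" and reports whether 'inspect icmp' is present in the inspection_default class of global_policy. Both configuration samples embedded in it are constructed to mirror what the thread describes (a 6.1-style policy without icmp, and the same policy after the FlexConfig), not captured from a real device, and the list of default inspections in them is illustrative only.

```python
"""Check an ASA/FTD 'show running-config policy-map' dump for ICMP inspection.

Added example (not from the thread): without 'inspect icmp' in the global
service policy, echo replies coming back from the internet are not matched
to a stateful connection and are dropped unless an access rule permits them
inbound, which is the behaviour the original poster worked around with an
outside -> inside ICMP rule.
"""
import re

# Constructed sample: 6.1-style global_policy with no 'inspect icmp'.
POLICY_MAP_61 = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
"""

# Constructed sample: the same policy after the Default_Inspection_Enable
# FlexConfig added icmp to the enableInspectProtocolList.
POLICY_MAP_62_FIXED = POLICY_MAP_61 + "  inspect icmp\n"


def parse_policy_maps(config_text):
    """Return {policy_map_name: {class_name: [inspected protocol, ...]}}.

    Only plain 'policy-map <name>' blocks are collected; the
    'policy-map type inspect ...' parameter maps are skipped because they
    are referenced by an inspect line, not applied by service-policy.
    """
    maps = {}
    current_map = None
    current_class = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if indent == 0:
            # New top-level stanza: reset context.
            current_map = current_class = None
            m = re.match(r"policy-map (\S+)$", text)
            if m:
                current_map = m.group(1)
                maps[current_map] = {}
        elif indent == 1 and current_map is not None:
            m = re.match(r"class (\S+)$", text)
            current_class = m.group(1) if m else None
            if current_class:
                maps[current_map][current_class] = []
        elif indent >= 2 and current_map is not None and current_class is not None:
            # 'inspect dns preset_dns_map' -> protocol 'dns'.
            m = re.match(r"inspect (\S+)", text)
            if m:
                maps[current_map][current_class].append(m.group(1))
    return maps


def inspected_protocols(config_text, policy_map="global_policy",
                        class_name="inspection_default"):
    """Sorted, de-duplicated list of protocols inspected in the given class."""
    maps = parse_policy_maps(config_text)
    return sorted(set(maps.get(policy_map, {}).get(class_name, [])))


def icmp_inspected(config_text):
    """True when 'inspect icmp' is present in global_policy/inspection_default."""
    return "icmp" in inspected_protocols(config_text)


if __name__ == "__main__":
    for label, cfg in (("6.1 sample", POLICY_MAP_61),
                       ("6.2 sample after FlexConfig", POLICY_MAP_62_FIXED)):
        state = "inspected" if icmp_inspected(cfg) else "NOT inspected"
        print(f"{label}: icmp {state}; inspected: {inspected_protocols(cfg)}")
```

To run it against a real box, replace the constructed sample with the text of "show running-config policy-map" pasted from the FTD CLI; the parser keys on the one-space indentation that ASA-style configuration uses for class and inspect lines.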
02-22-2017 01:03 AM
Hi Alexander,
Can you please confirm how you did this on 6.2 as I am having issues pinging the IP addresses of interfaces configured.
Looking at the CLI, it already has an inspect ICMP but this is not working.
How did you create the variable ICMP?
Your help would be very much appreciated.
02-22-2017 01:52 AM
The icmp inspection is only required for icmp packets going through the ASA, not to the ASA.
For those to the ASA, you need to allow the IPs to e.g. send echo-request packets to the interface via the system policy.
03-29-2017 07:16 AM
Hi,
Thanks a lot, adding icmp to the 'enableInspectProtocolList' overrides permits icmp through FTD 6.2.0, and hosts are reachable.
Do you know if there is a best practices doc or basic to-do list for FTD 6.x?
08-06-2019 02:29 AM
@Alexander Hartmaier wrote: We just encountered the same issue on a FTD 6.2 and the fix was to add Default_Inspection_Enable to the FlexConfig policy and add 'icmp' to the 'enableInspectProtocolList' overrides.
This adds icmp to the 'policy-map global_policy' after which the ping was working.
Hi Alexander Hartmaier,
Can you provide the steps to execute?
Thank you!
10-17-2017 09:03 AM
Hi Marvin,
I am still not able to ping after doing ICMP inspection and allowing ICMP in a bidirectional policy, but I am able to access other applications like RDP between hosts in different VLANs.
FTD version is 6.2.1 and FMC version is 6.2.2.
Should I upgrade FTD from 6.2.1 to 6.2.2, or could it be something else?