cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14598
Views
5
Helpful
11
Replies

Unable to ping inside -> out from behind FTD 6.1

We are currently running an FTD evaluation in our test environment and running into a small, but annoying issue. We are unable to ping from a host on the inside on the inside to an IP on the internet (8.8.8.8 for example), I simply get "request timed out" from the host. I am however able to browse the web over the FTD. The only only thing I have found that stands out are the counters in NAT:


1 (inside) to (outside) source dynamic Broadmoor interface
    translate_hits = 3005, untranslate_hits = 2895


The untranslate_hits increases only when I ping from the inside out to the internet. I've looked over the NAT setup and everything looks correct. We had access to the beta of 6.1 in the past (with the same setup) and this was not an issue. Was something added to the live release that I am missing?

1 Accepted Solution

Accepted Solutions

An ACL will do it, but that opens things up a bit too much for most purposes.

You will have to wait until 6.2 (coming out next month we hope) to modify the inspection policies.

Think of FTD 6.1 as a "1.0" release - still pretty brand new. 

View solution in original post

11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

ICMP inspection should be turned on by default in FTD. I don't have a 6.1 box in fornt of me but I know I just verified in in a 6.2 lab this week.

It doesn't show up in the device manager but you can check it in the running configuration if you login via the command prompt.

If it's not inspecting ICMP, you cannot change inspections in 6.1. That feature will be in 6.2 via Flex Configs.

Thanks for your help. I checked in the running config and did not see ICMP in the list of inspected items. I ended up creating an access policy allowing ICMP (under the applications tab) from outside -> inside, but I have no idea if that is the correct way to handle such a problem, FTD is very new to me, as I am sure is the case for many people. Is there a way to edit the list of inspected items from within the Firepower Management Center?

An ACL will do it, but that opens things up a bit too much for most purposes.

You will have to wait until 6.2 (coming out next month we hope) to modify the inspection policies.

Think of FTD 6.1 as a "1.0" release - still pretty brand new. 

That's exciting news about 6.2, I had heard March for a release.

Thank you for your help.

I checked the beta version of FTD 6.1 and sure enough inspect icmp is in the list, I wonder why they removed it from the final release?

We just encountered the same issue on a FTD 6.2 and the fix was to add Default_Inspection_Enable to the FlexConfig policy and add 'icmp' to the 'enableInspectProtocolList' overrides.

This adds icmp to the 'policy-map global_policy' after which the ping was working.

Hi Alexander,

Can you please confirm how you did this on 6.2 as I am having issues pinging the IP addresses of interfaces configured.

Looking at the CLI, it already has an inspect ICMP but this is not working.

How did you create the variable ICMP?

Your help would be very much appreciated.

The icmp inspection is only required for icmp packets going through the ASA, not to the ASA.

For to the ASA you need to allow the IPs to e.g. send echo-request packets to the interface via the system policy.

Hi,

Thanks a lot, adding icmp to the 'enableInspectProtocolList' overrides permit the icmp through FTD 6.2.0 to be reachable.

Do you know if there is a best practices doc or basic todo list on FTD 6.x ?


@Alexander Hartmaier wrote:

We just encountered the same issue on a FTD 6.2 and the fix was to add Default_Inspection_Enable to the FlexConfig policy and add 'icmp' to the 'enableInspectProtocolList' overrides.

This adds icmp to the 'policy-map global_policy' after which the ping was working.



Hi Alexander Hartmaier ,

 

Can you provide the step to execute ?

 

Thanks you!

HI Marvin

 

i am still not able to ping after doing ICMP inspection and allowed ICMP in bidirectional policy but i am able to access other application like RDP between host in different VLANs. 

FTD version is  6.2.1 and FMC version is 6.2.2.

 

should i need to upgrade FTD version 6.2.1 to 6.2.2 or it can be something else ?

 

 

Review Cisco Networking for a $25 gift card