451 Views | 1 Helpful | 8 Replies

Firewall 1000 issue

GatLMCO
Level 1

I have a LAN composed of PC to Switch, Switch to Firewall, Firewall to Router. The Switch can ping the Router across the Firewall (FTD), and vice versa the Router can ping the Switch. The PC can ping the Switch, and the PC can ping the Firewall inside interface, but the PC cannot ping the Router. What could be missing?

8 Replies

M02@rt37
VIP

Hello @GatLMCO 

Missing a rule on the Firewall?

Do a "tcpdump" on the Firewall on the outside interface and ping the Router from the PC. Check if you see the packet.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi,
Thanks for your response.
-ACL rules are set up to allow traffic in and out of the firewall, and they appear to be working fine for networked devices, but not for the PC. I am also able to ping the PC from the Router that is connected to the outside interface of the Firewall.
-I have tried "system support trace" from the PC to the Router on the outside interface of the FW, but I get no response. If I try the same from the Router to the Switch, all looks good.

@GatLMCO 

Deactivate the PC firewall please @GatLMCO 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

@GatLMCO

Do you have a NAT rule for the network the PC is on to translate the traffic?
If not using NAT are there routes on the routers for the PC's network via the FTD interface?
Is there a host based firewall on the PC that could block the ping from the router?
Do you have the Access Control rules to permit the traffic between the router and the PC?

Run packet-tracer from the CLI to simulate the traffic flow from the router to the PC and provide the output for review
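As an added illustration of the capture and packet-tracer checks suggested in the replies above (this is not from the original thread), the commands below are typed at the FTD CLI. The addresses are assumptions chosen for the example: PC 10.1.1.10 on the inside network 10.1.1.0/24, FTD inside 10.1.1.1, FTD outside 192.168.1.1, Router 192.168.1.2.

```cisco
! Added example, not from the thread. Assumed addresses:
!   PC 10.1.1.10 (inside 10.1.1.0/24), FTD inside 10.1.1.1,
!   FTD outside 192.168.1.1, Router 192.168.1.2.

! 1. Simulate the PC's echo request (ICMP type 8, code 0) entering the inside interface.
!    Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, INSPECT, ...) prints ALLOW or DROP;
!    a DROP shows the Drop-reason that points at the missing piece.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.1.2 detailed

! 2. Simulate the reverse direction: the Router's echo request toward the PC arriving on outside.
!    DROP at ROUTE-LOOKUP  -> the FTD has no route back to 10.1.1.0/24.
!    DROP at ACCESS-LIST   -> the rule covers the Switch's address but not the PC's.
!    DROP at NAT           -> a NAT rule matches the flow but has no usable translation.
packet-tracer input outside icmp 192.168.1.2 8 0 10.1.1.10 detailed

! 3. Capture live ICMP on both interfaces, then ping 192.168.1.2 from the PC.
capture capin  interface inside  match icmp host 10.1.1.10 host 192.168.1.2
capture capout interface outside match icmp host 10.1.1.10 host 192.168.1.2
show capture capin
show capture capout
! Request on capin but nothing on capout     -> the FTD dropped it (see packet-tracer).
! Request on capout but no reply on capout   -> the Router has no route to 10.1.1.0/24
!                                               (or the PC's source address is not translated).
! Request and reply on capout, reply missing on capin -> the FTD dropped the reply.
no capture capin
no capture capout

! 4. Confirm the items asked about in the thread.
show route         ! is 10.1.1.0/24 known to the FTD, and how does it reach 192.168.1.0/24?
show nat           ! is there a NAT rule for 10.1.1.0/24, and how many hits does it have?
show access-list   ! does a permit entry include 10.1.1.10, or only the Switch's address?
```

Run the two packet-tracer commands first; the phase at which the simulated packet is dropped usually answers the NAT, route or access-rule question without any further capture.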

I have Access Control rules to permit traffic between Switch to Firewall to Router, and vice versa. Ping works for all, except that the PC is not able to ping the router, and the router cannot ping the PC. However, the PC can ping the Switch and the FTD inside interface, and vice versa. How would you set up an Access Control rule to permit the traffic between the router and the PC?

If there is already an implicit ACL rule to permit traffic between the Switch and the Router and vice versa, would it not suffice for the PC connected to an access port on the Switch?

@GatLMCO if you have an ACL to permit traffic between the switch and the router, then no, it would not necessarily suffice for permitting traffic to/from the PC. What does the Access Control rule look like?

Did you run packet-tracer from the CLI like previously suggested? This will provide a clue to where the issue lies.

Add ICMP inspection to the FW (no need for it on FTD, since by default it has ICMP inspection).
Also make sure that the router knows the prefix of the PC for the return traffic.

FYI an FTD already has icmp inspection enabled as default.