Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
592
Views
1
Helpful
8
Replies

Firewall 1000 issue

GatLMCO
Level 1
Level 1

‎11-16-2023 11:07 AM

I have a LAN composed of PC to Switch, Switch to Firewall, Firewall to Router. Switch can ping the Router across Firewall FTD, and vice-versa Router can ping the Switch. The PC can ping the Switch, PC can ping the Firewall inside interface, but PC cannot ping the Router, what could be missing?

Labels:
0 Helpful
8 Replies 8

M02@rt37
VIP
VIP

‎11-16-2023 11:11 AM - edited ‎11-16-2023 11:12 AM

Hello @GatLMCO 

Miss the rule on Firewall ?

Do a "tcpdump" on the Firewall on the outiside interface and do a ping towards Router from PC. Check if you see the packet. 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

GatLMCO
Level 1
Level 1
In response to M02@rt37

‎11-16-2023 11:53 AM

Hi,
Thanks for your response.
-ACL rules setup to allow traffic from in an out of the firewall, and appears to be working fine for networked devices. Not for the PC. I am able also ping the PC from the Router that is connected to the outside interface of the Firewall.
-I have tried "system support trace" from the PC to Router on the outside interface of the FW, but I get no response. If I try the same from Router to Switch all looks good.
0 Helpful

M02@rt37
VIP
VIP
In response to GatLMCO

‎11-16-2023 12:13 PM - edited ‎11-16-2023 12:58 PM

@GatLMCO 

Desactivate the PC Firewall please @GatLMCO 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Rob Ingram
VIP
VIP

‎11-16-2023 11:12 AM - edited ‎11-16-2023 11:13 AM

@GatLMCO

Do you have a NAT rule for the network the PC is on to translate the traffic?
If not using NAT are there routes on the routers for the PC's network via the FTD interface?
Is there a host based firewall on the PC that could block the ping from the router?
Do you have the Access Control rules to permit the traffic between the router and the PC?

Run packet-tracer from the CLI to simulate the traffic flow from the router to the PC and provide the output for review

0 Helpful

GatLMCO
Level 1
Level 1
In response to Rob Ingram

‎11-28-2023 08:20 AM

I have Access Control rules to permit traffic between Switch to Firewall to Router, and vice-versa. Ping works for all except, PC is not able to ping the router, or router the PC. However, PC can ping the Switch and FTD inside interface, and vice-versa. How would you setup an Access Control rule to permit the traffic between the router and the PC?

If there is already a implicit ACL rule to permit traffic between Switch and Router and vice-versa would it not suffice for the PC connected to an access port on Switch?

0 Helpful

Rob Ingram
VIP
VIP
In response to GatLMCO

‎11-28-2023 09:13 AM

@GatLMCO if you have an ACL to permit traffic between the switch and the router, then no it would not necessarily suffice for the permitting traffic to/from the PC. What does the Access Control rule look like?

Did you run packet-tracer from the CLI like previously suggested? This will provide a clue to where the issue lies.

0 Helpful

MHM Cisco World
VIP
VIP

‎11-16-2023 11:22 AM - edited ‎11-16-2023 11:33 AM

add icmp inspection to FW (no need it FTD so by default it have icmp inspect)
also make sure that the router know prefix of PC for return back traffic 

0 Helpful

Rob Ingram
VIP
VIP
In response to MHM Cisco World

‎11-16-2023 11:27 AM

FYI an FTD already has icmp inspection enabled as default.

Customers Also Viewed These Support Documents