Thursday, October 29, 2020

Cisco Firewall

FMC/Firepower Management Center
                    🔝
Logical Device (FTD/Firepower Threat Defense)
                    🔝
Firepower Chassis (4100) -> FXOS CLI or https://managementIP (FCM/Firepower Chassis Manager)

Remarks:
A Logical Device can be a Native instance (uses all resources of the chassis) -> only one FTD is possible.
A Logical Device can be a Container instance -> multiple FTDs are possible.
(container creation is only possible from FMC?)

ASDM
🔝
ASA

Troubleshooting:

packet-tracer simulates a flow through the firewall and shows the result of each processing phase (ACL, NAT, inspection, ...) and the final allow/drop decision.

https://networkology.net/2013/03/06/using-packet-tracer-for-validating-icmp-traffic/

TCP and UDP being statefully inspected by default, you just have to run the packet-tracer on the source interface and you can be sure the return traffic will be allowed through. With ICMP, it's a different story.

Because the ASA does not statefully inspect ICMP packets (by default) you have to vouch for the return packets as well. So you'll be running two packet-tracer commands to verify that ICMP packets go through and come back.

So here's how you verify ICMP echo and echo-reply using packet-tracer:

For verifying echo packets, type=8 code=0

packet-tracer input inside icmp 10.1.1.2 8 0 172.21.1.2 detailed

For verifying echo-reply packets, type=0 code=0

packet-tracer input outside icmp 172.21.1.2 0 0 10.1.1.2 detailed
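As an added example (not from the post and not Cisco code), the shell helper below builds the echo/echo-reply pair of packet-tracer commands for a given source, destination and interface pair, and only reports ICMP as verified when both runs end with "Action: allow". The interface names, the addresses (taken from the commands above) and the two sample outputs are constructed for the example; the parser relies only on the closing "Action:" line that packet-tracer prints in its Result block.

```shell
#!/bin/sh
# Added example (not from the post or from Cisco): build the echo and
# echo-reply packet-tracer commands as a pair and treat ICMP as verified
# only when both runs end in "Action: allow". Interface names, addresses
# and the sample outputs below are constructed for this example; only the
# closing "Action:" line of the packet-tracer output is relied on.

# Usage: icmp_pair_commands <ingress_if> <src> <egress_if> <dst>
# Prints the two commands to run on the ASA.
icmp_pair_commands() {
    in_if=$1; src=$2; out_if=$3; dst=$4
    # echo request: type 8, code 0, entering on the source-side interface
    printf 'packet-tracer input %s icmp %s 8 0 %s detailed\n' "$in_if" "$src" "$dst"
    # echo reply: type 0, code 0, entering on the far-side interface with
    # source and destination swapped (the ASA does not track ICMP state by default)
    printf 'packet-tracer input %s icmp %s 0 0 %s detailed\n' "$out_if" "$dst" "$src"
}

# Reads one packet-tracer output on stdin and prints the final action
# (allow, drop, or unknown when no "Action:" line is present).
final_action() {
    awk '/^Action:/ { act = $2 } END { if (act == "") act = "unknown"; print act }'
}

# Succeeds (exit 0) only when both directions were allowed.
icmp_pair_allowed() {
    fwd=$(printf '%s\n' "$1" | final_action)
    rev=$(printf '%s\n' "$2" | final_action)
    [ "$fwd" = "allow" ] && [ "$rev" = "allow" ]
}

# Constructed sample outputs, abridged to the closing Result block.
SAMPLE_ALLOW='Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Result:
input-interface: inside
output-interface: outside
Action: allow'

SAMPLE_DROP='Phase: 1
Type: ACCESS-LIST
Result: DROP

Result:
input-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule'

icmp_pair_commands inside 10.1.1.2 outside 172.21.1.2
if icmp_pair_allowed "$SAMPLE_ALLOW" "$SAMPLE_DROP"; then
    echo "ICMP verified in both directions"
else
    echo "ICMP blocked in at least one direction (the reply path is dropped in this sample)"
fi
```

Paste the two printed commands into the ASA session, then feed each output to final_action (or both to icmp_pair_allowed); a "drop" on the reply direction alone is the classic ICMP case the text describes, which a single forward trace would never reveal.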

Packet-tracer does more than just inject a 'virtual' packet into the data-plane. One can also add the 'trace' option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.

access-list icmp8844 extended permit icmp any4 host 8.8.4.4
access-list icmp8844 extended permit icmp host 8.8.4.4 any4

capture myicmp type raw-data access-list icmp8844 trace interface TYPE2-INSIDE
capture myicmpreturn type raw-data access-list icmp8844 trace interface TYPE2-OUTSIDE

To view the packet trace for captured packet #3 in a capture named mycap, use the command: ASA# show capture mycap trace packet-number 3


Thursday, October 22, 2020

certbot renewal iptables rules

[root@owncloud ~]# cat certificaterenew.sh 
#!/bin/bash
# Temporarily accept inbound TCP from the validation hosts listed below
# (addresses as used when this was written), run the renewal, then remove
# exactly the rules that were added.
VALIDATORS="52.28.236.88 66.133.109.36 18.196.96.172 3.128.26.105 64.78.149.164 34.209.232.166"

echo "Adding temporary lines to iptables"
for ip in $VALIDATORS; do
    iptables -I INPUT 1 -p tcp -s "$ip" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
done

certbot renew

echo "Deleting temporary lines from iptables"
# Delete by rule specification rather than by position ("-D INPUT 1"), so a
# rule that another process inserted at the top of INPUT in the meantime
# (fail2ban, a firewall reload) is not removed by mistake.
for ip in $VALIDATORS; do
    iptables -D INPUT -p tcp -s "$ip" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
done
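An added example (not the author's script) that does the same job a little more defensively: the temporary rules live in their own chain, are limited to the challenge port, and are removed by specification from a trap, so the window closes even if certbot fails or the script is interrupted. It assumes iptables is present; the validator addresses are copied from the script above as sample values and are the operator's responsibility to keep current, since validation source addresses can change; PORT, CHAIN, IPTABLES and the "run" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the blog's script: open the validation port only to a
# list of source addresses for the duration of "certbot renew", keep those
# rules in a dedicated chain, and tear the chain down again even when certbot
# fails or the script is interrupted. Assumptions: iptables is installed,
# the address list is a sample copied from the post (review it periodically),
# and the challenge is HTTP-01 on TCP/80 (use PORT=443 for TLS-ALPN-01).

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print the commands instead of running them
CHAIN="${CHAIN:-CERTBOT_TMP}"
PORT="${PORT:-80}"
VALIDATORS="52.28.236.88 66.133.109.36 18.196.96.172 3.128.26.105 64.78.149.164 34.209.232.166"

# Rule specification (without the chain name) that admits one validator address.
rule_for() {
    printf '%s\n' "-p tcp --dport $PORT -s $1 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Create the chain, fill it, and hook it at the top of INPUT with a single jump.
open_window() {
    "$IPTABLES" -N "$CHAIN"
    for ip in $VALIDATORS; do
        # word splitting of the rule spec into separate arguments is intended
        "$IPTABLES" -A "$CHAIN" $(rule_for "$ip")
    done
    "$IPTABLES" -I INPUT 1 -j "$CHAIN"
    WINDOW_OPEN=1
}

# Remove exactly what open_window added: the jump, then the chain itself.
# Deleting by specification (not by position) leaves other rules untouched,
# and the guard makes a second call (trap fired twice) a no-op.
close_window() {
    [ "${WINDOW_OPEN:-0}" = 1 ] || return 0
    WINDOW_OPEN=0
    "$IPTABLES" -D INPUT -j "$CHAIN"
    "$IPTABLES" -F "$CHAIN"
    "$IPTABLES" -X "$CHAIN"
}

renew_with_window() {
    open_window
    trap close_window EXIT INT TERM   # cleanup also on error or Ctrl-C
    certbot renew
}

# Only act when invoked as "sh renew-window.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    renew_with_window
fi
```

Run it as `sh renew-window.sh run`; with `IPTABLES=echo` in the environment it prints the exact rule commands it would apply and remove, which is a cheap way to review the window (and confirm nothing else in INPUT is touched) before trusting it on a live host.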

test

import os
import argparse
import json

def load_json_file(filepath):
    with open(filepath, 'r') as f:
        return json.load(f)
d...