KB ID 0001174
Problem
On a newly deployed FirePOWER service module I wanted to test connectivity and attempted to ping a public IP address. This is what happened:
[box]
> expert
admin@Petes-SFR:~$ ping 8.8.8.8
ping: icmp open socket: Operation not permitted
[/box]
My first thought was, “Well you have to set a default gateway on the SFR when you set it up, so the firewall is probably blocking ICMP”. So I checked the default policy and indeed there was no ICMP inspection turned on.
UPDATE: The correct way to do this (as pointed out below) is to use:
[box]system support ping {IP or Hostname}[/box]
-=-=-=- Back to the original post -=-=-=-
On checking the firewall (Note: the decrement-ttl isn’t really needed; I do that to make tracerts work):
[box]
Petes-FW(config)# policy-map global_policy
Petes-FW(config-pmap)# class inspection_default
Petes-FW(config-pmap-c)# inspect icmp
Petes-FW(config-pmap-c)# class class-default
Petes-FW(config-pmap-c)# set connection decrement-ttl
Petes-FW(config-pmap-c)# exit
Petes-FW(config-pmap)# exit
Petes-FW(config)# write mem
Building configuration...
Cryptochecksum: ae83c992 52a79538 b8370d6f 36125070

3120 bytes copied in 0.290 secs
[OK]
Petes-FW(config)#
[/box]
Unfortunately it still didn’t work!
Solution
Some forum searching yielded the same error on other flavours of Linux; the fix there was to change some permissions, so I gave that a try, and it worked.
[box]
admin@Petes-SFR:~$ sudo chmod u+s /bin/ping

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:{Your-SFR-Admin-Password}
admin@Petes-SFR:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=52 time=12.8 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=52 time=13.7 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=52 time=12.6 ms
64 bytes from 8.8.8.8: icmp_req=4 ttl=52 time=13.2 ms
[/box]
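`chmod u+s` sets the setuid bit, so `/bin/ping` then runs with its file owner's privileges for every user who launches it, and the change persists after the test. The helpers below are an added example, not part of the original post and not Cisco tooling: they record which files in a directory are setuid, show what has changed since, and remove the bit again. The function names are hypothetical, and GNU or busybox `find`/`stat` on the Linux shell is an assumption.

```shell
#!/bin/sh
# Added example: audit and undo a `chmod u+s` change.
# Assumption: GNU/busybox find and stat are available on the box.

# Print "<octal mode> <owner> <path>" for one file.
describe() {
    stat -c '%a %U %n' "$1"
}

# Succeed if the file has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# List the setuid files directly inside a directory, sorted so the
# output can be saved as a baseline and compared later.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 | sort
}

# Print setuid files in DIR that are not in BASELINE
# (BASELINE is a file written earlier by list_setuid).
new_setuid() {
    list_setuid "$1" | comm -23 - "$2"
}

# Remove the setuid bit and confirm it is really gone.
drop_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Typical order of use (run as root on the real system):
#   list_setuid /bin > /tmp/setuid.baseline    # before any change
#   new_setuid /bin /tmp/setuid.baseline       # after: shows /bin/ping
#   describe /bin/ping                         # mode starts with 4
#   drop_setuid /bin/ping                      # put it back when done
```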