https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4080543#M1069919 <P>I have setup Remote VPN on a Cisco ASA 5515-x running FTD.&nbsp; I am unable to ping the external interface but i am able to ping out.&nbsp; The NAT is setup correctly as i can tell.&nbsp; i am also unable to ping the external interface.&nbsp; I do see connection coming in as well on the capture. Below is what i have.</P><P>&nbsp;</P><P>NAT</P><P>object network any-ip<BR />nat (inside,outside) static interface</P><P>&nbsp;</P><P>Capture</P><P>1: 14:29:54.773580 <FONT color="#FF6600"><EM><STRONG>X.X.X.X</STRONG></EM></FONT>.3736 &gt; <FONT color="#3366FF"><EM><STRONG>Y.Y.Y.Y</STRONG></EM></FONT>.443: S 1041542606:1041542606(0) win 64240 &lt;mss 1380,nop,wscale 8,nop,nop,sackOK&gt;<BR />Phase: 1<BR />Type: CAPTURE<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 3<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />object network any-ip<BR />nat (inside,outside) static interface<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate <FONT color="#3366FF"><EM><STRONG>Y.Y.Y.Y</STRONG></EM></FONT>/443 to 0.0.0.0/443</P><P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group CSM_FW_ACL_ global<BR />access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start<BR />access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default<BR />access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P> Wed, 06 May 2020 14:44:49 GMT tkraft 2020-05-06T14:44:49Z https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4080543#M1069919 <P>I have setup Remote VPN on a Cisco ASA 5515-x running FTD.&nbsp; I am unable to ping the external interface but i am able to ping out.&nbsp; The NAT is setup correctly as i can tell.&nbsp; i am also unable to ping the external interface.&nbsp; I do see connection coming in as well on the capture. Below is what i have.</P><P>&nbsp;</P><P>NAT</P><P>object network any-ip<BR />nat (inside,outside) static interface</P><P>&nbsp;</P><P>Capture</P><P>1: 14:29:54.773580 <FONT color="#FF6600"><EM><STRONG>X.X.X.X</STRONG></EM></FONT>.3736 &gt; <FONT color="#3366FF"><EM><STRONG>Y.Y.Y.Y</STRONG></EM></FONT>.443: S 1041542606:1041542606(0) win 64240 &lt;mss 1380,nop,wscale 8,nop,nop,sackOK&gt;<BR />Phase: 1<BR />Type: CAPTURE<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 3<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />object network any-ip<BR />nat (inside,outside) static interface<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate <FONT color="#3366FF"><EM><STRONG>Y.Y.Y.Y</STRONG></EM></FONT>/443 to 0.0.0.0/443</P><P>Phase: 4<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: DROP<BR />Config:<BR />access-group CSM_FW_ACL_ global<BR />access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start<BR />access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default<BR />access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE<BR />Additional Information:</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P> Wed, 06 May 2020 14:44:49 GMT https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4080543#M1069919 tkraft 2020-05-06T14:44:49Z https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4080647#M1069920 <P>It's unclear what you're trying to do.</P> <P>You talk about pinging but then present a packet capture for tcp/443.</P> <P>Could you explain the issue more clearly?</P> Wed, 06 May 2020 16:25:40 GMT https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4080647#M1069920 Marvin Rhoads 2020-05-06T16:25:40Z https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4081293#M1069952 <P>Pings to the External Interface of the ASA are controlled not with Access lists but the icmp permit command. Pings through the ASA are allowed with an ACL and a NAT</P> Thu, 07 May 2020 14:39:00 GMT https://community.cisco.com/t5/network-security/ftd-external-access-for-anyconnect-issues/m-p/4081293#M1069952 Michael ONeil 2020-05-07T14:39:00Z