FTD external access for anyconnect issues

tkraft
Level 1

I have set up Remote VPN on a Cisco ASA 5515-X running FTD. I am unable to ping the external interface, but I am able to ping out. The NAT is set up correctly as far as I can tell. I am also unable to ping the external interface. I do see connections coming in as well on the capture. Below is what I have.


NAT

object network any-ip
nat (inside,outside) static interface


Capture

1: 14:29:54.773580 X.X.X.X.3736 > Y.Y.Y.Y.443: S 1041542606:1041542606(0) win 64240 <mss 1380,nop,wscale 8,nop,nop,sackOK>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network any-ip
nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.Y/443 to 0.0.0.0/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default
access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
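To triage a packet-tracer trace like the one above without reading every phase by hand, here is an added Python helper (not from the original post and not a Cisco tool) that splits the output into phases, keeps each phase's Config lines, and reports the first phase with Result: DROP together with its rule-id and the final Drop-reason. The input is a constructed excerpt of the trace above with the placeholder addresses kept.

```python
import re

# Constructed excerpt of the packet-tracer output in the post above (placeholders kept).
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network any-ip
nat (inside,outside) static interface
Additional Information:
Untranslate Y.Y.Y.Y/443 to 0.0.0.0/443

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start

Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split a trace into dicts with keys phase, type, subtype, result, config."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # the trailing summary block is not a phase
        phase = {"phase": int(lines[0].split(":")[1]), "config": []}
        section = None  # free-text section we are inside ('Config' or 'Additional Information')
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif sep and key in ("Config", "Additional Information") and not value.strip():
                section = key
            elif section == "Config":
                phase["config"].append(line)
        phases.append(phase)
    return phases

def first_drop(trace):
    # Returns (phase, type, rule-id, drop reason) for the first phase with Result: DROP.
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    for p in parse_phases(trace):
        if p.get("result") == "DROP":
            rule = re.search(r"rule-id (\d+)", "\n".join(p["config"]))
            return p["phase"], p["type"], rule and rule.group(1), reason and reason.group(1)
    return None
```

Feed it the full trace (for example the saved output of the FTD capture) and the rule-id it returns is the one to look up in the access policy, while the phase type tells you whether NAT or the ACL made the decision.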


Accepted Solution

Michael ONeil
Level 1

Pings to the external interface of the ASA are controlled not with access lists but with the icmp permit command. Pings through the ASA are allowed with an ACL and a NAT.


2 Replies

Marvin Rhoads
Hall of Fame

It's unclear what you're trying to do.

You talk about pinging but then present a packet capture for tcp/443.

Could you explain the issue more clearly?

