tkraft
Beginner

FTD external access for AnyConnect issues

I have set up Remote VPN on a Cisco ASA 5515-X running FTD. I am unable to ping the external interface but I am able to ping out. The NAT is set up correctly as far as I can tell. I am also unable to ping the external interface. I do see connections coming in as well on the capture. Below is what I have.


NAT

object network any-ip
nat (inside,outside) static interface


Capture

1: 14:29:54.773580 X.X.X.X.3736 > Y.Y.Y.Y.443: S 1041542606:1041542606(0) win 64240 <mss 1380,nop,wscale 8,nop,nop,sackOK>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network any-ip
nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.Y/443 to 0.0.0.0/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default
access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
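The packet-tracer output above is where the answer to "where is this flow dying" lives, but it is easier to read once it is broken into phases. The following script is an added example (not code from the original post or from Cisco); it parses that output and reports the dropping phase, the rule-id that matched, the Drop-reason, and whether an UN-NAT phase diverted the packet to another egress interface. SAMPLE is an excerpt of the trace pasted in the post (phases 3 and 4 plus the final Result block), embedded so the script runs offline.

```python
"""Added example, not code from the original post: parse Cisco ASA/FTD
packet-tracer output into phases and report where, and why, a flow is dropped.
SAMPLE is an excerpt of the trace pasted above, embedded so this runs offline."""
import re

SAMPLE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network any-ip
nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.Y/443 to 0.0.0.0/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default
access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
RULE_ID_RE = re.compile(r"\brule-id (\d+)")


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per Phase with its Type/Subtype/Result,
    Config: lines and Additional Information: lines, plus the trailing Result:
    block (interfaces, Action, Drop-reason) as a flat dict."""
    phases, summary = [], {}
    phase = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            phase = {"phase": int(m.group(1)), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the summary block
            phase, section = None, "summary"
        elif section == "summary":
            if ":" in line:
                key, val = line.split(":", 1)
                summary[key.strip().lower()] = val.strip()
        elif phase is None or not line:
            pass
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            phase[key.lower()] = val.strip()
        elif section in ("config", "info"):
            phase[section].append(line)
    return phases, summary


def diagnose(text):
    """What a troubleshooter looks for first: the phase that dropped the flow, the
    rule-id it hit, the Drop-reason, and whether UN-NAT diverted the packet to another
    egress (it is then evaluated as through-the-box traffic, not to-the-box)."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    rule_id = next((m.group(1) for cfg in (drop["config"] if drop else [])
                    for m in [RULE_ID_RE.search(cfg)] if m), None)
    divert = next((info.rsplit(" ", 1)[1] for p in phases if p["type"] == "UN-NAT"
                   for info in p["info"]
                   if info.startswith("NAT divert to egress interface ")), None)
    return {
        "action": summary.get("action"),
        "drop_reason": summary.get("drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "rule_id": rule_id,
        "unnat_divert_to": divert,
        "path": f"{summary.get('input-interface')} -> {summary.get('output-interface')}",
    }


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE).items():
        print(f"{key:16} {val}")
```

Run against the excerpt it reports the drop in phase 4 (ACCESS-LIST, rule-id 268455992, the policy's default deny) and that phase 3 diverted the packet to egress interface inside, which is why the flow reached the access policy at all; paste any other packet-tracer output into SAMPLE to get the same breakdown.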


1 ACCEPTED SOLUTION

Michael ONeil
Beginner

Pings to the external interface of the ASA are controlled not with access lists but with the icmp permit command. Pings through the ASA are allowed with an ACL and a NAT.

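The distinction in the accepted answer, shown as ASA-style CLI. This is an added example, not configuration from the post or from Cisco documentation; the interface names, the object names, the monitoring host 203.0.113.10 and the addresses 10.0.0.5 / 198.51.100.5 are assumed.

```text
! --- To-the-box ICMP: what the outside interface itself answers -------------
! Governed only by the per-interface "icmp" rules, never by the access policy.
! With no "icmp" rules at all the ASA answers ICMP on every interface, so the
! usual pattern is deny-all plus explicit permits.
icmp deny any outside
icmp permit host 203.0.113.10 outside            ! assumed monitoring host
icmp permit any unreachable outside              ! keep PMTUD working

! --- Through-the-box ICMP: a host behind the firewall ------------------------
! Needs a NAT entry so the outside address maps to the real host, an ACL entry
! (written against the real address on 8.3+), and ICMP inspection so the reply
! rides the stateful flow instead of needing its own ACL entry.
object network web-srv
 host 10.0.0.5
 nat (inside,outside) static 198.51.100.5
access-list OUTSIDE_IN extended permit icmp any object web-srv echo
access-group OUTSIDE_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
```

The icmp lines are evaluated independently of the access policy, so the access policy's default deny rule does not affect whether the outside interface replies to a ping; conversely, no icmp permit will help a ping that is destined for a host behind the firewall, which still needs the NAT and ACL pair. On FTD managed by FMC these are not typed at the CLI: the icmp rules come from the device Platform Settings (ICMP Access) and the NAT and ACL entries from the NAT and access control policies.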

2 REPLIES
Marvin Rhoads
Hall of Fame Guru

It's unclear what you're trying to do.

You talk about pinging but then present a packet capture for tcp/443.

Could you explain the issue more clearly?

