05-06-2020 07:44 AM
I have set up Remote VPN on a Cisco ASA 5515-X running FTD. I am unable to ping the external interface, but I am able to ping out. The NAT is set up correctly as far as I can tell. I am also unable to ping the external interface. I do see the connection coming in as well on the capture. Below is what I have.
NAT
object network any-ip
nat (inside,outside) static interface
Capture
1: 14:29:54.773580 X.X.X.X.3736 > Y.Y.Y.Y.443: S 1041542606:1041542606(0) win 64240 <mss 1380,nop,wscale 8,nop,nop,sackOK>
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network any-ip
nat (inside,outside) static interface
Additional Information:
NAT divert to egress interface inside
Untranslate Y.Y.Y.Y/443 to 0.0.0.0/443
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268455992 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268455992: ACCESS POLICY: usjgxxx-fw03 - Default
access-list CSM_FW_ACL_ remark rule-id 268455992: L4 RULE: DEFAULT ACTION RULE
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-07-2020 07:39 AM
Pings to the external interface of the ASA are controlled not by access lists but by the icmp permit command. Pings through the ASA are allowed with an ACL and a NAT.
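To make the two paths in that answer concrete, here is an added config illustration (not from the thread, not the poster's config). It uses classic ASA CLI syntax and constructed RFC 5737 addresses: 203.0.113.5 is an Internet client, 198.51.100.1 the ASA outside interface, 10.0.0.10 an inside server. On FTD the same lines are generated by FMC (ICMP under Platform Settings, the access-list under the Access Control Policy, the NAT under the NAT policy) rather than typed, but the resulting running config and the packet-tracer checks are the same.

```text
! --- 1. Pings TO the outside interface (to-the-box traffic) ---
! Only the icmp command list is consulted, first match wins; the
! access-group ACL in Phase 4 of the capture never sees this traffic.
icmp permit any echo outside
icmp permit any echo-reply outside
! (optional: deny everything else to the interface after the permits)
icmp deny any outside

! --- 2. Traffic THROUGH the ASA to an inside host ---
! e.g. the tcp/443 flow in the capture. Needs BOTH a NAT entry and an
! ACL permit; with only the NAT it hits the default deny
! (Drop-reason: acl-drop) exactly as shown in Phase 4.
object network web-server
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 443
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside

! --- 3. Verify each path with packet-tracer instead of live pings ---
! to-the-box: ICMP echo request (type 8, code 0) aimed at the interface IP
packet-tracer input outside icmp 203.0.113.5 8 0 198.51.100.1
! through-the-box: tcp/443 to the interface IP, should un-NAT to 10.0.0.10
packet-tracer input outside tcp 203.0.113.5 3736 198.51.100.1 443
```

The point of running both packet-tracer lines is that they fail in different phases: a to-the-box echo that is blocked shows up against the icmp rules, while a blocked through-the-box flow shows an ACCESS-LIST phase with `acl-drop`, which is the signature in the original capture. If the second packet-tracer un-NATs to 0.0.0.0 as in Phase 3 above, the NAT object itself is the thing to look at before the ACL.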
05-06-2020 09:25 AM
It's unclear what you're trying to do.
You talk about pinging but then present a packet capture for tcp/443.
Could you explain the issue more clearly?