06-29-2020 04:11 AM
We need to access the FTD's outside interface from inside for monitoring and troubleshooting. I've set up dynamic NAT, and the NATed IP differs from the outside IP but is in the same network. I can access external IPs except the FTD's.
Packet tracer output
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall interface from a network that is connected to another interface

Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000000aabaa72f24 flow (NA)/NA
On ASA there was a "same-security-traffic permit intra-interface" setting, but it does not apply to FTD because that traffic should be allowed. Please tell me what else to check.
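The packet-tracer output above is easier to triage in bulk if it is parsed rather than read by eye. The following is an added example, not code from the original post or from Cisco: a small parser for the phase-by-phase format that `packet-tracer` prints, run over the output pasted above (reflowed one field per line, as the CLI emits it). The function names are my own; the only assumption about the format is the one visible in the post, namely `Phase: N` blocks with `Type`/`Subtype`/`Result`/`Config`/`Additional Information` headers followed by a final bare `Result:` block holding `Action` and `Drop-reason`.

```python
import re

# Constructed sample: the packet-tracer output from the post above, reflowed
# one field per line as the ASA/FTD CLI prints it.
SAMPLE_OUTPUT = """\
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall interface from a network that is connected to another interface

Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000000aabaa72f24 flow (NA)/NA
"""

# Headers that can appear inside a phase. "Config" and "Additional Information"
# open multi-line sections that run until the next header; the rest are one-liners.
HEADERS = ("Type", "Subtype", "Result", "Config", "Additional Information")
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
# Drop-reason looks like "(code) message, Drop-location: where"; the location part is optional.
DROP_RE = re.compile(
    r"^\((?P<code>[^)]+)\)\s*(?P<msg>.*?)"
    r"(?:,\s*Drop-location:\s*(?P<loc>.*))?$"
)


def parse_packet_tracer(text):
    """Return (phases, summary).

    phases:  one dict per "Phase: N" block with its one-line headers as keys
             and two lists, "config" and "info", for the multi-line sections.
    summary: the trailing bare "Result:" block (input-interface, Action,
             Drop-reason, ...) as a flat dict.
    """
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":
            # A bare "Result:" (no value) starts the final summary block.
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        if current is None:
            continue
        head, sep, val = line.partition(":")
        head = head.strip()
        if sep and head in HEADERS:
            if head == "Config":
                section = "config"
            elif head == "Additional Information":
                section = "info"
            else:
                current[head] = val.strip()
                section = None
                continue
            if val.strip():
                current[section].append(val.strip())
            continue
        # Any other line (including ones with their own colon, such as the
        # "PIX security check: ..." message) belongs to the open section.
        if section is not None:
            current[section].append(line)
    return phases, summary


def failed_phases(phases):
    """Phases whose own Result is not ALLOW."""
    return [p for p in phases if p.get("Result", "").upper() != "ALLOW"]


def drop_info(summary):
    """Split the summary's Drop-reason into (code, message, location).

    Returns None when there is no Drop-reason, i.e. the packet was allowed.
    """
    reason = summary.get("Drop-reason")
    if reason is None:
        return None
    m = DROP_RE.match(reason)
    if not m:
        return (None, reason, None)
    return (m.group("code"), m.group("msg").strip(), m.group("loc"))


if __name__ == "__main__":
    phases, summary = parse_packet_tracer(SAMPLE_OUTPUT)
    for p in phases:
        print(f"phase {p['phase']}: {p.get('Type')} -> {p.get('Result')}; info={p['info']}")
    print("action:", summary.get("Action"), "drop:", drop_info(summary))
```

Note what the sample shows: the only phase present reports `Result: ALLOW`, yet the final block says `Action: drop`, so a script that only looks for a phase with `Result: DROP` would conclude the packet got through. The verdict to key on is the summary's `Action` and `Drop-reason`, which is why `drop_info` reads the summary rather than the phases.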
06-29-2020 04:15 AM
Neither ASA nor FTD will allow you to access an interface address other than the one used for ingress.
06-29-2020 04:21 AM
Hi,
The command "same-security-traffic permit intra-interface" is enabled as default on FTD and it doesn't do what you require.
You can only access the ASA/FTD from the ingress interface; if you are connected on the inside interface, you can only manage it on the "inside" interface.
HTH