Beginner

FTD VPN access from inside

We need to access the FTD's outside interface from inside for monitoring and troubleshooting. I've set up dynamic NAT and the NATed IP differs from the outside IP but is in the same network. I can access external IPs except the FTD's.

Packet tracer output:

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000000aabaa72f24 flow (NA)/NA

On the ASA there was a "same-security-traffic permit intra-interface" setting, but it does not apply to FTD because the traffic should be allowed. Please tell me what else to check.
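An added helper, not from this thread, that parses packet-tracer output like the excerpt above into its numbered phases and the final verdict, so the drop reason code and any failing phase can be read off programmatically instead of by eye. The sample text is the post's excerpt embedded as a constant.

```python
import re

# Constructed sample: the packet-tracer excerpt quoted in the post above.
SAMPLE = """Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000000aabaa72f24 flow (NA)/NA
"""

PHASE_KEYS = ("Type", "Subtype", "Result", "Config", "Additional Information")

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final Result dict."""
    phases, final = [], {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Phase:\s*(\d+)", line)
        if m:                                   # start of a numbered phase block
            current = {"phase": int(m.group(1)), "info": []}
            phases.append(current)
            continue
        if line.strip() == "Result:":           # bare "Result:" opens the final verdict block
            current = final
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")   # split only on the first colon
        if current is final:
            if sep:
                final[key.strip().lower()] = value.strip()
        elif sep and key in PHASE_KEYS:
            current[key.lower()] = value.strip()
        elif line.strip():                      # free text under "Additional Information"
            current["info"].append(line.strip())
    return phases, final

def drop_summary(text):
    """Return the final action, the parenthesised drop code, and phases whose own result was DROP."""
    phases, final = parse_packet_tracer(text)
    m = re.match(r"\(([^)]+)\)", final.get("drop-reason", ""))
    failed = [p["phase"] for p in phases if p.get("result") == "DROP"]
    return {"action": final.get("action"), "drop_code": m.group(1) if m else None,
            "failed_phases": failed}
```

Here no phase reports DROP itself: the security check passes, and the packet is only dropped at the end with the `no-route` code, which is the detail to look for when the replies below are applied.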

2 REPLIES
Hall of Fame Guru

Re: FTD VPN access from inside

Neither ASA nor FTD will allow you to access an interface address other than the one used for ingress.

VIP Advisor

Re: FTD VPN access from inside

Hi,

The command "same-security-traffic permit intra-interface" is enabled by default on FTD, and it doesn't do what you require.

You can only access the ASA/FTD from the ingress interface; if connected on the inside interface, then you can only manage it on the "inside" interface.

HTH