Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3102
Views
10
Helpful
2
Replies

FTD VPN access from inside

voipleo
Level 1
Level 1

‎06-29-2020 04:11 AM

We need to access FTD's outside interface from inside for monitoring and troubleshooting. I've set up dynamic NAT and nated IP differs from outside IP but in the same network. I can access external IPs except FTD's. 

Packet tracer output

 

Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface

Result:
input-interface: LAN(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x000000aabaa72f24 flow (NA)/NA

On ASA there was "same-security-traffic permit intra-interface" setting but it is not actual for FTD because traffic should be allowed. Please tell what to check else.

2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-29-2020 04:15 AM

Neither ASA nor FTD will allow you to access an interface address other than the one used for ingress.

0 Helpful

Rob Ingram
VIP
VIP

‎06-29-2020 04:21 AM

Hi,

The command "same-security-traffic permit intra-interface" is enabled as default on FTD and it doesn't do what you require.

You can only access the ASA/FTD from the ingress interface, if connected on the inside interface, then you can only manage on the "inside" interface.

 

HTH

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card