The best way to find possible problems with the ASA configurations is to use the "packet-tracer" command. This would tell you if some traffic is getting blocked by ACL or if the traffic is failing because of NAT.
For a connection coming from behind "outside" you can use this format of the command.
To test anything else, you naturally just switch the "input <interface name>" to the one where the traffic is sourced from. You will naturally also have to check whether you need to use "tcp" or "udp", and also select a source/destination IP/port.
Taking the output of the following commands should help you to troubleshoot possible problems.
You could take "packet-tracer" command output of both of the above-mentioned cases: for example, testing connectivity from "outside" to the "dmz" server, and the previous problem with testing the connection from "inside" to the "dmz" server.
If you are doing Dynamic PAT from "inside" to "dmz" and you then remove the above "static" commands that refer to "(inside,dmz)", users wouldn't be able to connect from "dmz" to those "inside" IP addresses (of those static commands). This is the main reason why Dynamic PAT is not encouraged between local interfaces. It causes complexity for the NAT configurations when users have to add extra NAT configurations to override the possible problems caused by the Dynamic PAT.
For the "management" interface you probably need any new NAT configuration.
The Dynamic PAT from "inside" to "dmz" means that you would need some Static Identity NAT configuration mentioned above also in the new software; otherwise the ASA would drop the connection attempts.
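As an added example that is not from the original thread: a small Python parser for "packet-tracer" output that reports which phase dropped the packet and whether the ACL or NAT was the cause, so the two test runs described above can be compared quickly. The sample output is constructed, and the "Phase:/Type:/Result:" and "Drop-reason:" line layout is assumed to match what the ASA prints.

```python
import re
# Constructed ASA "packet-tracer input outside tcp ..." output (sample, not captured from a real device).
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into per-phase dicts plus the trailing action/drop-reason."""
    phases, current, summary = [], None, {"action": None, "drop_reason": None}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            current = {"phase": int(value), "type": None, "result": None}
            phases.append(current)
        elif key == "Result" and not value:
            current = None  # a bare "Result:" line starts the trailing summary block
        elif current is not None and key in ("Type", "Result"):
            current[key.lower()] = value
        elif current is None and key in ("Action", "Drop-reason"):
            summary[key.lower().replace("-", "_")] = value
    return phases, summary

def diagnose(text):
    """Classify the run as 'allowed', 'blocked by ACL', 'NAT problem' or 'dropped elsewhere'."""
    phases, summary = parse_phases(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), {"phase": None, "type": None})
    code = re.match(r"\(([^)]+)\)", summary["drop_reason"] or "")
    if summary["action"] == "allow" and dropped["phase"] is None:
        verdict = "allowed"
    elif dropped["type"] == "ACCESS-LIST":
        verdict = "blocked by ACL"
    elif dropped["type"] and "NAT" in dropped["type"]:  # NAT, UN-NAT and NAT-EXEMPT phases
        verdict = "NAT problem"
    else:
        verdict = "dropped elsewhere"
    return {"verdict": verdict, "phase": dropped["phase"], "type": dropped["type"],
            "drop_code": code.group(1) if code else None}
```

Feed it the pasted output of each packet-tracer run; the "drop_code" (the parenthesised token on the Drop-reason line) is the value to look up when the verdict alone is not enough.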