The best way to find possible problems with the ASA configurations is to use the "packet-tracer" command. This would tell you if some traffic is getting blocked by an ACL or if the traffic is failing because of NAT.
For a connection coming from behind "outside" you can use this format of the command:
To test anything else, you naturally just switch the "input <interface name>" to the one where the traffic is sourced from. You will naturally also have to check whether you need to use "tcp" or "udp", and also select a source/destination IP/port.
Taking the output of the following commands should help you troubleshoot possible problems:
You could take "packet-tracer" command output of both of the above-mentioned cases. For example, testing connectivity from "outside" to the "dmz" server, and the previous problem with testing the connection from "inside" to the "dmz" server.
If you are doing Dynamic PAT from "inside" to "dmz" and you were to remove the above "static" commands that refer to "(inside,dmz)", then users wouldn't be able to connect from "dmz" to those "inside" IP addresses (of those static commands). This is the main reason why Dynamic PAT is not encouraged between local interfaces. It causes complexity for the NAT configurations when users have to add extra NAT configurations to override the possible problems caused by the Dynamic PAT.
For the "management" interface you probably don't need any new NAT configuration.
The Dynamic PAT from "inside" to "dmz" means that you would need some Static Identity NAT configuration, mentioned above, also in the new software; otherwise the ASA would drop the connection attempts.
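As an added example, not part of the post above, here is what the two "packet-tracer" checks and the Static Identity NAT described there look like on an ASA running the 8.3+ NAT syntax. The interface names follow the post; every IP address, port and object name is assumed for illustration only.

```cisco
! Added example, not from the original post. Assumed addressing:
!   outside interface 203.0.113.1, DMZ web/DNS server 192.168.100.10
!   published on the public address 203.0.113.10, inside host 10.1.1.50.

! Case 1: connection from "outside" to the DMZ server.
! The packet arrives on "outside" carrying the public (pre-NAT) address,
! so that is the destination you give packet-tracer, not the real DMZ IP.
! "detailed" prints the matched rule for each phase (ACCESS-LIST, NAT, ...).
packet-tracer input outside tcp 198.51.100.77 40000 203.0.113.10 80 detailed

! Case 2: the earlier problem, a connection from "inside" to the same DMZ
! server. Inside hosts reach the server by its real address; this one is a
! UDP DNS query, so the protocol and port change accordingly.
packet-tracer input inside udp 10.1.1.50 40001 192.168.100.10 53 detailed

! Static Identity NAT (8.3+ "twice NAT" syntax) for inside -> dmz. Manual
! NAT rules without "after-auto" sit in section 1, so this is evaluated
! before any object (section 2) Dynamic PAT rule and keeps the real inside
! addresses visible to the DMZ, which is what the post says is needed.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET
```

In each packet-tracer output, read the per-phase lines and the final "Result:" block: "Action: allow" means the flow would be built, while "Action: drop" comes with a "Drop-reason:" line that names the phase (for example an ACL deny or a NAT rule mismatch) responsible for the drop. After adding the identity rule, "show nat" lists it with its translate_hits and untranslate_hits counters, which is a quick way to confirm that the inside-to-dmz traffic is actually matching it rather than the Dynamic PAT.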