I'm thinking that if it were a policy then it would block them all. But you could check Intrusion Events on FMC to see if packets are being dropped for some reason. Is there any chance the routes are changing (due to ExpressRoute or some other caus...
The setup and route config you describe all sounds right to me.
But the debug showing the ping packet coming in on the outside interface makes it seem like something is swapped somewhere.
For myself, my next step would be to double check:
- The ef...
Ah! OK.
In that case, it would be good to check the effective routes on the "inside" subnets. Make sure the route pointing to FTDv's "inside" interface wins in the "effective route table". You may need a UDR that is more specific than the route...
That sounds right... just to summarize (and add one shortcut)
- FTDv would need a route to 0.0.0.0/0 over its "outside" interface with next hop ".1" on the outside subnet.
- Azure outside subnet already has a default route to the internet for 0.0....
In general, the Azure route tables/UDRs determine what next-hop is used for any given packet. So for traffic you want to route through FTDv, you'd set a UDR route with a next-hop of the FTDv IP. Inside FTDv we set the route on a particular interf...
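To make the "more specific UDR wins" point concrete, here is an added example that is not from any of the posters above: a small Python model of how Azure picks the effective route for a packet, using the documented rule of longest prefix match first, then user-defined route over BGP over system route when prefix lengths tie. The addresses (hub VNet 10.0.0.0/16, FTDv "inside" IP 10.0.2.4, workload subnet 10.0.3.0/24) and the route tables are constructed for illustration; the Source names mirror the column of the same name in `az network nic show-effective-route-table`.

```python
import ipaddress

# Tie-break order Azure applies when two matching routes have the same prefix
# length: user-defined beats BGP-learned (source "VirtualNetworkGateway")
# beats system ("Default"). Longest prefix match is evaluated first.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def effective_route(routes, destination):
    """Return the route Azure would apply to a packet for `destination`,
    or None if nothing matches (Azure would then drop the packet)."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (
            -ipaddress.ip_network(r["prefix"]).prefixlen,  # longest prefix wins
            SOURCE_PRIORITY[r["source"]],                  # then UDR > BGP > system
        ),
    )


def routed_via_ftdv(routes, destination, ftdv_ip):
    """True if the winning route hands the packet to the FTDv appliance IP."""
    r = effective_route(routes, destination)
    return (
        r is not None
        and r["next_hop_type"] == "VirtualAppliance"
        and r["next_hop_ip"] == ftdv_ip
    )


# Constructed sample (hypothetical addressing): hub VNet 10.0.0.0/16, FTDv
# "inside" interface at 10.0.2.4, workload subnet 10.0.3.0/24.
FTDV_INSIDE_IP = "10.0.2.4"

# System routes Azure installs on every subnet of the VNet.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "source": "Default", "next_hop_type": "VnetLocal", "next_hop_ip": None},
    {"prefix": "0.0.0.0/0", "source": "Default", "next_hop_type": "Internet", "next_hop_ip": None},
]

# A route table carrying only a default UDR towards FTDv.
DEFAULT_ONLY_UDR = [
    {"prefix": "0.0.0.0/0", "source": "User", "next_hop_type": "VirtualAppliance", "next_hop_ip": FTDV_INSIDE_IP},
]

# A UDR at least as specific as the system VNet route, so intra-VNet
# (east-west) traffic also goes through FTDv instead of VnetLocal.
SPECIFIC_UDR = [
    {"prefix": "10.0.0.0/16", "source": "User", "next_hop_type": "VirtualAppliance", "next_hop_ip": FTDV_INSIDE_IP},
]


if __name__ == "__main__":
    scenarios = (
        ("default UDR only", SYSTEM_ROUTES + DEFAULT_ONLY_UDR),
        ("default UDR + /16 UDR", SYSTEM_ROUTES + SPECIFIC_UDR + DEFAULT_ONLY_UDR),
    )
    for label, table in scenarios:
        for dst in ("8.8.8.8", "10.0.3.10"):
            r = effective_route(table, dst)
            print(
                f"{label}: {dst} -> {r['prefix']} ({r['source']}, {r['next_hop_type']}) "
                f"via FTDv: {routed_via_ftdv(table, dst, FTDV_INSIDE_IP)}"
            )
```

Running it shows the failure mode the thread is circling around: with only a 0.0.0.0/0 UDR, internet-bound traffic does reach FTDv (the UDR beats the system default route on the tie-break), but traffic to another subnet in the same VNet still takes the /16 VnetLocal system route and bypasses the firewall. Adding a UDR with a prefix at least as long as the system VNet route (here 10.0.0.0/16, or a more specific subnet) makes the FTDv next hop win. On real NICs, confirm the result with `az network nic show-effective-route-table` rather than trusting the route table definition, since the effective table is what the platform actually uses.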