Symptom:

From the capture the following can be seen:

  Source: 192.168.70.1
  Destination: 10.1.1.200 (outside interface)
  Destination port: 22 (SSH)

Logs obtained from tests:

*** When it fails ***

  firepower# show cap capin tr pa 1
  <-- lines omitted for brevity -->
  1: 19:19:28.117028 192.168.70.1.62372 > 10.1.1.200.22: SWE 1362881849:1362881849(0) win 8192

  Phase: 3
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  nat (nlp_int_tap,outside) source static nlp_server__ssh_192.168.70.1_intf4 interface destination static 0_192.168.70.1_1 0_192.168.70.1_1
  Additional Information:
  NAT divert to egress interface nlp_int_tap(vrfid:0)
  Untranslate 10.1.1.200/22 to 169.254.1.2/22

  Result:
  input-interface: outside(vrfid:0)
  input-status: up
  input-line-status: up
  output-interface: nlp_int_tap(vrfid:0)
  output-status: up
  output-line-status: up
  Action: allow

  1 packet shown
  firepower#

Even though the capture trace shows the SYN being allowed (un-NATed from the outside interface IP to the internal management tap 169.254.1.2 on nlp_int_tap), the FTD never replies to it.
Conditions:

  - FTD, any platform, version 7.0.1
  - FTD configured to receive SSH management traffic on the outside interface
  - Policy-based IPsec tunnel configured on the FTD and terminated on the outside interface

It can be observed that SSH traffic sourced from an IP included in the crypto ACL and destined to the outside interface fails, while traffic sourced from an IP not included in the crypto ACL works.
Workaround: SSH from a host whose IP is not included in the crypto map (crypto ACL).
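The condition above comes down to one question: does the management flow between the peer and the outside interface IP fall inside the crypto ACL that drives the policy-based tunnel? The following script is an added example, not code from the bug report or from Cisco, that answers that question offline so you can tell in advance which management hosts hit the failing condition and which satisfy the workaround. The ACL name VPN_ACL, its entries and the addresses are constructed for illustration; the parser handles Cisco ASA/FTD extended ACEs of the form "permit|deny ip SRC DST" (host, any, or address plus subnet mask) with first-match semantics, and treats the ACL as written local to remote, so the FTD's reply direction is matched directly.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed crypto ACL (assumption, not taken from the bug report). Local side is the
# FTD outside network 10.1.1.0/24, remote side is the network behind the VPN peer.
CRYPTO_ACL = [
    "access-list VPN_ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.70.0 255.255.255.0",
    "access-list VPN_ACL extended permit ip host 10.1.1.200 host 192.168.90.9",
]

# Constructed candidate management hosts and the FTD outside interface IP from the capture.
OUTSIDE_IP = "10.1.1.200"
MGMT_HOSTS = ["192.168.70.1", "192.168.90.9", "203.0.113.40"]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    Returns the network and the index of the next unconsumed token."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA/FTD ACLs use a real subnet mask (not a wildcard mask); ipaddress accepts it.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Return (action, src_net, dst_net) for 'access-list NAME extended permit|deny ip SRC DST'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip' ACEs are handled: {line}")
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def matching_ace(acl: List[str], src_ip: str, dst_ip: str) -> Optional[str]:
    """First-match lookup: the permit ACE covering src->dst, or None if no ACE matches
    or the first matching ACE is a deny (deny excludes the flow from the tunnel)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return line if action == "permit" else None
    return None


def ssh_mgmt_affected(acl: List[str], peer_ip: str, outside_ip: str) -> Tuple[bool, Optional[str]]:
    """True when an SSH session from peer_ip to the outside interface IP is 'interesting'
    traffic for the crypto map, i.e. the failing condition in the bug. The ACL is written
    local->remote, so the FTD's SYN-ACK (outside_ip -> peer_ip) is the direction to match;
    the peer's SYN is simply its mirror."""
    ace = matching_ace(acl, outside_ip, peer_ip)
    return ace is not None, ace


def report(acl: List[str], hosts: List[str], outside_ip: str) -> List[Tuple[str, bool]]:
    """Classify each candidate management host; hosts marked False satisfy the workaround."""
    result = []
    for h in hosts:
        affected, ace = ssh_mgmt_affected(acl, h, outside_ip)
        status = f"AFFECTED (matches: {ace})" if affected else "ok (not in crypto ACL, usable for SSH)"
        print(f"{h:>15} -> {outside_ip}:22  {status}")
        result.append((h, affected))
    return result


if __name__ == "__main__":
    report(CRYPTO_ACL, MGMT_HOSTS, OUTSIDE_IP)
```

Run it against the real crypto ACL exported from the device (show running-config access-list on the FTD CLI) and the outside interface IP to list which jump hosts can still reach SSH management while the bug is in play; a deny ACE placed before the broad permit shows up as not affected, which is the same exclusion a policy-based tunnel applies.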