topic Re: Firepower 1010 Port Forward Struggle in Network Access Control

Firepower 1010 Port Forward Struggle

Edgieace — Sun, 28 Jul 2024 13:56:08 GMT

Hi guys,

I have been struggling on this for days, I have a nginx web app running on my server(192.168.10.5) that I am trying to port forward it to be accessible on the internet. I was able to do a port forward easily if I were to do a direct connection from my computer -> switch -> ISP modem.

But if I put it behind the firewall (Firepower 1010 Series) I am struggling it always says that my port is closed.

The network diagram look like this(with only the vlan10 that is shown):

this is the route table:

Access-list:

NAT:

I also encountered something that might be a factor on the problem, is that when I ping the firewall outside interface(192.168.1.8) from my server (192.168.10.5) it result me in time out but I can ping the gateway(192.168.1.1) and other device that are connected on the ISP modem.

If I ping inside the firewall cli, I can ping everything all right.

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Sun, 28 Jul 2024 14:06:34 GMT

Can you run packet tracer for this traffic and share it here

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Sun, 28 Jul 2024 14:29:19 GMT

I tried packet-tracer on both the tcp and icmp protoctol but result into command execution failed. but I did a packet tracer on udp:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.8 using egress ifc outside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6858 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x1497286f8de0, priority=12, domain=permit, deny=false
hits=11724, user_data=0x14971ac33880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 192.168.10.5/12345 to 192.168.1.8/12345
Forward Flow based lookup yields rule:
in id=0x1497286c35c0, priority=6, domain=nat, deny=false
hits=1634724, user_data=0x1497292fbb40, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14972637f010, priority=0, domain=nat-per-session, deny=true
hits=1572321, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x149727e1cb80, priority=0, domain=inspect-ip-options, deny=true
hits=2544125, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 23250 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x149728bd41d0, priority=6, domain=nat-reverse, deny=false
hits=1633023, user_data=0x149728eba240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 86952 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Sun, 28 Jul 2024 17:29:24 GMT

Remove static NAT

And add below

Source interface:- IN

Destiantion interface:- OUT

Real

Source IP :- server private IP

Destiantion IP :- Any

Source Port :- http

Mapped

Source IP :- server public IP

Destiantion IP :- ANY

Source Port :- http

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Sun, 28 Jul 2024 22:20:04 GMT

Thank you for this, but I tried it still not working, I am still encountering this connection log whenever I try to access my web app through my public ip.

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Sun, 28 Jul 2024 22:24:48 GMT

Share last NAT

And packet tracer (it direction must be from outside to inside)

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Sun, 28 Jul 2024 22:35:45 GMT

show nat

Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_0.0.0.0_intf3 interface destination static 0_0.0.0.0_12 0_0.0.0.0_12 service tcp https https
translate_hits = 13905, untranslate_hits = 13910
2 (nlp_int_tap) to (inside) source static nlp_server__ssh_0.0.0.0_intf3 interface destination static 0_0.0.0.0_13 0_0.0.0.0_13 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source static nlp_server__ssh_::_intf3 interface ipv6 destination static 0_::_14 0_::_14 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_0.0.0.0_6proto22_intf3 interface destination static nlp_client_0_ipv4_14 nlp_client_0_ipv4_14 service nlp_client_0_6svc22_13 nlp_client_0_6svc22_13
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_::_6proto22_intf3 interface ipv6 destination static nlp_client_0_ipv6_16 nlp_client_0_ipv6_16 service nlp_client_0_6svc22_15 nlp_client_0_6svc22_15
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 1659656, untranslate_hits = 7197

packet-tracer input outside udp 192.168.1.8 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 35340 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 9300 ns
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 44640 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d087fbe flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Sun, 28 Jul 2024 22:48:16 GMT

Sorry

Share NAT table from fmc(or fdm) not from cli

Also packet tracer do you use server real IP or mapped IP?

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Sun, 28 Jul 2024 23:57:58 GMT

FDM nat table

here is the packet tracer, using my mapped IP.

packet-tracer input outside udp 119.93.x.x 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8680 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 31155 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 93465 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Mon, 29 Jul 2024 00:08:13 GMT

packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80

You need to use tcp not udp for http traffic

192.168.10.5 this server mapped IP?

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Mon, 29 Jul 2024 00:15:07 GMT

yes that's the server mapped IP.

this is the packet tracer result:

packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 32085 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8525 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 33015 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 90675 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Mon, 29 Jul 2024 00:37:39 GMT

packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 12345 <<- share this please

Thanks

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Mon, 29 Jul 2024 02:07:04 GMT

thanks here it is:

> packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 20460 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 20925 ns
Config:
Additional Information:
Found next-hop 192.168.1.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8137 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:
Static translate 192.168.10.5/80 to 119.93.252.113/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27435 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 101368 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Mon, 29 Jul 2024 17:58:39 GMT

Re: Firepower 1010 Port Forward Struggle

Edgieace — Mon, 29 Jul 2024 18:30:13 GMT

192.168.10.5(server private ip) belongs to the VLAN 10 network that I have created on the switch, where the 1st port of the sw is being trunked(vlan1). and the 2nd port(access/vlan10) is connected to the firewall(eth1/2), and in the firewall the eth1/2 belongs to the default vlan1 interface where the eth1/2 is being trunked. below are the configuration I have on my fdm.

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Tue, 30 Jul 2024 01:07:47 GMT

so the real server IP is 192.168.10.5 and it must mapped to 192.168.1.5 ?
if that config then it correct
but I think you swap IP because I ask if 192.168.10.5 is mapped ip you mention Yes !!

MHM

Re: Firepower 1010 Port Forward Struggle

Edgieace — Wed, 31 Jul 2024 04:52:16 GMT

I see,

when I added this NAT.

and did a

packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 80

it was successful

but when I packet trace outside it resulted on this

packet-tracer input outside tcp 119.93.x.x 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 40455 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 7672 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside any ifc inside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: allow-http-to-server
object-group service |acSvcg-268435464
service-object tcp source eq www destination eq www
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 7672 ns
Config:
nat (outside,inside) source static public-ip server-ip service _|NatOrigSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d _|NatMappedSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d
Additional Information:
Static translate 119.93.x.x/80 to 192.168.10.5/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7672 ns
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 7672 ns
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27435 ns
Config:
nat (outside,inside) source static public-ip server-ip service _|NatOrigSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d _|NatMappedSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 98578 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA

Re: Firepower 1010 Port Forward Struggle

Jonatan Jonasson — Wed, 31 Jul 2024 06:29:10 GMT

Based on your diagram and the dynamic NAT config on the FTD, it looks like the public IP address is assigned to the ISP modem, and you're doing port forwarding there as well to make this chain work?

If so, what is the port-forwarding setup in the ISP modem, is that public IP -> 192.168.10.5?
If so, assuming that the ISP modem has a route for 192.168.10.0/24 -> 192.168.1.8, the only NAT you would need on the FTD device would be a static NAT from 192.168.10.5 <-> 192.168.10.5 (since the dynamic NAT is going to cover everything else)

If the ISP modem does not have a route for 192.168.10.0/24, the config on the FTD should be NAT from 192.168.10.5 -> 192.168.1.x, either the interface address or any other address on that network, and that address should then be represented in the port forwarding config in the ISP modem.

Unless you can get the public IP (119.93.x.x) routed from the ISP modem and down to the FTD device. you would not be referencing the public IP on the FTD device.

So if you can clarify this part of the setup it would help in seeing which config is needed for this to work.

Re: Firepower 1010 Port Forward Struggle

Edgieace — Wed, 31 Jul 2024 09:01:08 GMT

Hi Jonathan, yes the port forwarding that is setup on the ISP modem is this

Public: 119.93.x.x port 80 -> Private: 192.168.1.8 port 80 (Firewall Outside Interface IP)

since the ISP modem does not have a route for 192.168.10.0/24

the problem I have is that when I ping from my server (192.168.10.5) to 192.168.1.8, it timed me out. I tried to create an inside,outside NAT for 192.168.10.5 -> 192.168.1.8 but the deployment failed it says that it overlaps with outside interface address.

Re: Firepower 1010 Port Forward Struggle

MHM Cisco World — Wed, 31 Jul 2024 10:13:32 GMT

friend
FYI in your case the real IP of server 192.168.10.5
mapped IP of server is interface (only port 80 for server)
do below config it will work