<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Pat is not working in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4659134#M1092231</link>
    <description>&lt;P&gt;The packet-tracer you posted in that screenshot would test access from the inside network to the outside network. The reverse would test access from the outside network to the inside network.&amp;nbsp; I am sure that the packet-tracer from the outside network is failing due to a syntax error.&amp;nbsp; In any case, glad this is working now.&lt;/P&gt;</description>
    <pubDate>Thu, 28 Jul 2022 07:24:11 GMT</pubDate>
    <dc:creator>Marius Gunnerud</dc:creator>
    <dc:date>2022-07-28T07:24:11Z</dc:date>
    <item>
      <title>Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655626#M1092071</link>
      <description>&lt;P&gt;Hello Community.&lt;/P&gt;&lt;P&gt;I have recently converted my Asa5516-x from Asa to FTD code and am running it from an FMC.&lt;/P&gt;&lt;P&gt;I have figured everything out, except the PAT part.&lt;/P&gt;&lt;P&gt;It was working on the ASA code, but I was not able to use the migration tool, so I've started from scratch.&lt;/P&gt;&lt;P&gt;Currently there is a dynamic NAT rule, for many to one IP translation-&amp;gt; internet access for the client net.&lt;/P&gt;&lt;P&gt;Then I have an FTP server (Kasperstore) on 192.168.2.82 on the inside-security-zone, configured to receive sftp on tcp port 20000, from the outside-if on 192.168.0.254.&lt;/P&gt;&lt;P&gt;When I run a packet-tracer I get the output:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Last login: Fri Jul 22 16:02:45 UTC 2022 from 192.168.3.198 on pts/0

Copyright 2004-2022, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Firepower Extensible Operating System (FX-OS) v2.10.1 (build 192)
Cisco ASA5516-X Threat Defense v7.0.2 (build 88)

&amp;gt; packet-tracer input Outside_if 
esp     gre     icmp    ipip    rawip   sctp    tcp     udp     vlan-id 
&amp;gt; packet-tracer input Outside_if tcp 192.168.0.254 20000 192.168.2.82 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=4558667, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=353698495, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Area51-outside-if
 nat (any,any) static Kasperstore service tcp 20000 20000 
Additional Information:
NAT divert to egress interface identity(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e84ca950, priority=501, domain=permit, deny=true
        hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The question is, what is the access-list that is dropping the packet?&lt;/P&gt;&lt;P&gt;I have made an extended access-list under objects.&lt;/P&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;&lt;DIV class=""&gt;&amp;nbsp;&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 18:09:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655626#M1092071</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-22T18:09:51Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655636#M1092072</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1298050"&gt;@Kasper Elsborg&lt;/a&gt; you need to configure the access in the Access Control Policy (ACP), not an extended ACL. The source port is likely dynamic, so use "any" not 20000. The destination port will obviously be static, so you can use 20000 for the destination port in the ACP.&lt;/P&gt;
&lt;P&gt;Ideally your NAT rule interfaces should be more specific rather than "any". I.e. - nat (inside,Outside_if) ......&lt;/P&gt;
&lt;P&gt;Your packet tracer source should be a random IP address, the destination IP address will be the NAT IP address, not the real IP address.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 18:47:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655636#M1092072</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2022-07-22T18:47:08Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655639#M1092073</link>
      <description>&lt;P&gt;If I am right, route-lookup must be added to this NAT.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 19:00:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655639#M1092073</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2022-07-22T19:00:46Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655666#M1092074</link>
      <description>&lt;P&gt;@&lt;A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036" target="_self"&gt;&lt;SPAN class=""&gt;Rob Ingram&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;thanks for taking the time.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I think I have the ACP in place? My intention was to keep it as wide as possible due to troubleshooting?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Maybe I did it wrong?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Br. Kasper&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 20:59:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655666#M1092074</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-22T20:59:38Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655667#M1092075</link>
      <description>&lt;P&gt;Hi, seems like this option is ruled out?&lt;/P&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 21:02:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655667#M1092075</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-22T21:02:16Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655669#M1092076</link>
      <description>&lt;P&gt;same NAT but make the type&lt;/P&gt;&lt;P&gt;NAT auto before&lt;BR /&gt;and enable route-lookup&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 21:14:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655669#M1092076</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2022-07-22T21:14:13Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655672#M1092077</link>
      <description>&lt;P&gt;Your packet-tracer is not correct. It should look something like this:&lt;/P&gt;
&lt;P&gt;packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed&lt;/P&gt;
&lt;P&gt;You are simulating a packet passing through the firewall, so the first IP is the source IP that you are testing from (if this is a specific IP then exchange 8.8.8.8 with the correct IP) and the destination is the NATed IP of the FTP server.&amp;nbsp; You should then see a correct packet tracer which will give you more information on whether the packet really is denied, allowed, etc.&lt;/P&gt;</description>
      <pubDate>Fri, 22 Jul 2022 21:27:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655672#M1092077</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2022-07-22T21:27:34Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655772#M1092081</link>
      <description>&lt;P&gt;Seems like I don't have that option?&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 08:20:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655772#M1092081</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T08:20:58Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655773#M1092082</link>
      <description>&lt;P&gt;Hi, and thanks for replying.&lt;/P&gt;&lt;P&gt;I am aware and I did change it afterwards, but it doesn't change anything.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=586897569, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=644850555, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=757857, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1689550, priority=0, domain=permit, deny=true
        hits=191254, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 08:23:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655773#M1092082</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T08:23:06Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655774#M1092083</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1298050"&gt;@Kasper Elsborg&lt;/a&gt; are you sure the source port is going to be port 20000? Usually it will be dynamic. Traffic would probably not hit the first rule, but rule #7.&lt;/P&gt;
&lt;P&gt;Run "system support firewall-engine-debug" from the CLI of the FTD, filter on the destination IP address. Then generate traffic and observe the traffic flow and determine the source port and which rule it matches.&lt;/P&gt;
&lt;P&gt;Provide the output of "show nat detail"&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 08:35:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655774#M1092083</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2022-07-23T08:35:08Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655775#M1092084</link>
      <description>&lt;P&gt;I've tried to make a manual nat-&amp;gt;before,&lt;/P&gt;&lt;P&gt;but I still don't have that option. Also I don't know if I made the manual nat rule correctly?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 08:38:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655775#M1092084</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T08:38:21Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655780#M1092085</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036"&gt;@Rob Ingram&lt;/a&gt; Yes, I saw the error so I've changed the source port to Any, but it didn't change anything. I will try and do your suggestions.&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 08:45:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655780#M1092085</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T08:45:02Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655782#M1092086</link>
      <description>&lt;P&gt;Okay, so I've tried the "system support firewall-engine-debug" with various options. I can get it to generate traffic if the server is 192.168.2.82, which is the sftp server, among many services. However there is no traffic from the outside_if from my sftp client 192.168.0.232. And if I change&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&amp;gt; system support firewall-engine-debug&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Please specify an IP protocol:
Please specify a client IP address: 192.168.0.232
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages&lt;/LI-CODE&gt;&lt;P&gt;There is no output at all?&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; show nat detail 

Manual NAT Policies (Section 1)
1 (any) to (any) source static Area51-outside-if Kasperstore  service SVC_30064936305 SVC_30064936305 unidirectional
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp destination eq 20000 , Translated: tcp destination eq 20000 

Auto NAT Policies (Section 2)
1 (any) to (any) source static Area51-outside-if Kasperstore  service tcp 20000 20000 
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Protocol: tcp Real: 20000 Mapped: 20000 
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 381178, untranslate_hits = 9243
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 09:03:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655782#M1092086</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T09:03:29Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655945#M1092091</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036"&gt;@Rob Ingram&lt;/a&gt;&lt;/P&gt;&lt;P&gt;I've made a test ACP, with no rules other than a trust all. Tested it, but no luck; still the same block. So I can pretty much rule out the ACP rules.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; system support firewall-engine-debug

Please specify an IP protocol: icmp
Please specify a client IP address: 192.168.3.198
Please specify a server IP address: 

Monitoring firewall engine debug messages


192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -&amp;gt; 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
^C
Caught interrupt signal
Exiting.

&amp;gt; packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=591050297, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=646912185, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=782289, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1689550, priority=0, domain=permit, deny=true
        hits=198553, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;Any suggestions?&lt;/P&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 14:16:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655945#M1092091</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T14:16:44Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655977#M1092093</link>
      <description>&lt;P&gt;I've got a bit further. It seems like the NAT rule was not created right. So I made a static manual NAT rule which I now can get a hit on in the packet-tracer. I also did a packet capture from the FMC, that might help identify the problem; however I'm still stuck, so any suggestions are welcome.&lt;/P&gt;&lt;P&gt;NAT rule is attached.&lt;/P&gt;&lt;P&gt;packet-tracer&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.2.82 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=594666507, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=648705869, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
NAT divert to egress interface Inside_if(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp any any eq 20000 rule-id 268438530 
access-list CSM_FW_ACL_ remark rule-id 268438530: ACCESS POLICY: Area51 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438530: L7 RULE: SFTP-20000
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 Forward Flow based lookup yields rule:
 in  id=0x1512f1c14250, priority=12, domain=permit, deny=false
        hits=1, user_data=0x1513064869c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=20000, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e858dc50, priority=7, domain=conn-set, deny=false
        hits=12365, user_data=0x1512e8588fe0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
Static translate 8.8.8.8/20000 to 8.8.8.8/20000
 Forward Flow based lookup yields rule:
 in  id=0x1512f1b90e00, priority=6, domain=nat, deny=false
        hits=1, user_data=0x1512f1c86a60, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.2.82, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=797708, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1690170, priority=0, domain=inspect-ip-options, deny=true
        hits=426601, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x1512f1ca96d0, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0x1512f1c38780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.0.254, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=797710, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x1512f1723170, priority=0, domain=inspect-ip-options, deny=true
        hits=423866, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Inside_if(vrfid:0), output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 423777, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:2453855330, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
00:00:00:00:00:00 -&amp;gt; 78:72:5D:CE:BD:A0 0800
8.8.8.8:20000 -&amp;gt; 192.168.0.254:20000 proto 6 AS=0 ID=2 GR=1-1
Packet 15958: TCP ******S*, 07/23-19:39:09.389963, seq 531550506, dsize 0
Session: new snort session
AppID: service: (0), client: (0), payload: (0), misc: (0)
Firewall: trust/fastpath rule, id 268438530, allow
Policies: Network 0, Inspection 0, Detection 3
Verdict: pass
Snort Verdict: (pass-packet) allow this packet

Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 16
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc  identity is not same as existing ifc  Inside_if

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside_if(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000056182be6cf8c flow (NA)/NA&lt;/LI-CODE&gt;&lt;P&gt;Show nat detail:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; show nat detail

Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service SVC_30064977916 SVC_30064977916
    translate_hits = 2, untranslate_hits = 2
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000 

Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 5333, untranslate_hits = 74
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24&lt;/LI-CODE&gt;&lt;P&gt;The actual setup.&lt;/P&gt;&lt;P&gt;Inside nets are 192.168.1.0-&amp;gt;192.168.3.0, routed with OSPF on L3 switches and the inside-if on the FTD.&lt;/P&gt;&lt;P&gt;The FTD outside-if is 192.168.0.254, connected to the ISP router on 192.168.0.1, but since I have no control over the routing here, the FTD is doing the dynamic NAT for the inside network. But this subnet also lets me simulate outside traffic, so I have an SFTP client on 192.168.2.232 connecting to the FTD outside-if on 192.168.0.254:20000 to test the NAT. The SFTP server is on 192.168.2.82:20000.&lt;/P&gt;&lt;P&gt;The packet capture from FMC when connecting from the SFTP client just described:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;13 packets captured

   1: 19:50:06.510074       192.168.0.232.54259 &amp;gt; 192.168.0.254.20000: S 584024581:584024581(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
   2: 19:50:07.521304       192.168.0.232.54259 &amp;gt; 192.168.0.254.20000: S 584024581:584024581(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
   3: 19:50:09.523669       192.168.0.232.54259 &amp;gt; 192.168.0.254.20000: S 584024581:584024581(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
   4: 19:50:13.526034       192.168.0.232.54259 &amp;gt; 192.168.0.254.20000: S 584024581:584024581(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
   5: 19:50:21.530322       192.168.0.232.54259 &amp;gt; 192.168.0.254.20000: S 584024581:584024581(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
   6: 19:50:26.544985       192.168.0.232.17500 &amp;gt; 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


   7: 19:50:26.553483       192.168.0.232.17500 &amp;gt; 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


   8: 19:50:26.553544       192.168.0.232.17500 &amp;gt; 192.168.0.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.255 using egress ifc  Outside_if(vrfid:0)

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000056182bf4a27b flow (NA)/NA


   9: 19:50:26.555101       192.168.0.232.17500 &amp;gt; 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


  10: 19:50:26.555162       192.168.0.232.17500 &amp;gt; 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


  11: 19:50:32.652996       192.168.0.232.54260 &amp;gt; 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
  12: 19:50:33.663616       192.168.0.232.54260 &amp;gt; 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
  13: 19:50:35.672221       192.168.0.232.54260 &amp;gt; 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 &amp;lt;mss 1460,nop,wscale 7,nop,nop,sackOK&amp;gt; 
13 packets shown&lt;/LI-CODE&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 23 Jul 2022 19:54:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4655977#M1092093</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-23T19:54:08Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656042#M1092094</link>
      <description>&lt;P&gt;So from what I can see, this is no longer an ACP or NAT issue. From the packet-tracer I can see at the end:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;Phase: 16
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc  identity is not same as existing ifc  Inside_if

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside_if(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000056182be6cf8c flow (NA)/NA&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;which looks more like a routing problem. It leads me back to&amp;nbsp;&lt;A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752" target="_self"&gt;&lt;SPAN class=""&gt;MHM Cisco World&lt;/SPAN&gt;&lt;/A&gt;'s comment on enabling "route lookup" in the NAT config. But it is still grayed out. From what I can read in the guides and on Google, it should be allowed in firewall routing mode, which is the case.&lt;/P&gt;&lt;P&gt;FYI, I can produce the same output with both a manual and an auto NAT rule.&lt;/P&gt;&lt;P&gt;Does anyone have an idea why it is grayed out?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 24 Jul 2022 07:26:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656042#M1092094</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-24T07:26:26Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656198#M1092098</link>
      <description>&lt;P&gt;Could you provide screenshots of the complete NAT configuration (all sections if you please).&amp;nbsp; Also, confirm the following:&lt;/P&gt;
&lt;P&gt;Original source IP -&amp;nbsp;192.168.0.254&lt;/P&gt;
&lt;P&gt;Translated source IP -&amp;nbsp;192.168.2.82&lt;/P&gt;
&lt;P&gt;I highly doubt that route-lookup is the issue here as the NAT will use the interfaces defined in the NAT configuration to determine which interfaces to send packets to, that is unless you have more than one interface configured in each of those security zones you have configured.&lt;/P&gt;</description>
      <pubDate>Sun, 24 Jul 2022 20:54:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656198#M1092098</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2022-07-24T20:54:10Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656469#M1092110</link>
      <description>&lt;P&gt;&lt;SPAN class=""&gt;&lt;A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690" target="_self"&gt;&lt;SPAN class=""&gt;@Marius Gunnerud&lt;/SPAN&gt;&lt;/A&gt;&lt;/SPAN&gt; Yes, of course.&lt;/P&gt;&lt;P&gt;These are the latest configs, both the auto and the manual rule. They both produce the same output from the packet-tracer.&lt;/P&gt;&lt;P&gt;They both receive hits when enabled.&lt;/P&gt;&lt;P&gt;The first show nat detail is with the manual rule enabled, the second is with it disabled; both receive hits with the packet-tracer.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; 
&amp;gt; show nat detail

Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service SVC_30064977916 SVC_30064977916
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000 

Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service tcp 20000 20000 
    translate_hits = 0, untranslate_hits = 6
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Protocol: tcp Real: 20000 Mapped: 20000 
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 83526, untranslate_hits = 2066
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
&amp;gt; show nat detail

Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service SVC_30064977916 SVC_30064977916 inactive
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000 

Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service tcp 20000 20000 
    translate_hits = 0, untranslate_hits = 7
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Protocol: tcp Real: 20000 Mapped: 20000 
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 85518, untranslate_hits = 2086
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Original source IP - 192.168.0.254 -&amp;gt; is the outside-if&lt;/P&gt;&lt;P&gt;Translated source IP - 192.168.2.82 -&amp;gt; is the SFTP-server on port 20000&lt;/P&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Jul 2022 06:27:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656469#M1092110</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-25T06:27:07Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656850#M1092119</link>
      <description>&lt;P&gt;Then this looks to be your problem.&lt;/P&gt;
&lt;P&gt;You have the interface IP configured as the original source and the server IP as the translated source.&amp;nbsp; Change these around and test again.&amp;nbsp; If 192.168.0.254 is the interface IP of the FTD you will need to specify interface in the translated section instead of the object.&lt;/P&gt;
&lt;PRE class="lia-code-sample  language-markup"&gt;&lt;CODE&gt;Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Jul 2022 13:28:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656850#M1092119</guid>
      <dc:creator>Marius Gunnerud</dc:creator>
      <dc:date>2022-07-25T13:28:00Z</dc:date>
    </item>
    <item>
      <title>Re: Pat is not working</title>
      <link>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656920#M1092125</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690" target="_self"&gt;&lt;SPAN class=""&gt;Marius Gunnerud&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I think I've already tried this. Now I'm not even reaching the Snort engine, and the NAT rule is not getting any hits.&lt;/P&gt;&lt;P&gt;Edit:&lt;/P&gt;&lt;P&gt;In the former post I posted the wrong screen dumps; I posted the dynamic NAT ones. So from here on I'll concentrate on the manual NAT rule and change the original &lt;SPAN&gt;source and translated source. But it still doesn't change anything.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;gt; packet-tracer input Outside_if tcp 192.168.0.232 20000 192.168.2.82 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=716207557, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=709439557, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.82 using egress ifc  Inside_if(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp any any eq 20000 rule-id 268438530 
access-list CSM_FW_ACL_ remark rule-id 268438530: ACCESS POLICY: Area51 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438530: L7 RULE: SFTP-20000
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 Forward Flow based lookup yields rule:
 in  id=0x1512f1c14250, priority=12, domain=permit, deny=false
        hits=22, user_data=0x1513064869c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=20000, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e858dc50, priority=7, domain=conn-set, deny=false
        hits=16237, user_data=0x1512e8588fe0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=1006888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1690170, priority=0, domain=inspect-ip-options, deny=true
        hits=564137, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside_if,Outside_if) source static Kasperstore interface service SVC_30064977916 SVC_30064977916
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x1512e897fbc0, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0x1512f182ff80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.2.82, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf456a5 flow (NA)/NA

&amp;gt; show nat detail

Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Kasperstore interface  service SVC_30064977916 SVC_30064977916
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.2.82/32, Translated: 192.168.0.254/24
    Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000 

Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 138968, untranslate_hits = 3856
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Br. Kasper&lt;/P&gt;</description>
      <pubDate>Mon, 25 Jul 2022 16:24:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pat-is-not-working/m-p/4656920#M1092125</guid>
      <dc:creator>Kasper Elsborg</dc:creator>
      <dc:date>2022-07-25T16:24:50Z</dc:date>
    </item>
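The two things this thread turns on are easy to check mechanically: the NAT rule that Marius Gunnerud identified as written backwards (the FTD interface IP as the original source, the server as the translated source), and the rpf-check DROP in the last packet-tracer, which was run from Outside_if against the server's real address 192.168.2.82 instead of the mapped address 192.168.0.254. The Python below is an added example and is not code from Cisco or from anyone in the thread. It parses `show nat detail` and packet-tracer text with regular expressions written for the output format shown above, flags static rules whose Origin is an FTD interface address, checks that an outside-side packet-tracer targets the mapped address rather than the real one, and extracts the phase that dropped the packet. The sample strings are trimmed copies of the thread's own output; the one assumption is that any rule mapping to the `interface` keyword reveals that interface's IP.

```python
"""Added example (not Cisco code): triage helpers for the `show nat detail` and packet-tracer output above."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^\s*\d+\s+\((?P<real_ifc>[^)]+)\)\s+to\s+\((?P<mapped_ifc>[^)]+)\)"
                     r"\s+source\s+(?P<kind>static|dynamic)\s+(?P<rest>.+)$")
SOURCE_RE = re.compile(r"Source - Origin:\s*(?P<origin>\S+),\s*Translated:\s*(?P<translated>\S+)")
PT_CMD_RE = re.compile(r"packet-tracer input (?P<ifc>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<sport>\d+) "
                       r"(?P<dst>\S+) (?P<dport>\d+)")


@dataclass
class NatRule:
    real_ifc: str          # interface behind which the real (untranslated) address lives
    mapped_ifc: str        # interface on which the mapped address is reachable
    kind: str              # "static" or "dynamic"
    rest: str              # object names / "interface" keyword, as printed on the rule line
    origin: str = ""       # "Source - Origin", e.g. 192.168.2.82/32
    translated: str = ""   # "Source - Translated", e.g. 192.168.0.254/24


def ip(addr):  # strip the /prefix that `show nat detail` appends to addresses
    return addr.split("/")[0]


def parse_show_nat_detail(text):
    """NatRule objects in the order `show nat detail` prints them (Section 1 first)."""
    rules, cur = [], None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            cur = NatRule(m["real_ifc"], m["mapped_ifc"], m["kind"], m["rest"].strip())
            rules.append(cur)
        elif cur and (m := SOURCE_RE.search(line)):
            cur.origin, cur.translated = m["origin"], m["translated"]
    return rules


def reversed_static_rules(rules):
    """Static rules whose Origin is an FTD interface address, i.e. original/translated are swapped.
    Assumption: a rule that maps to the `interface` keyword reveals that interface's IP."""
    ifc_ips = {ip(r.translated) for r in rules if "interface" in r.rest.split()}
    return [r for r in rules if r.kind == "static" and ip(r.origin) in ifc_ips]


def check_outside_test(command, rule):
    """From the mapped side a packet-tracer must target the mapped address, not the real one
    (aiming at the real IP from Outside_if is what produced the rpf-check DROP above).
    Returns "" when the command is fine, otherwise a message with the corrected command."""
    m = PT_CMD_RE.search(command)
    if not m or m["ifc"] != rule.mapped_ifc or m["dst"] != ip(rule.origin):
        return ""
    return (f"{m['dst']} is the real address; from {rule.mapped_ifc} test the mapped one: "
            f"packet-tracer input {rule.mapped_ifc} {m['proto']} {m['src']} {m['sport']} "
            f"{ip(rule.translated)} {m['dport']} detailed")


def drop_phase(trace):
    """The packet-tracer phase with Result: DROP, with its Config lines and the Drop-reason code."""
    phases, cur, in_config = [], None, False
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "type": "", "result": "", "config": []}
            phases.append(cur)
            in_config = False
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Result:")):  # the bare trailing "Result:" keeps the old value
            key = line.split(":")[0].lower()
            cur[key] = line.split(":", 1)[1].strip() or cur[key]
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line.strip():
            cur["config"].append(line.strip())
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    if dropped:
        m = re.search(r"Drop-reason:\s*\((?P<code>[^)]+)\)", trace)
        dropped["reason"] = m["code"] if m else ""
    return dropped


# Trimmed copies of the thread's output: the reversed rule (interface IP as Origin) and its corrected form.
SHOW_NAT_REVERSED = """\
Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service SVC_30064977916 SVC_30064977916
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
Auto NAT Policies (Section 2)
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
"""
SHOW_NAT_FIXED = SHOW_NAT_REVERSED.replace(
    "static Area51-outside-if Kasperstore ", "static Kasperstore interface ").replace(
    "Origin: 192.168.0.254/32, Translated: 192.168.2.82/32", "Origin: 192.168.2.82/32, Translated: 192.168.0.254/24")
PACKET_TRACER = """\
> packet-tracer input Outside_if tcp 192.168.0.232 20000 192.168.2.82 20000 detailed
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside_if,Outside_if) source static Kasperstore interface service SVC_30064977916 SVC_30064977916
Additional Information:
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf456a5 flow (NA)/NA
"""
```

Run against SHOW_NAT_REVERSED, `reversed_static_rules` returns the Section 1 rule because its Origin 192.168.0.254 is the address the dynamic PAT rule maps to `interface`; against SHOW_NAT_FIXED it returns nothing. `check_outside_test` on the thread's last packet-tracer command emits the form that actually exercises the untranslate path from Outside_if, with 192.168.0.254 20000 as the destination, and `drop_phase` reports phase 8, type NAT, reason acl-drop, with the offending nat line as its Config.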
  </channel>
</rss>

