topic Re: Azure vFTD NAT rule in Network Security

Azure vFTD NAT rule

amitspanchal — Sun, 28 Apr 2024 14:28:12 GMT

We have deployed a vFTD on the Azure environment. The configuration of the firewall is as follows.

inside interface ip : 10.2.2.4/24

outside interface ip : 10.2.1.4/24

internal server ip : 10.0.0.6

Also the firewall is able to ping to the server from its inside interface.

Now we want to configure the server to be accessible from the internet. So we have created a NAT rule for it.

TCP PAT from inside:10.0.0.6 8443-8443 to outside:10.2.1.4 8443-8443

And also created a Access rule to allow connections from outside towards this server. But still we are unable to access the server from outside.

Below packet tracer snap.

> packet-tracer input outside tcp 1.1.1.1 8443 10.0.0.6 8443

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 25917 ns
Config:
Additional Information:
Found next-hop 10.2.2.1 using egress ifc inside(vrfid:0)

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 0
Destination Object Group Match Count: 1
Object Group Search: 0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 244 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc outside any ifc inside object Prod_KeyClock object-group 8443_port rule-id 268434437
access-list CSM_FW_ACL_ remark rule-id 268434437: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434437: L7 RULE: Server_Access
object-group service 8443_port tcp
port-object eq 8443
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 244 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 244 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 244 ns
Config:
Additional Information:

Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 18093 ns
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 4890 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 49876 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558b65312829 flow (NA)/NA

Also a public IP has been assigned to the firewall in Azure.

Re: Azure vFTD NAT rule

balaji.bandi — Sun, 28 Apr 2024 16:18:20 GMT

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP

you have DROP here, can you post relevant config NAT and ACL to look

check some example :

https://www.petenetlive.com/KB/Article/0000904

Re: Azure vFTD NAT rule

MHM Cisco World — Sun, 28 Apr 2024 16:25:43 GMT

Wrong packet tracer

> packet-tracer input outside tcp 1.1.1.1 12345 10.2.1.4 8443 detail

Share about of above

MHM

Re: Azure vFTD NAT rule

amitspanchal — Sun, 28 Apr 2024 16:32:07 GMT

> packet-tracer input outside tcp 1.1.1.1 12345 10.2.1.4 8443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 21516 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 10.2.1.4/8443 to 10.0.0.6/8443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 195 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc outside any ifc inside object Prod_KeyClock object-group 8443_port rule-id 268434437
access-list CSM_FW_ACL_ remark rule-id 268434437: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434437: L7 RULE: Server_Access
object-group service 8443_port tcp
port-object eq 8443
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Static translate 1.1.1.1/12345 to 1.1.1.1/12345

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:

Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 14670 ns
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 4890 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 31785 ns
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 489 ns
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 12714 ns
Config:
Additional Information:
New flow created with id 1360, packet dispatched to next module

Phase: 14
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 42543 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 229552 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268434437
Additional Information:
Starting rule matching, zone 1 -> 2, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434437 - Allow

Phase: 16
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 19534 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 17
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5868 ns
Config:
Additional Information:
Found next-hop 10.2.2.1 using egress ifc inside(vrfid:0)

Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 1467 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.2.1 on interface inside
Adjacency :Active
MAC address 1234.5678.9abc hits 26 reference 1

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 386003 ns

By the way which you said me the result is showing me allow. So what could be the reason that the server is not accessible from outside.

Re: Azure vFTD NAT rule

MHM Cisco World — Sun, 28 Apr 2024 16:40:22 GMT

Do test again and share result' some times packet tracer need to run twice to show where packet drop.

Also

Do show arp

Check is IP-MAC is correct or not

Last point the next-hop is in different subnet than server ???

Next-hop 10.2.2.1 on interface inside
Adjacency :Active
MAC address 1234.5678.9abc hits 26 reference 1

Re: Azure vFTD NAT rule

amitspanchal — Sun, 28 Apr 2024 16:50:28 GMT

Have run the test again and this time also the result showed success.

Also I had done show arp but didn't got any arp entry for that IP. But I am able to ping 10.0.0.6 from the firewall.

> ping interface inside 10.0.0.6
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
> show arp
outside 10.2.1.1 1234.5678.9abc 11273
inside 10.2.2.1 1234.5678.9abc 3075
>

The next hop to the server network is in the same network of the inside interface network.

> show route 10.0.0.6

Routing entry for 10.0.0.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.2.2.1, via inside
Route metric is 0, traffic share count is 1

Re: Azure vFTD NAT rule

MHM Cisco World — Sun, 28 Apr 2024 17:15:49 GMT

This inside L3 device 10.2.2.1 have defualt route toward FTD?

MHM

Re: Azure vFTD NAT rule

amitspanchal — Sun, 28 Apr 2024 17:21:40 GMT

yes it has default route towards firewall

Re: Azure vFTD NAT rule

MHM Cisco World — Sun, 28 Apr 2024 17:29:22 GMT

> packet-tracer input inside tcp 10. 0.0.6 8443 1.1.1.1 12345 details

There nothing wrong as I see form OUT to IN

Check from IN to OUT

Re: Azure vFTD NAT rule

amitspanchal — Sun, 28 Apr 2024 17:34:43 GMT

> packet-tracer input inside tcp 10.0.0.6 8443 1.1.1.1 12345 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 13203 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c01be30, priority=1, domain=permit, deny=false
hits=239, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 17604 ns
Config:
Additional Information:
Found next-hop 10.2.1.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 1
Object Group Search: 1

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 195 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside object-group FMC_INLINE_src_rule_268434433 ifc outside any rule-id 268434433
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Internet-rULE
object-group network FMC_INLINE_src_rule_268434433(hitcnt=138, id=4026531842)
network-object object Hobasa_Prod_Vnet_Network_1(hitcnt=3)
network-object object Insideinterface_Network(hitcnt=135)
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x14f89c7653e0, priority=12, domain=permit, deny=false
hits=2, user_data=0x14f8e9de1200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=240.0.0.2, mask=255.255.255.255, port=0, tag=any, ifc object-group id 973
dst ip/id=240.1.0.2, mask=255.255.255.255, port=0, tag=any, ifc=outside(vrfid:0),
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c1cd6c0, priority=7, domain=conn-set, deny=false
hits=2, user_data=0x14f89c1c37d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Static translate 10.0.0.6/8443 to 10.2.1.4/8443
Forward Flow based lookup yields rule:
in id=0x14f89c045d90, priority=6, domain=nat, deny=false
hits=1, user_data=0x14f89c3277f0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=10.0.0.6, mask=255.255.255.255, port=8443, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f8ffa64760, priority=0, domain=nat-per-session, deny=false
hits=583, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c025c80, priority=0, domain=inspect-ip-options, deny=true
hits=147, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=any

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 14181 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f8ffe6ae30, priority=70, domain=qos-per-class, deny=false
hits=37, user_data=0x14f89c06a810, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 6357 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14f89d7b7680, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x14f89c6058e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.0.0.6, mask=255.255.255.255, port=8443, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 11
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 27384 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8ffe6ae30, priority=70, domain=qos-per-class, deny=false
hits=38, user_data=0x14f89c06a810, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 489 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8ffa64760, priority=0, domain=nat-per-session, deny=false
hits=585, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8fff71c30, priority=0, domain=inspect-ip-options, deny=true
hits=206, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=outside(vrfid:0), output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 10758 ns
Config:
Additional Information:
New flow created with id 1526, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 38142 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 16
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 348582 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268434433
Additional Information:
Starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434433 - Allow

Phase: 17
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 24540 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 18
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 4890 ns
Config:
Additional Information:
Found next-hop 10.2.1.1 using egress ifc outside(vrfid:0)

Phase: 19
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 1956 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.1.1 on interface outside
Adjacency :Active
MAC address 1234.5678.9abc hits 13 reference 1

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 509061 ns

This also shows as allow.

Is there anything that I have to do at Azure end?

Re: Azure vFTD NAT rule

MHM Cisco World — Sun, 28 Apr 2024 18:06:14 GMT

> show arp
outside 10.2.1.1 1234.5678.9abc 11273
inside 10.2.2.1 1234.5678.9abc 3075

Both use same mac if you not change it!!

MHM

Re: Azure vFTD NAT rule

amitspanchal — Tue, 28 May 2024 11:11:34 GMT

Hi everyone,

Thanks for you help, but we have figured out the solution. Actually the NAT rule for the Azure firewall has to configure differently compared to the on-prem firewall. Below NAT rule I have applied and worked for me.