topic Re: FTD NAT in Network Security

FTD NAT

jebankshrcu — Thu, 23 May 2024 22:59:14 GMT

Hi Team,

So currently I have a FTD that I manage via FDM. Am trying to access an internal host from the outside via port 8888 but internally it should translate back to ssh (22). Screenshot is my nat rule. Not sure if am doing something wrong and what else am missing cause the rules I have it widely open to see if thats the issue but still nothing.

Re: FTD NAT

balaji.bandi — Fri, 24 May 2024 06:32:37 GMT

what is the error you getting when you initiate the connection from outside IP address and port 8888 ?

does the webserver running service 22 ? web server runs on generally 443 ? so what web server is this ?

i have tested in my Lab some time it works as expected for reference :

https://www.balajibandi.com/?p=1855

Debug - run on FDM or cli see if the packet reaching the outside interface or not first before it process NAT and inside ACL.

sometime the provider do not allow some incoming packets on odd ports.

Re: FTD NAT

Marvin Rhoads — Fri, 24 May 2024 13:13:53 GMT

Try packet-tracer from the FTD cli and let us know what you get.

packet-tracer input outside tcp 1.1.1.1 1234 <outside interface address> 8888

https://community.cisco.com/t5/security-knowledge-base/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Also make sure there are no other rules or active connections using that same tcp port on the outside interface.

Re: FTD NAT

MHM Cisco World — Fri, 24 May 2024 13:38:42 GMT

first change the rule from auto to NAT rules before
second make sure you allow real IP and Port 22 in ACP

MHM

Re: FTD NAT

Marius Gunnerud — Fri, 24 May 2024 22:47:17 GMT

run a packet tracer from CLI, Verify that the access rules and NAT statements that are being hit are correct and that the action is allowed. If that looks good set up a packet capture on the webportal interface and see if there is traffic being captured in both directions. If you are only seeing traffic out towards the server but nothing in return, the the issue is either with the server itself or in the path between the firewall and the server.

If possible you can also run a tcpdump on the server in question and see if the SSH session is actually reaching the server.

Re: FTD NAT

jebankshrcu — Sat, 25 May 2024 17:14:22 GMT

So changing it from auto you mean use manual nat like the image attached?

Re: FTD NAT

jebankshrcu — Mon, 27 May 2024 21:14:49 GMT

How can I do this nat rule on a Cisco FTD using the FDM rather than the FMC?

Re: FTD NAT

MHM Cisco World — Wed, 29 May 2024 11:02:22 GMT

Sorry I make you waiting
I was busy