topic Re: Cisco 1140 FTD additional public IP range in Network Security

Cisco 1140 FTD additional public IP range

peat — Thu, 31 Oct 2024 11:24:08 GMT

Hi,

I am struggling to get my head around how to get an additional public ip range working through a cisco 1140 ftd.

I had asked previously and was told there arent alias interfaces or suchlike on the FTD like there is on Sophos and was told to just use static nat.

Ive watched a ton of videos and looked online and I keep finding different suggestions. (I cant get any to work anyway)

Below is a bad diagram of what my setup looks like (ive used made up public ips just for an example).

What i want to do is

1) traffic from the internet to the web server for http, https, udp 59221, tcp 59221 using the public ip 205.20.111.36

2) rdp to the rdp server using the public ip 205.20.111.33 but port 45456

3) have the public ip of 205.20.111.38 work on the internal router.

For 2) I have tried just doing a normal static nat with and without RDP port in destination port fields (ive also got it disabled at the moment but when testing i have enabled the status)

For info, internet out is working fine and i can remote onto the firewall fine too. so those basics are all ok. Oh i also forgot on my diagram i have an inside interface on subnet 192.168.1.x and also another interface on 192.168.3.x

If anyone could help it would be gratefully received.

Re: Cisco 1140 FTD additional public IP range

peat — Thu, 31 Oct 2024 14:36:52 GMT

After watching more videos and learning that static nat is bidirectional and you control the direction via ACL I have tried my NAT this way. which still doesnt work.

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Thu, 31 Oct 2024 15:05:47 GMT

the interface is correct
the rule must be manual NAT

that it

MHM

Re: Cisco 1140 FTD additional public IP range

peat — Fri, 01 Nov 2024 09:29:51 GMT

Changed it to manual but rule still doesnt work. Did a packet tracer and its looking like its hitting the default deny access rule and not being allowed by my access rule. What is wrong with the access rule I have done?

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Fri, 01 Nov 2024 09:33:59 GMT

Share last config of NAT and ACP

MHM

Re: Cisco 1140 FTD additional public IP range

peat — Fri, 01 Nov 2024 09:37:03 GMT

Re: Cisco 1140 FTD additional public IP range

Aref Alsouqi — Fri, 01 Nov 2024 10:31:42 GMT

Let's focus on requirement number 2, the others would have same concept and setup. In your last NAT screenshot you have configured the translated source address to be the outside interface. This should be changed with the RDP public IP 205.20.111.33, so you can create an object with that public IP and select it instead of the outside interface. If not if you leave the translated source as the outside interface it would mean the RDP server IP will be translated to the firewall outside interface IP.

Also, if you want the RDP traffic to be served on port 45456/tcp, then also here you have to change the translated source port to be port 45456/tcp. Finally on the access list you will have to change the destination port from the traditional RDP port 3389/tcp to 45456/tcp because port 45456/tcp will be the port exposed to the external world, so anyone that will try to RDP to the RDP server will be using port 45456/tcp.

Re: Cisco 1140 FTD additional public IP range

peat — Fri, 01 Nov 2024 11:25:08 GMT

Thanks, sorry ive wasted your time a bit there. To try and get it working in the simplest way my latest attempt is to get RDP working on the actual public ip of 205.20.102.222 using just the standard rdp port of 3389. Thats what my latest screenshot attempts were.

I thought if i could get it working in the simplest form then afterwards i could introduce each additional step one at a time (as in the 45456 port and then getting it to the other public ip)

Re: Cisco 1140 FTD additional public IP range

Aref Alsouqi — Fri, 01 Nov 2024 15:31:14 GMT

No worries and what you're saying makes sense. Could you please try to create an object with the public IP 205.20.111.33 and change the translated source IP to this one rather than the interface and see if that works? if not, then please run some packet capture on the outside interface filtering with RDP port while you are testing RDP connection. This will allow us to see if you actually receive any traffic from the source. Alternatively, please run packet tracer simulating some traffic from one of the allowed sources with the public IP 205.20.111.33 and RDP port as destinations.

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Fri, 01 Nov 2024 18:10:18 GMT

public IP is not attach directly to any FTD interfaces
so you need two steps
1- use object host 205.20.111.38 instead of using interface in ACL and NAT
2- use static route for this IP point to OUT interface

MHM

Re: Cisco 1140 FTD additional public IP range

peat — Mon, 04 Nov 2024 14:45:02 GMT

I am reading this as its not hitting the acl and just hitting the default deny all acl?

> packet-tracer input outside tcp x.x.x.x 3389 x.x.x.x 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 14848 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 11776 ns
Config:
nat (inside,outside) source static RDPserver interface service _|NatOrigSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7 _|NatMappedSvc_dbf4c634-97ae-11ef-8448-d18b8885a4a7
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate x.x.x.x/3389 to 192.168.1.10/3389

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 6656 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 33280 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561737636518 flow (NA)/NA

>
>

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Mon, 04 Nov 2024 15:13:12 GMT

This good' now NAT working as we want.

For ACL you need to specify ANY under source network' why ypu use object-group for network??

MHM

Re: Cisco 1140 FTD additional public IP range

peat — Mon, 04 Nov 2024 15:38:00 GMT

We have to lock down the RDP access to just the IT support

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Mon, 04 Nov 2024 15:45:15 GMT

Ok, just make it any to check

Do packet-tracer or do real connect.

If traffic will not pass then we need to look for other reason

It temporarily for troubleshooting

MHM

Re: Cisco 1140 FTD additional public IP range

Aref Alsouqi — Mon, 04 Nov 2024 15:47:00 GMT

The port that you specify after the source IP in the packet tracer command would be the source port. Don't worry much about that port as it could be anything like 12345, however, the second port that you specify after the destination IP is the port that should be accessed from outside. Did you specify one of the source allowed IP addresses on packet tracer command? if so, you might need to double check the access list rules and see why is not matching the right rule that would allow this traffic from outside to inside.

Re: Cisco 1140 FTD additional public IP range

peat — Mon, 04 Nov 2024 16:34:31 GMT

yeah i just have left rdp at 3389 for the moment for testing but will change that once it all works.

yeah i had the source IP on packet tracer as the one thats the allowed IP on the ACL. Ill remove that from the acl and test again

Re: Cisco 1140 FTD additional public IP range

peat — Mon, 04 Nov 2024 16:51:52 GMT

Well this is odd. Its failing the deployment when i try and remove the support IP from the RDP rule. So I have gone on the cli and the rdp rule is not there. But its showing on the FTD Gui.

access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: DNAT_Sig
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside any ifc inside object SigServer_INT rule-id 268435460 event-log flow-end

access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L7 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both

access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: WAN_internalPubrange
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside object any-ipv4 object Internal_Pub_IP_range rule-id 268435464 event-log flow-end

access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L7 RULE: Prod_WAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc prod any ifc outside any rule-id 268435458

access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1

access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: LAN_Prod
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside any ifc prod any rule-id 268435462

access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Prod_LAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc prod any ifc inside any rule-id 268435463

Re: Cisco 1140 FTD additional public IP range

Aref Alsouqi — Mon, 04 Nov 2024 17:16:33 GMT

Could be a software bug and this could be why it was showing no match on any rule but the default one when you ran packet tracer. Could you please try to add a replica of the DNAT_RDP rule, deploy and test again?

Re: Cisco 1140 FTD additional public IP range

MHM Cisco World — Mon, 04 Nov 2024 17:28:25 GMT

No need this any more.

MHM

Re: Cisco 1140 FTD additional public IP range

peat — Mon, 04 Nov 2024 17:27:08 GMT

Thats got it. shame I cant get rid of that ghost bugged rule but its working now thats the main thing.

Thanks