https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286608#M1120820 <P>Sorry I confuse with other issue with anyconnect.</P> <P>Anyway&nbsp;</P> <P>Rpf-check (drop) this cause because of asymmetric traffic.</P> <P>Use packet-tracer but this time from inside to outside1/2</P> <P>See if NAT is select correctly.</P> <P>MHM</P> Wed, 30 Apr 2025 13:35:31 GMT MHM Cisco World 2025-04-30T13:35:31Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286520#M1120811 <P>Good morning everyone,</P><P>I am using a CSF 1210CE FTD and I need to publish a service so that it can be reached from two public IP addresses provided by different ISPs.<BR />I configured a second external interface, created two static NATs with port translation (external 32500, internal 8080) one for each external interface and the relative access control rule.<BR />The server is reachable from the first public IP address but not from the second.<BR />From the syslog messages analysis it seems that the port translation is not performed on outside2 but only on outside1.<BR />I checked and the NAT configuration is correct.<BR />Can anyone help me?<BR />Thanks<BR />Have a nice day<BR />Giuseppe</P> Wed, 30 Apr 2025 09:09:46 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286520#M1120811 Brunetta7 2025-04-30T09:09:46Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286526#M1120812 <P>First&nbsp;</P> <P>1- are you sure DNS return ISP2 public IP?</P> <P>2- are you sure FTD dont use ISP1 for retrun traffic' try use packet tracer to check that.</P> <P>MHM</P> Wed, 30 Apr 2025 09:38:09 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286526#M1120812 MHM Cisco World 2025-04-30T09:38:09Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286534#M1120813 <P>Thanks for the reply.<BR />Users to connect remotely use the public IP address directly, not a domain name resolved by a DNS.<BR />The remote user's request reaches outside2 correctly, the IP address of outside2 is reported in the syslog message. I don't think there are problems returning to isp1 because the packet is stopped before. To be clearer I'll post the syslog messages.<BR />I hid the source IP with X.X.X.X</P><P>syslog message for connection from isp1,&nbsp; it's ok<BR />12:28:11 +ACU-FTD+AC0-6+AC0-302013: Built inbound TCP connection 277393 for outside:X.X.X.X/1724/1724 (X.X.X.X/1724) to inside:192.168.0.25/8080 (10.11.13.2/32500) 1 6<BR />12:28:24 +ACU-FTD+AC0-6+AC0-302014: Teardown TCP connection 277393 for outside:X.X.X.X/1724 to inside:192.168.0.25/8080 duration 0:00:13 bytes 361335 TCP Reset+AC0-O from outside 1 6</P><P>syslog message for connection from isp2 ,&nbsp; it's fail<BR />12:28:27 +ACU-FTD+AC0-6+AC0-302013: Built inbound TCP connection 277416 for outside2:X.X.X.X/1548 (X.X.X.X/1548) to inside:192.168.0.25/32500 (192.168.178.2/32500) 1 6<BR />12:28:27 +ACU-FTD+AC0-6+AC0-302014: Teardown TCP connection 277416 for outside2:X.X.X.X/1548 to inside:192.168.0.25/32500 duration 0:00:00 bytes 0 TCP Reset+AC0-O from inside 1 6</P><P>As you can see from the logs in the second case it seems that the port translation is not done</P> Wed, 30 Apr 2025 10:20:23 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286534#M1120813 Brunetta7 2025-04-30T10:20:23Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286538#M1120814 <P>Use packet-tracer to see in which phase the traffic is drop</P> <P>MHM</P> Wed, 30 Apr 2025 10:41:08 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286538#M1120814 MHM Cisco World 2025-04-30T10:41:08Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286569#M1120815 <P>I am not very familiar with Packet-tracer.<BR />I tried the following:<BR />packet-tracer&nbsp;input&nbsp;outside2&nbsp;t X.X.X.X 32500 192.168.0.25&nbsp;8080&nbsp;<BR />The result is this:<BR />.....<BR />Phase:&nbsp;6<BR />Type:&nbsp;NAT<BR />Subtype:&nbsp;rpf-check<BR />Result:&nbsp;DROP<BR />Elapsed&nbsp;time:&nbsp;34816&nbsp;ns<BR />Config:<BR />nat&nbsp;(inside,outside2)&nbsp;after-auto&nbsp;source&nbsp;static&nbsp;INTERNAL_SERVER ADDGRP_IPEsterni&nbsp;service&nbsp;_|NatOrigSvc_2d46bfc6-21f9-11f0-8111-efd80de64e46&nbsp;_|NatMappedSvc_2d46bfc6-21f9-11f0-8111-efd80de64e46<BR />Additional&nbsp;Information:</P><P>Result:<BR />input-interface:&nbsp;outside2(vrfid:0)<BR />input-status:&nbsp;up<BR />input-line-status:&nbsp;up<BR />output-interface:&nbsp;inside(vrfid:0)<BR />output-status:&nbsp;up<BR />output-line-status:&nbsp;up<BR />Action:&nbsp;drop<BR />Time&nbsp;Taken:&nbsp;78848&nbsp;ns<BR />Drop-reason:&nbsp;(acl-drop)&nbsp;Flow&nbsp;is&nbsp;denied&nbsp;by&nbsp;configured&nbsp;rule,&nbsp;Drop-location:&nbsp;frame&nbsp;snp_sp_handle_flow_drop:4208&nbsp;flow&nbsp;(NA)/NA</P> Wed, 30 Apr 2025 12:03:38 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286569#M1120815 Brunetta7 2025-04-30T12:03:38Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286572#M1120816 <P>I need to see whole packet tracer&nbsp;</P> <P>MHM</P> Wed, 30 Apr 2025 12:08:43 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286572#M1120816 MHM Cisco World 2025-04-30T12:08:43Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286577#M1120817 <P>&gt; packet-tracer input outside2 t X.X.X.X 32500 192.168.0.25 8080<BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: No ECMP load balancing<BR />Result: ALLOW<BR />Elapsed time: 22528 ns<BR />Config:<BR />Additional Information:<BR />Destination is locally connected. No ECMP load balancing.<BR />Found next-hop 192.168.0.25 using egress ifc inside(vrfid:0)<BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Elapsed time: 5376 ns<BR />Config:<BR />access-group NGFW_ONBOX_ACL global<BR />access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside2 object-group |acSrcNwg-268435463 ifc inside object IP_INTERNAL_SERVER rule-id 268435463 event-log both<BR />access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy<BR />access-list NGFW_ONBOX_ACL remark rule-id 268435463: L7 RULE: RULE3<BR />object-group service |acSvcg-268435463<BR />service-object tcp destination eq 8080<BR />service-object tcp destination eq 32500<BR />object-group network |acSrcNwg-268435463<BR />group-object ADDGRP_IPEsterni<BR />network-object object NOSTRIPPubblico2<BR />Additional Information:<BR />This packet will be sent to snort for additional processing where a verdict will be reached<BR />Phase: 3<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Elapsed time: 5376 ns<BR />Config:<BR />class-map class-default<BR />match any<BR />policy-map global_policy<BR />class class-default<BR />set connection decrement-ttl<BR />service-policy global_policy global<BR />Additional Information:<BR />Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Elapsed time: 5376 ns<BR />Config:<BR />Additional Information:<BR />Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Elapsed time: 5376 ns<BR />Config:<BR />Additional Information:<BR />Phase: 6<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Elapsed time: 34816 ns<BR />Config:<BR />nat (inside,outside2) after-auto source static IP_INTERNAL_SERVER ADDGRP_IPEsterni service _|NatOrigSvc_2d46bfc6-21f9-11f0-8111-efd80de64e46 _|NatMappedSvc_2d46bfc6-21f9-11f0-8111-efd80de64e46<BR />Additional Information:<BR />Result:<BR />input-interface: outside2(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside(vrfid:0)<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Time Taken: 78848 ns<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame snp_sp_handle_flow_drop:4208 flow (NA)/NA</P> Wed, 30 Apr 2025 12:21:43 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286577#M1120817 Brunetta7 2025-04-30T12:21:43Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286581#M1120818 <P>Edit</P> <P>MHM</P> Wed, 30 Apr 2025 13:27:55 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286581#M1120818 MHM Cisco World 2025-04-30T13:27:55Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286589#M1120819 <P>I apologize but I did not understand the answer.<BR />Obviously for privacy reasons I changed addresses and ports.<BR />Inside my network I have a server with proprietary software that accepts connections from external users without VPN.<BR />To balance the load of incoming connections, two public IP addresses are used.<BR />The previous firewall worked like this, now I'm trying to replicate the same behavior on the CSF1210CE FTD,<BR />is it possible?</P><P>Thanks</P> Wed, 30 Apr 2025 12:44:28 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286589#M1120819 Brunetta7 2025-04-30T12:44:28Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286608#M1120820 <P>Sorry I confuse with other issue with anyconnect.</P> <P>Anyway&nbsp;</P> <P>Rpf-check (drop) this cause because of asymmetric traffic.</P> <P>Use packet-tracer but this time from inside to outside1/2</P> <P>See if NAT is select correctly.</P> <P>MHM</P> Wed, 30 Apr 2025 13:35:31 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5286608#M1120820 MHM Cisco World 2025-04-30T13:35:31Z https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5287231#M1120847 <P>Good morning everyone,<BR />I finally managed to solve it, the problem was a trivial conflict with another nat policy.<BR />After eliminating the unnecessary static nat, I managed to get my services working on both outside interfaces.<BR />Thanks to MHM for your time.<BR />Have a nice day<BR />Giuseppe</P> Fri, 02 May 2025 13:39:07 GMT https://community.cisco.com/t5/network-security/ftd-port-translation-is-not-performed-on-outside2-interface/m-p/5287231#M1120847 Brunetta7 2025-05-02T13:39:07Z