topic Re: PBR and NAT order of operation on FTD in Network Security

PBR and NAT order of operation on FTD

Madura Malwatte — Fri, 21 Feb 2020 17:29:02 GMT

I understand PBR works on FTD via flexconfig, but I wanted to double check the order of operations for NAT.

I have two ISP links and want to send traffic from a particular internal subnet out ISP2 instead of ISP1. After PBR is done on the FTD, would it then apply the NAT rule for the ISP2 interface? Is the FTD firepower software following the same order of operation as described in this document - https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

Re: PBR and NAT order of operation on FTD

harmesh88 — Wed, 11 Sep 2019 09:06:46 GMT

Dear ,

When you will do policy route traffic will forcefully go with configured ISP

i suggest please make dedicated nat rule for this subnet and put in starting order .

Also You can run packet tracer to watch traffic order .

Regards,

Harmesh Yadav

Re: PBR and NAT order of operation on FTD

Marvin Rhoads — Thu, 12 Sep 2019 11:03:33 GMT

The NGFW (FTD) policy order of operations is described in detail here:

https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/Self-Help/NGFW_Policy_Order_of_Operations.pdf

Here's a good visual guide excerpted from it:

Re: PBR and NAT order of operation on FTD

Madura Malwatte — Thu, 19 Sep 2019 03:37:42 GMT

Hi Marvin,

I saw this document earlier, but it doesn't show where the PBR component sits in the order. Also the document doesn't explain the traffic flow through these different components. Example how does pre-filter fastpathed to L3, L2 hops work? Is there a some document (couldn't find in cisco live ones either) about the traffic flow though the FTD?

Re: PBR and NAT order of operation on FTD

Marvin Rhoads — Thu, 19 Sep 2019 05:27:45 GMT

I have an older (2015) techzone document from Cisco which explains it thus:

For the first packet in a flow, PBR processing occurs on the ingress interface to which it is applied BEFORE applying NAT or module inspection on traffic (between steps 4 and 5 in the figure below). When traffic arrives that matches the configured the routemap, the ASA will do a route lookup to determine the egress interface. With PBR you can manually take various actions on the traffic such as set next hop, set a DSCP value, set egress interface, etc. Once the egress interface is determined, any inspection or NAT and CX/SF policies are processed as per the normal process.

Furthermore, when you have PBR configured, it will show up in packet-tracer output so you can see explicitly where it sits in order of operations on your particular device's configuration. It would normally show up as Phase 3 (after having been found to be a new connection and not denied by input ACL). Input ACL in classic ASA is roughly equivalent to prefilter in FTD. So you can say the PBR is after prefilter but before DAQ sends the traffic to Snort (= shorthand for the whole chain from SI through IPS in the diagram)