topic Re: Newbie Question in Network Security

Newbie Question

MorrisJM — Fri, 21 Feb 2020 15:58:11 GMT

I recently purchased a 5506-X FTD firewall and am having difficulties enabling outside-inside traffic. I want to allow OpenVPN traffic (port 1194) . I opened port 1194 on the outside i/f as shown in the attached screen shot. I then tried a packet trace:

> packet-tracer input outside udp 8.8.8.8 3344 76.14.82.204 1194

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 76.14.82.204 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't understand why access control denies the connection, since I thought I enabled the correct port. Any help would be greatly appreciated.

Re: Newbie Question

Rahul Govindan — Tue, 10 Jul 2018 18:39:09 GMT

OpenVPN should be under destination protocol, not source. If you are using 1194 as source port as well from the outside, then this would work. I don't think this is the case though as random ports would be used as source ports.

Re: Newbie Question

MorrisJM — Tue, 10 Jul 2018 22:06:26 GMT

Thanks for your reply. I tried OpenVPN as the destination port with source port ANY and I tried OpenVPN as both source and destination port. In both cases I got the same result as before.

Re: Newbie Question

Jesper Erbs — Wed, 11 Jul 2018 10:59:39 GMT

How does your NAT look?

Assuming that you have a private IP address on the inside network, then you have to translate your OpenVPN address.

Once the NAT is correctly implemented, you have to use the destination port as previously mentioned.

Re: Newbie Question

Rahul Govindan — Wed, 11 Jul 2018 12:39:10 GMT

Do you have a screenshot of the updated rule? Also run the packet tracer again after you have changed the port to destination in the policy.

Re: Newbie Question

MorrisJM — Wed, 11 Jul 2018 15:15:23 GMT

Thanks for your reply. The NAT configuration is attached.

Re: Newbie Question

MorrisJM — Wed, 11 Jul 2018 15:23:17 GMT

Thanks for your response. Attached in the screen shot for the updated rule.

Re: Newbie Question

Jesper Erbs — Wed, 11 Jul 2018 19:56:51 GMT

Try to reorder your NAT, so the static NAT is #1.

Re: Newbie Question

MorrisJM — Wed, 11 Jul 2018 20:14:43 GMT

That solved the problem. Thanks very, very much!! Just so I understand: the problem was that when static rules are searched a match on either source or destination selects the rule? In my case, the inside1_2 rule was chosen because it appeared earlier in the list?

Re: Newbie Question

MorrisJM — Wed, 11 Jul 2018 20:22:34 GMT

I meant when the manual rules are searched ...

Re: Newbie Question

Jesper Erbs — Thu, 12 Jul 2018 05:59:08 GMT

I am glad I could help.

Yes, the rules are matched top-down, so your inside1_2 rule took precedence.

There is a couple of ways of configuring NAT, but the main rule to remember is, that they are matched top-down.

But if you need a little reading - Here is a link on NAT in FDM. 🙂

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-nat.html#ID-2090-000000b5

Have a good day.