topic FTDv in Azure in Network Security

FTDv in Azure

zi — Fri, 21 Feb 2020 15:22:37 GMT

Did anyone get FTDv working in azure ? The FTDv is not passing external traffic to the VM .

Re: FTDv in Azure

jimholla — Tue, 20 Feb 2018 12:44:02 GMT

Have you watched this YouTube video?

https://www.youtube.com/watch?v=n3tyF9FbUr0&t=1812s

Jim

Re: FTDv in Azure

zi — Tue, 20 Feb 2018 21:32:44 GMT

Yes, i watched all of his videos . and followed his setup sted by step. I've been working with Cisco TAC and MS Azure support for a Week now without any results!

Thanks for your response.

Re: FTDv in Azure

zi — Tue, 20 Feb 2018 21:33:05 GMT

Yes, i watched all of his videos . and followed his setup sted by step. I've been working with Cisco TAC and MS Azure support for a Week now without any results!

Thanks for your response.

Re: FTDv in Azure

jimholla — Tue, 20 Feb 2018 21:46:42 GMT

Do you have an open TAC case?

Re: FTDv in Azure

zi — Tue, 20 Feb 2018 21:50:24 GMT

Yes, i do. ( 683998759 ) . If you can help it would be awesome.

Re: FTDv in Azure

jimholla — Tue, 20 Feb 2018 21:57:42 GMT

Let me take a look and get back. It may be tomorrow.

Re: FTDv in Azure

zi — Tue, 20 Feb 2018 21:59:26 GMT

Ok , sounds good .

Thank you for your help 😄

Re: FTDv in Azure

ewaterwo — Wed, 21 Feb 2018 00:38:22 GMT

What's the basic topology? And what traffic flows do you want to enable. Inbound initiated? Outbound initiated? both?

FTDv

inside outside Azure

VM -------- gig0/0 gig0/1 ------Internet GW----- Internet

ipVM ipIN ipOUT

..........ipPublic

Is it something like this? Please confirm or correct as needed.

Re: FTDv in Azure

zi — Wed, 21 Feb 2018 04:19:31 GMT

I have a basic topology in Azure , a couple of VM's in Azure and an FTDv . I want to the inbound and outbound traffic to go through the FTDv . The FTDv have 4 NICs, NIC0 (Managment ) - NIC1(Diagnostics) -NIC2(Outside with a public IP) -NIC3(inside, and defined as the next hop of the VM's using UDR's ) . All of these are under 1 Vnet .

Re: FTDv in Azure

zi — Wed, 21 Feb 2018 18:06:07 GMT

Hi Jimholla ,

Did you get the chance to look at this issue, please ?

Re: FTDv in Azure

patricia.guenther — Wed, 14 Mar 2018 19:59:08 GMT

Did you ever get a resolution to this? I am having similar issues. TAC didn't seem to be knowledgeable on how Azure works with vFTD. Being new to FTD and Azure I am stuck as well.

Re: FTDv in Azure

ewaterwo — Wed, 14 Mar 2018 20:35:41 GMT

Hi Patricia,

Here's an example with a typical deployment scenario. I'm assuming FTDv is registered with FMCv (if not, we can provide some additional info).

FTDv

inside outside Azure

VM -------- gig0/0 gig0/1 ------Internet GW----- Internet

ipVM ipIN ipOUT

..........ipPublic

Configure the gig0/0 and gig0/1 interfaces with the Private IP addresses that are assigned to them in Azure (ipIN and ipOUT). ( FTDv gig0/0 maps to the 3rd NIC in Azure. FTDv gig0/1 maps to the 4th NIC in Azure). Name them ( "inside" and "outside" for example). And give them zones ("inside" and "outside" for example").

Then create a new Public IP in Azure and associated it with your "outside" interface. This will be the effective Public IP for your backend server.

Once that's done, packets coming from internet will get NATed by Azure to your FTDv outside Private IP (ipOUT). You would then configure a NAT rule in FTDv (via FMCv gui) to NAT the traffic to the backend IP (ipVM in the diagram).

In FMC->Devices->NAT, create a "Threat Defense NAT" policy and add a rule like this:

This example will send HTTP to the backend server (ipVM😞

NAT Rule: Manual NAT Rule
Type: Static
Enable: enabled
Interface objects: source interface: "outside" destination interface: "inside"
Translation:
Original Source: any-ipv4(0.0.0.0/0)
Original Destination: Source Interface IP
Original Source Port: <blank>
Original Dest Port: HTTP
Translated Source: Destination Interface IP
Translated Destination: inside-server (an object you create for ipVM)
Translated Source Port: <blank>
Translated Destination Port: HTTP

Once that's done, Packets from the internet should be forwarded to your backend server - they will have a Source IP of FTDv's inside interface (ipIN) which is needed for the return path.

There are variations in how to do this but this is a good example.

(Also, Make sure no Network Security Groups on the NICs or Subnets are blocking your traffic of interest.)

Re: FTDv in Azure

patricia.guenther — Wed, 14 Mar 2018 20:47:31 GMT

Thank you! I just configured this NAT policy. One thing I am still confused about is the Azure route tables and how they work with the vFTD. A Cisco video that walked through an Azure setup process had me delete the default routes in the outside and inside Route Tables in Azure and configure one on the vFTD to point to the .1 IP of the outside subnet. The video indicated that once this was done the errors in FMC stating Gig0/0 and 0/1 would go away, but they haven't.

Off to test my NAT statement with a test RDP box. Will let you know if it worked.

Re: FTDv in Azure

ewaterwo — Wed, 14 Mar 2018 21:54:23 GMT

In general, the Azure route tables/UDRs determine what next-hop is used for any given packet. So for traffic you want to route through FTDv, you'd set a UDR route with a next-hop of the FTDv IP. Inside FTDv we set the route on a particular interface to make sure traffic leaves on that interface - and we use the ".1" as the gateway (the built-in Azure router IP on each subnet) so the packet gets handed to Azure routing. The packet will then be routed by whatever is in the UDRs on that subnet.

Re: FTDv in Azure

patricia.guenther — Thu, 15 Mar 2018 15:03:48 GMT

Ok that makes sense. If I follow you correctly then the vnet my outside interface sits in needs a UDR default route to the internet. FTD default route points to the .1 router of the outside vnet and right now there is no default route. I created a route to 0.0.0.0/0 to point to next hop of Internet. Correct?

This is very helpful!

Re: FTDv in Azure

ewaterwo — Thu, 15 Mar 2018 15:44:47 GMT

That sounds right... just to summarize (and add one short cut)

- FTDv would need a route to 0.0.0.0/0 over its "outside" interface with next hop ".1" on the outside subnet.

- Azure outside subnet already has a default route to the internet for 0.0.0.0/0 (all subnets do) so you shouldn't have to add any outside subnet UDR. (you only need to add a route when you want to override the default routing behaviors).

Some general info:

The Effective Routing Table on any subnet is a combination of automatically built in routes, UDRs, and routes from other sources. The most specific route wins (regardless of the source of the route) but UDR takes precedence in case of tie.

You can check the "effective routes" on a subnet by looking at a NIC on the subnet. There's an "effective route" option where you can see all the various routes in the table and where they came from.

Re: FTDv in Azure

patricia.guenther — Thu, 15 Mar 2018 18:57:35 GMT

We are connecting to Azure using Express Route so if I don't put a default route in the outside vnet it will take the one we are injecting via MPLS and Express Route.

Re: FTDv in Azure

ewaterwo — Thu, 15 Mar 2018 19:56:04 GMT

AH! ok.

In that case, it would be good to check the effective routes on the "inside" subnets. Make sure the route pointing to FTDv's "inside" interface wins in the "effective route table". You may need a UDR that is more specific than the routes learned from Express Route (via Azure BGP). Or you can turn off BGP propagation on the "inside" route table ( in "configuration")

Re: FTDv in Azure

patricia.guenther — Tue, 20 Mar 2018 16:28:08 GMT

So I have more info on this issue now. Topology is as follows:

inside host (10.15.10.5)--> Inside int FTD (10.15.10.4) --> outside int FTD (10.15.50.4) -- Azure Public IP for FTD interface.

Inside FTD route table has BGP Express route routes (including default) so I have configured a UDR of 0.0.0.0/0 pointing to 10.15.10.4.

FTD has a default route to 10.15.50.1 (Azure router IP)

Outside FTD route table is not receiving BGP routes from Express Route so the effective 0.0.0.0/0 route is coming from Azure and pointing to the Internet.

FTD has a NAT policy configured as:

NAT Rule: Auto NAT Rule

Type: Dynamic

Source Interface Object - Inside

Destination Interface Object - Outside

Translation Original Source: any-ip

Translation Pack: Destination Interface IP

I try to ping 8.8.8.8 and turned out debug icmp trace on the FTD CLI and I am seeing the source and destination interfaces are both the outside. How is this possible?

debug icmp trace enabled at level 255
firepower# ICMP echo request from Outside:10.15.10.5 to Outside:8.8.8.8 ID=1 seq=210 len=32
ICMP echo request from Outside:10.15.10.5 to Outside:8.8.8.8 ID=1 seq=211 len=32

My zones appear configured correctly and the vnets is Azure are assigned correctly.

the 10.15.10.0/24 (inside) vnet is assigned to vnic3 which is Gig0/1 and the 10.15.50.0/24 (outside) vnet is vnic2 which is Gi0/0.

Thoughts?