07-10-2018 11:15 AM - edited 02-21-2020 07:58 AM
I recently purchased a 5506-X FTD firewall and am having difficulties enabling outside-inside traffic. I want to allow OpenVPN traffic (port 1194). I opened port 1194 on the outside i/f as shown in the attached screenshot. I then tried a packet trace:
> packet-tracer input outside udp 8.8.8.8 3344 76.14.82.204 1194
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 76.14.82.204 using egress ifc identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
>
I don't understand why access control denies the connection, since I thought I enabled the correct port. Any help would be greatly appreciated.
07-10-2018 11:39 AM
OpenVPN should be under destination protocol, not source. If you are using 1194 as the source port as well from the outside, then this would work. I don't think this is the case, though, as random ports would be used as source ports.
07-10-2018 03:06 PM
07-11-2018 05:39 AM
Do you have a screenshot of the updated rule? Also run the packet tracer again after you have changed the port to destination in the policy.
07-11-2018 08:23 AM
07-11-2018 12:56 PM
Try to reorder your NAT, so the static NAT is #1.
07-11-2018 01:14 PM
That solved the problem. Thanks very, very much!! Just so I understand: the problem was that when static rules are searched a match on either source or destination selects the rule? In my case, the inside1_2 rule was chosen because it appeared earlier in the list?
07-11-2018 01:22 PM
I meant when the manual rules are searched ...
07-11-2018 10:59 PM
I am glad I could help.
Yes, the rules are matched top-down, so your inside1_2 rule took precedence.
There are a couple of ways of configuring NAT, but the main rule to remember is that they are matched top-down.
But if you need a little reading, here is a link on NAT in FDM. :)
Have a good day.
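The top-down matching described in this answer, as an added toy model that is not from the thread or from Cisco: the inside subnet, the OpenVPN server's real address 192.168.1.10 and the rule names are assumptions; the outside address 76.14.82.204 and udp/1194 come from the packet-tracer output above. It shows why a dynamic PAT rule listed first swallows the inbound lookup (no untranslation, egress "identity", implicit deny), and why moving the static rule to #1 lets the flow be untranslated and matched by the access rule.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

OUTSIDE_IP = ip_address("76.14.82.204")      # outside interface address (from the thread)
OPENVPN_HOST = ip_address("192.168.1.10")    # assumed real address of the OpenVPN server
INSIDE_NET = ip_network("192.168.1.0/24")    # assumed inside subnet behind inside1_2

@dataclass(frozen=True)
class NatRule:
    name: str
    real_iface: str
    mapped_iface: str
    real_net: IPv4Network      # real (inside) addresses the rule translates
    mapped_addr: IPv4Address   # address they appear as on the mapped side
    static: bool               # static = bidirectional; dynamic PAT = outbound only

@dataclass(frozen=True)
class Flow:
    in_iface: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int

# Assumed rules: interface PAT for the whole inside subnet, and a static one for the server
INSIDE1_2 = NatRule("inside1_2", "inside", "outside", INSIDE_NET, OUTSIDE_IP, static=False)
OPENVPN_STATIC = NatRule("openvpn_static", "inside", "outside",
                         ip_network("192.168.1.10/32"), OUTSIDE_IP, static=True)

def reverse_match(rule, flow):
    """An inbound packet on the mapped interface matches a rule through its mapped address."""
    return flow.in_iface == rule.mapped_iface and flow.dst == rule.mapped_addr

def trace(rules, flow):
    """Toy packet-tracer: first matching NAT rule wins, then the access policy is checked."""
    nat_hit, egress, real_dst = "none", "identity", flow.dst
    for rule in rules:                      # top-down, first match only
        if reverse_match(rule, flow):
            nat_hit = rule.name
            if rule.static:                 # only a static rule can untranslate an inbound flow
                egress, real_dst = rule.real_iface, rule.real_net[0]
            break                           # a dynamic PAT hit still ends the search
    # Assumed access policy: only udp/1194 to the OpenVPN server's real address is allowed;
    # anything still addressed to the box itself falls through to the implicit deny
    allowed = (egress == "inside" and real_dst == OPENVPN_HOST
               and (flow.proto, flow.dport) == ("udp", 1194))
    return {"nat_rule": nat_hit, "egress": egress, "real_dst": str(real_dst),
            "action": "allow" if allowed else "drop"}

PROBE = Flow("outside", ip_address("8.8.8.8"), OUTSIDE_IP, "udp", 1194)  # thread's packet-tracer input
```

Calling trace([INSIDE1_2, OPENVPN_STATIC], PROBE) reproduces the drop; trace([OPENVPN_STATIC, INSIDE1_2], PROBE) is the reordered policy that allows the flow.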
07-11-2018 03:59 AM
How does your NAT look?
Assuming that you have a private IP address on the inside network, you have to translate your OpenVPN address.
Once the NAT is correctly implemented, you have to use the destination port as previously mentioned.
07-11-2018 08:15 AM