Newbie Question

MorrisJM
Level 1

I recently purchased a 5506-X FTD firewall and am having difficulties enabling outside-inside traffic. I want to allow OpenVPN traffic (port 1194) . I opened port 1194 on the outside i/f as shown in the attached screen shot. I then tried a packet trace:

 

> packet-tracer input outside udp 8.8.8.8 3344 76.14.82.204 1194

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 76.14.82.204 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

>

 

I don't understand why access control denies the connection, since I thought I enabled the correct port. Any help would be greatly appreciated.
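As an added example (not code from the original post or from Cisco): a small Python parser for the packet-tracer output shown above, which reports the phase that dropped the flow and whether the egress was the identity interface, the symptom that goes with the NAT-order problem discussed further down the thread.

```python
# Added example (not from the thread): parse "packet-tracer" output and locate the
# phase that dropped the flow. SAMPLE is the question's transcript, abridged.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: NAT
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Per-phase dicts plus the final 'Result:' block; 'Key: value' lines become
    entries, colon-less lines (rule names, next-hop notes) go under 'notes'."""
    phases, summary, current = [], {"notes": []}, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"Phase": line.split(":", 1)[1].strip(), "notes": []}
            phases.append(current)
        elif line.strip() == "Result:":  # the final summary block starts here
            current = summary
        elif current is not None and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            current[key] = val
        elif current is not None and line.strip():
            current["notes"].append(line.strip())
    return phases, summary

def verdict(text):
    """(phase, type, drop_reason, to_box) for the first DROP phase, else None.
    to_box: egress 'NP Identity Ifc' means the firewall treated the packet as
    addressed to itself, i.e. no static NAT untranslated it to an inside host."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    if drop is None: return None
    return (drop["Phase"], drop["Type"], summary.get("Drop-reason", ""),
            summary.get("output-interface") == "NP Identity Ifc")
```

Re-running the trace after a NAT change and checking that verdict() returns None, with an egress interface other than the identity interface, is a quick way to confirm the rule change actually took effect.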


10 Replies

Rahul Govindan
VIP Alumni

OpenVPN should be under destination protocol, not source. If you are using 1194 as source port as well from the outside, then this would work. I don't think this is the case though as random ports would be used as source ports. 

Thanks for your reply. I tried OpenVPN as the destination port with source port ANY and I tried OpenVPN as both source and destination port. In both cases I got the same result as before.

Do you have a screenshot of the updated rule? Also run the packet tracer again after you have changed the port to destination in the policy.

Thanks for your response. Attached is the screen shot for the updated rule.

Try to reorder your NAT, so the static NAT is #1.

 

That solved the problem. Thanks very, very much!! Just so I understand: the problem was that when static rules are searched a match on either source or destination selects the rule? In my case, the inside1_2 rule was chosen because it appeared earlier in the list?

I meant when the manual rules are searched ...

I am glad I could help.

 

Yes, the rules are matched top-down, so your inside1_2 rule took precedence.

 

There are a couple of ways of configuring NAT, but the main rule to remember is that they are matched top-down.

 

But if you need a little reading, here is a link on NAT in FDM. :)

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/fdm/fptd-fdm-config-guide-610/fptd-fdm-nat.html#ID-2090-000000b5

 

Have a good day.

Jesper Erbs
Level 1

How does your NAT look? 

 

Assuming that you have a private IP address on the inside network, then you have to translate your OpenVPN address. 

 

Once the NAT is correctly implemented, you have to use the destination port as previously mentioned.

 

 

Thanks for your reply. The NAT configuration is attached.
