Firepower 1010 Port Forward Struggle

Edgieace
Level 1

Hi guys,

I have been struggling with this for days. I have an nginx web app running on my server (192.168.10.5) that I am trying to port forward so it is accessible from the internet. I was able to do a port forward easily with a direct connection from my computer -> switch -> ISP modem.

But if I put it behind the firewall (Firepower 1010 Series), I am struggling: it always says that my port is closed.

The network diagram looks like this (with only vlan10 shown):

Screenshot 2024-07-28 213405.png

this is the route table:

route.png

Access-list:

acl .png

NAT:

nat.png

I also encountered something that might be a factor in the problem: when I ping the firewall outside interface (192.168.1.8) from my server (192.168.10.5), it results in a timeout, but I can ping the gateway (192.168.1.1) and other devices that are connected to the ISP modem.

If I ping from inside the firewall CLI, I can ping everything all right.

29 Replies

So the real server IP is 192.168.10.5 and it must be mapped to 192.168.1.5?
If that is the config, then it is correct,
but I think you swapped the IPs, because when I asked if 192.168.10.5 is the mapped IP you said Yes!!

MHM

Edgieace
Level 1

I see,

when I added this NAT:

add-nat.png

and did a

packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 80

it was successful

but when I packet-traced from outside, it resulted in this:

packet-tracer input outside tcp 119.93.x.x 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 40455 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 7672 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc outside any ifc inside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: allow-http-to-server
object-group service |acSvcg-268435464
service-object tcp source eq www destination eq www
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 7672 ns
Config:
nat (outside,inside) source static public-ip server-ip service _|NatOrigSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d _|NatMappedSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d
Additional Information:
Static translate 119.93.x.x/80 to 192.168.10.5/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7672 ns
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 7672 ns
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27435 ns
Config:
nat (outside,inside) source static public-ip server-ip service _|NatOrigSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d _|NatMappedSvc_c384fbb1-4eee-11ef-8c7b-8bb6b4c8733d
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 98578 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA
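The packet-tracer output above is easier to act on once it is reduced to its verdict and NAT hits. The following is an added Python parser (not from the original thread and not a Cisco tool) that splits a trace into per-phase records plus the final Result block, then surfaces the action, the drop code, the egress interface, any NAT translation and any phase that did not return ALLOW. The embedded trace is a constructed excerpt modelled on the one above, with a documentation address in place of the public IP and most phases left out for brevity.

```python
import re

# Constructed excerpt of an FTD packet-tracer run, modelled on the thread's (doc IP, fewer phases).
SAMPLE = """\
Phase: 3
Type: NAT
Result: ALLOW
Config:
nat (outside,inside) source static public-ip server-ip service http http
Additional Information:
Static translate 203.0.113.10/80 to 192.168.10.5/80

Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x0 flow (NA)/NA
"""
SECTIONS = {"Config:": "config", "Additional Information:": "info"}

def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per Phase block plus the final Result block."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *rest = block.splitlines()
        if head.startswith("Result:"):   # final verdict block, all "key: value" lines
            verdict = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in rest)}
            continue
        phase, section = {"phase": int(head.split(":")[1]), "config": [], "info": []}, None
        for line in rest:
            if line in SECTIONS:         # section header: lines below it belong to that section
                section = SECTIONS[line]
            elif section:
                phase[section].append(line.strip())
            else:                        # Type / Subtype / Result / Elapsed time
                key, _, val = line.partition(":")
                phase[key.strip().lower()] = val.strip()
        phases.append(phase)
    return phases, verdict

def summarize(text):
    phases, verdict = parse_packet_tracer(text)
    code = re.match(r"\((\S+)\)", verdict.get("drop-reason", ""))
    return {
        "action": verdict.get("action"),
        "egress": verdict.get("output-interface"),
        "drop_code": code.group(1) if code else None,
        "failed_phases": [f"{p['phase']} {p['type']}" for p in phases if p.get("result") != "ALLOW"],
        "translations": [l for p in phases if p["type"] == "NAT" for l in p["info"] if "translate" in l],
    }
```

On the sample this reports every phase as ALLOW yet an overall drop with code sp-security-failed, which is exactly the pattern worth checking against the direction and addresses given to packet-tracer.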


Based on your diagram and the dynamic NAT config on the FTD, it looks like the public IP address is assigned to the ISP modem, and you're doing port forwarding there as well to make this chain work?

If so, what is the port-forwarding setup in the ISP modem, is that public IP -> 192.168.10.5?
If so, assuming that the ISP modem has a route for 192.168.10.0/24 -> 192.168.1.8, the only NAT you would need on the FTD device would be a static NAT from 192.168.10.5 <-> 192.168.10.5 (since the dynamic NAT is going to cover everything else).

If the ISP modem does not have a route for 192.168.10.0/24, the config on the FTD should be a NAT from 192.168.10.5 -> 192.168.1.x, either the interface address or any other address on that network, and that address should then be the one referenced in the port forwarding config in the ISP modem.

Unless you can get the public IP (119.93.x.x) routed from the ISP modem down to the FTD device, you would not be referencing the public IP on the FTD device.

So if you can clarify this part of the setup it would help in seeing which config is needed for this to work.


Hi Jonathan, yes, the port forwarding that is set up on the ISP modem is this:

Public: 119.93.x.x port 80 -> Private: 192.168.1.8 port 80 (Firewall Outside Interface IP)

since the ISP modem does not have a route for 192.168.10.0/24.

The problem I have is that when I ping from my server (192.168.10.5) to 192.168.1.8, it times out. I tried to create an inside,outside NAT for 192.168.10.5 -> 192.168.1.8, but the deployment failed; it says that it overlaps with the outside interface address.


Friend,
FYI, in your case the real IP of the server is 192.168.10.5,
and the mapped IP of the server is the interface (only port 80 for the server).
Do the config below and it will work.

FTD NAT issue.png

Ah ok.

With the default config, it's normal that you would not be able to ping from 192.168.10.5 to 192.168.1.8.
(i.e. traffic from the "inside" zone cannot directly contact the IP address of the egress interface by default.)
So don't worry about that at this point.

While you can't do a static NAT to 192.168.1.8, you can do a port-based NAT to the interface.
For reference, I've attached 2 screenshots showing a similar NAT on my 1010 FTD.
So your NAT config could be:

Original packet:
Source interface: inside
source address: 192.168.10.5
source port: HTTP

Translated packet:
Destination interface: outside
source address: interface
source port: HTTP

(and then repeat for HTTPS/443)

JonatanJonasson_0-1722420817204.png

JonatanJonasson_1-1722420919766.png


Edgieace
Level 1

Hi guys, thank you so much for the solutions. I tried to do the same configuration, and the packet tracer result now shows that the packet was able to go through. I tried to packet trace both inside and out, and it works now. The only problem I have now is that when I access the nginx web app on my server externally (outside network) using the public IP, I still get "site can't be reached" or "it refused to connect".

I looked at the event viewer in FDM and I don't see any logs that I tried to connect. I was thinking that this is probably the ISP blocking port 80? (But my connection is already a business type.) Because when I try to do an nmap on my public IP externally, this is what I get:

nmap.png

and if I nmap the public IP from my server, this is what I get:

nmap-server.png

Thank you both for your responses again; it sheds some light, it was very helpful!

Which solution did you use, 1 or 2?

MHM

The recent one you posted.

Sorry, but which one: using the interface or using 192.168.1.5?

Did you check the modem NAT, is it configured correctly?

If the modem supports NAT, I think it also supports opening/closing ports. Did you check that port 80 is open?

Are you sure it is the same public IP the modem gets from the ISP?

MHM

The one that is using the interface.

Yes, the modem NAT is pretty much correct.

Public IP: 119.93.x.x Port: 80 -> Private IP: 192.168.1.8 Port: 80

And yes, I get the same public IP on the modem from the ISP.

Are you sure port 80 is open in the modem?

Can I see the ACL of the FTD you use for this traffic?

MHM

Yes.

These are my current ACLs:

acl-list.png


Edgieace
Level 1

Hi guys, I successfully did a port forward on my web app, and it's all working now. Thank you for the solutions you provided; they helped a lot with both my NAT and ACL configurations. On my last problem, there seemed to be a problem with my ISP, so I had them put my modem in bridge mode and put in a third-party router where I could port forward peacefully, and everything works now. Thank you.