07-28-2024 06:56 AM
Hi guys,
I have been struggling with this for days. I have an nginx web app running on my server (192.168.10.5) that I am trying to port forward so that it is accessible from the internet. I was able to do a port forward easily with a direct connection from my computer -> switch -> ISP modem.
But if I put it behind the firewall (Firepower 1010 Series) I struggle; it always says that my port is closed.
The network diagram looks like this (with only VLAN 10 shown):
this is the route table:
Access-list:
NAT:
I also encountered something that might be a factor in the problem: when I ping the firewall outside interface (192.168.1.8) from my server (192.168.10.5) it times out, but I can ping the gateway (192.168.1.1) and other devices that are connected to the ISP modem.
If I ping from inside the firewall CLI, I can ping everything all right.
07-31-2024 03:13 AM
Friend,
FYI, in your case the real IP of the server is 192.168.10.5 and
the mapped IP of the server is the interface (only port 80 for the server).
Do the config below and it will work.
07-28-2024 07:06 AM
Can you run packet tracer for this traffic and share it here?
MHM
07-28-2024 07:29 AM
I tried packet-tracer with both the tcp and icmp protocols but it resulted in "command execution failed". But I did a packet tracer on udp:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.8 using egress ifc outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6858 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x1497286f8de0, priority=12, domain=permit, deny=false
hits=11724, user_data=0x14971ac33880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 192.168.10.5/12345 to 192.168.1.8/12345
Forward Flow based lookup yields rule:
in id=0x1497286c35c0, priority=6, domain=nat, deny=false
hits=1634724, user_data=0x1497292fbb40, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14972637f010, priority=0, domain=nat-per-session, deny=true
hits=1572321, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x149727e1cb80, priority=0, domain=inspect-ip-options, deny=true
hits=2544125, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 23250 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x149728bd41d0, priority=6, domain=nat-reverse, deny=false
hits=1633023, user_data=0x149728eba240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 86952 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA
07-28-2024 10:16 AM - edited 07-28-2024 10:29 AM
Remove the static NAT
and add the below:
Source interface: IN
Destination interface: OUT
Real
Source IP: server private IP
Destination IP: Any
Source Port: http
Mapped
Source IP: server public IP
Destination IP: ANY
Source Port: http
MHM
07-28-2024 03:20 PM
Thank you for this, but I tried it and it is still not working; I am still encountering this connection log whenever I try to access my web app through my public IP.
07-28-2024 03:24 PM
Share the last NAT
and packet tracer (its direction must be from outside to inside).
MHM
07-28-2024 03:35 PM
> show nat
Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_0.0.0.0_intf3 interface destination static 0_0.0.0.0_12 0_0.0.0.0_12 service tcp https https
translate_hits = 13905, untranslate_hits = 13910
2 (nlp_int_tap) to (inside) source static nlp_server__ssh_0.0.0.0_intf3 interface destination static 0_0.0.0.0_13 0_0.0.0.0_13 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source static nlp_server__ssh_::_intf3 interface ipv6 destination static 0_::_14 0_::_14 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_0.0.0.0_6proto22_intf3 interface destination static nlp_client_0_ipv4_14 nlp_client_0_ipv4_14 service nlp_client_0_6svc22_13 nlp_client_0_6svc22_13
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_::_6proto22_intf3 interface ipv6 destination static nlp_client_0_ipv6_16 nlp_client_0_ipv6_16 service nlp_client_0_6svc22_15 nlp_client_0_6svc22_15
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 1659656, untranslate_hits = 7197
> packet-tracer input outside udp 192.168.1.8 80 192.168.10.5 80
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 35340 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 9300 ns
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 44640 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d087fbe flow (NA)/NA
07-28-2024 03:48 PM
Sorry,
share the NAT table from FMC (or FDM), not from the CLI.
Also, in packet tracer do you use the server real IP or the mapped IP?
MHM
07-28-2024 04:57 PM
FDM NAT table
Here is the packet tracer, using my mapped IP.
> packet-tracer input outside udp 119.93.x.x 80 192.168.10.5 80
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8680 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 31155 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 93465 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA
07-28-2024 05:08 PM
packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80
You need to use tcp, not udp, for http traffic.
Is 192.168.10.5 the server mapped IP?
MHM
07-28-2024 05:14 PM - edited 07-28-2024 05:15 PM
Yes, that's the server mapped IP.
This is the packet tracer result:
> packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 32085 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8525 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 33015 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 90675 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA
07-28-2024 05:37 PM
packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 12345 <<- share this please.
Thanks
MHM
07-28-2024 07:07 PM
Thanks, here it is:
> packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 20460 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 20925 ns
Config:
Additional Information:
Found next-hop 192.168.1.1 using egress ifc outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8137 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:
Static translate 192.168.10.5/80 to 119.93.252.113/80
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27435 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 101368 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA
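The traces in this thread are easy to misread by eye, because the phase that says DROP is not always the one that explains the final Action. As an added troubleshooting aid (my own code, not part of the thread and not a Cisco tool), the parser below splits packet-tracer output into per-phase records, picks out the first phase whose Result is DROP together with the Config line it was evaluated against, and falls back to the final Drop-reason when every phase allowed but the Action is still drop (the inside-to-outside case above). The sample trace is constructed and abbreviated from the outside-to-inside trace posted earlier (service names shortened, frame address zeroed), and the rpf-check hint text is my summary of what that check verifies, consistent with MHM's question about real versus mapped IP.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: abbreviated from the outside->inside trace in the thread.
SAMPLE_TRACE = """\
packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 3
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static server-ip public-ip service svc-orig svc-mapped
Additional Information:
Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Time Taken: 90675 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into per-phase records plus the final verdict."""
    trace = Trace()
    current: Optional[Phase] = None
    section: Optional[str] = None        # multi-line block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if line == "Result:":             # a bare "Result:" opens the summary block
            current, section = None, None
        elif key == "Phase":
            current = Phase(number=int(value))
            trace.phases.append(current)
            section = None
        elif key == "Action":
            trace.action = value
        elif key == "Drop-reason":
            trace.drop_reason = value
        elif current is None:
            continue                      # command echo or summary lines we do not need
        elif key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif key == "Elapsed time":
            section = None
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return trace


def first_drop_phase(trace: Trace) -> Optional[Phase]:
    """The first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


# Hint keyed on the dropping phase's subtype (my own summary, an assumption for
# this example): rpf-check fails when the reverse NAT lookup does not match.
HINTS = {
    "rpf-check": ("reverse NAT lookup did not match the server's rule: from outside, "
                  "trace against the mapped (public) address, not the real address"),
}


def diagnose(trace: Trace) -> str:
    p = first_drop_phase(trace)
    if p is not None:
        cfg = " | ".join(p.config) or "implicit rule"
        hint = HINTS.get(p.subtype)
        msg = f"dropped in phase {p.number} {p.type}/{p.subtype or '-'} ({cfg})"
        return f"{msg}: {hint}" if hint else msg
    if trace.action == "drop":
        return f"every phase allowed but final action is drop: {trace.drop_reason}"
    return "allowed"


if __name__ == "__main__":
    print(diagnose(parse_packet_tracer(SAMPLE_TRACE)))
```

Paste a real trace into `parse_packet_tracer` (for example by reading it from a file) and compare the phase the parser reports against the NAT rule it names; for the thread's outside-to-inside trace it points at the rpf-check phase and the static NAT rule, which matches the accepted answer that the server's mapped address should be the outside interface rather than 192.168.10.5.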
07-29-2024 10:58 AM
07-29-2024 11:30 AM
192.168.10.5 (server private IP) belongs to the VLAN 10 network that I have created on the switch, where the 1st port of the switch is trunked (VLAN 1) and the 2nd port (access/VLAN 10) is connected to the firewall (eth1/2); on the firewall, eth1/2 belongs to the default VLAN 1 interface where eth1/2 is trunked. Below is the configuration I have on my FDM.