Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1404
Views
7
Helpful
29
Replies

Firepower 1010 Port Forward Struggle

Go to solution
Edgieace
Level 1
Level 1

‎07-28-2024 06:56 AM

Hi guys,

I have been struggling on this for days, I have a nginx web app running on my server(192.168.10.5) that I am trying to port forward it to be accessible on the internet. I was able to do a port forward easily if I were to do a direct connection from my computer -> switch -> ISP modem.

But if I put it behind the firewall (Firepower 1010 Series) I am struggling it always says that my port is closed.

The network diagram look like this(with only the vlan10 that is shown): 

Screenshot 2024-07-28 213405.png

this is the route table:

route.png

Access-list:

acl .png

NAT:

nat.png

I also encountered something that might be a factor on the problem, is that when I ping the firewall outside interface(192.168.1.8) from my server (192.168.10.5)  it result me in time out but I can ping the gateway(192.168.1.1) and other device that are connected on the ISP modem.

If I ping inside the firewall cli, I can ping everything all right. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-31-2024 03:13 AM

friend 
FYI in your case the real IP of server 192.168.10.5
mapped IP of server is interface (only port 80 for server)
do below config it will work 

FTD NAT issue.png

View solution in original post

29 Replies 29

Go to solution
MHM Cisco World
VIP
VIP

‎07-28-2024 07:06 AM

Can you run packet tracer for this traffic and share it here 

MHM

0 Helpful

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 07:29 AM

I tried packet-tracer on both the tcp and icmp protoctol but result into command execution failed. but I did a packet tracer on udp:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.8 using egress ifc outside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6858 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x1497286f8de0, priority=12, domain=permit, deny=false
hits=11724, user_data=0x14971ac33880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 192.168.10.5/12345 to 192.168.1.8/12345
Forward Flow based lookup yields rule:
in id=0x1497286c35c0, priority=6, domain=nat, deny=false
hits=1634724, user_data=0x1497292fbb40, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14972637f010, priority=0, domain=nat-per-session, deny=true
hits=1572321, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6858 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x149727e1cb80, priority=0, domain=inspect-ip-options, deny=true
hits=2544125, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 23250 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x149728bd41d0, priority=6, domain=nat-reverse, deny=false
hits=1633023, user_data=0x149728eba240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 86952 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-28-2024 10:16 AM - edited ‎07-28-2024 10:29 AM

Remove static NAT

And add below

Source interface:- IN

Destiantion interface:- OUT

Real

Source IP :- server private IP

Destiantion IP :- Any 

Source Port :- http

Mapped 

Source IP :- server public IP

Destiantion IP :- ANY

Source Port :- http

 

MHM

0 Helpful

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 03:20 PM

Thank you for this, but I tried it still not working, I am still encountering this connection log whenever I try to access my web app through my public ip.hmm.png

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-28-2024 03:24 PM

Share last NAT

And packet tracer (it direction must be from outside to inside)

MHM

0 Helpful

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 03:35 PM

show nat

Manual NAT Policies Implicit (Section 0)
1 (nlp_int_tap) to (inside) source static nlp_server__http_0.0.0.0_intf3 interface destination static 0_0.0.0.0_12 0_0.0.0.0_12 service tcp https https
translate_hits = 13905, untranslate_hits = 13910
2 (nlp_int_tap) to (inside) source static nlp_server__ssh_0.0.0.0_intf3 interface destination static 0_0.0.0.0_13 0_0.0.0.0_13 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source static nlp_server__ssh_::_intf3 interface ipv6 destination static 0_::_14 0_::_14 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_0.0.0.0_6proto22_intf3 interface destination static nlp_client_0_ipv4_14 nlp_client_0_ipv4_14 service nlp_client_0_6svc22_13 nlp_client_0_6svc22_13
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_::_6proto22_intf3 interface ipv6 destination static nlp_client_0_ipv6_16 nlp_client_0_ipv6_16 service nlp_client_0_6svc22_15 nlp_client_0_6svc22_15
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
2 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any-ipv4 interface
translate_hits = 1659656, untranslate_hits = 7197

 

packet-tracer input outside udp 192.168.1.8 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 35340 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 9300 ns
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 44640 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d087fbe flow (NA)/NA

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-28-2024 03:48 PM

Sorry 

Share NAT table from fmc(or fdm) not from cli

Also packet tracer do you use server real IP or mapped IP?

MHM

0 Helpful

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 04:57 PM

FDM nat table

natt.png

here is the packet tracer, using my mapped IP.

packet-tracer input outside udp 119.93.x.x 80 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 36270 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8680 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8680 ns
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 31155 ns
Config:
nat (inside,outside) after-auto source dynamic any-ipv4 interface
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 93465 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-28-2024 05:08 PM

packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80

You need to use tcp not udp for http traffic 

192.168.10.5 this server mapped IP?

MHM

0 Helpful

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 05:14 PM - edited ‎07-28-2024 05:15 PM

yes that's the server mapped IP.

this is the packet tracer result:

packet-tracer input outside tcp 119.93.x.x 12345 192.168.10.5 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 32085 ns
Config:
Additional Information:
Found next-hop 192.168.95.5 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8525 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8525 ns
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 33015 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 90675 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055719d090230 flow (NA)/NA

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Edgieace

‎07-28-2024 05:37 PM

packet-tracer input inside tcp  192.168.10.5 80 119.93.x.x 12345 <<- share this please 

Thanks 

MHM

Go to solution
Edgieace
Level 1
Level 1
In response to MHM Cisco World

‎07-28-2024 07:07 PM

thanks here it is:

> packet-tracer input inside tcp 192.168.10.5 80 119.93.x.x 12345

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 20460 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 20925 ns
Config:
Additional Information:
Found next-hop 192.168.1.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8137 ns
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc inside any any rule-id 268435459 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L7 RULE: block sites
object-group service |acSvcg-268435459
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:
Static translate 192.168.10.5/80 to 119.93.252.113/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8137 ns
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 27435 ns
Config:
nat (inside,outside) source static server-ip public-ip service _|NatOrigSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2 _|NatMappedSvc_4e505803-4d2d-11ef-8c7b-4d569e326dc2
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 101368 ns
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000055719d08fc89 flow (NA)/NA

0 Helpful

Go to solution
Edgieace
Level 1
Level 1

‎07-29-2024 11:30 AM

192.168.10.5(server private ip) belongs to the VLAN 10 network that I have created on the switch, where the 1st port of the sw is being trunked(vlan1). and the 2nd port(access/vlan10) is connected to the firewall(eth1/2), and in the firewall the eth1/2 belongs to the default vlan1 interface where the eth1/2 is being trunked. below are the configuration I have on my fdm. routing.pngvlan.pnginterface.png

 

Customers Also Viewed These Support Documents