12-06-2022 09:18 AM
Hello
FPR1010 - x.x.x.182
|
|
192.168.5.9 LAN Device w/ SSH Port 23 (it seems if I use 22 it goes to FPR1010 directly.)
I made a NAT; inside_2 192.168.5.9 any ssh-23 any outside any ssh-23 any (Manual NAT, Dynamic, above inside_2)
I made ACL; outside any any inside_2 192.168.5.9 ssh-23 any any any
Does not work... Just times out. But, on the LAN, I can connect so SSH-23 is indeed active. Any help!
12-06-2022 10:16 AM
Is the end device listening on port 23?
I would suggest using a non-standard port like 2222 (rather than 23) and testing it.
12-06-2022 10:35 AM
Hello, yes it was (Host) set for 23. I did as said, changed Host SSH to 2222 and then changed my ACL/NAT to 2222. But still it times out.
The ACL/NAT I mentioned, I have no idea if they are indeed accurate.
12-06-2022 01:43 PM
Are you using FDM to configure? (Because the commands you posted are a bit confusing, I suggest looking at the links below):
https://www.petenetlive.com/KB/Article/0001680 (this is for port 80 you can do same way )
https://community.cisco.com/t5/network-security/cisco-firepower-1010-port-forwarding/td-p/3986167
12-07-2022 01:12 AM
Hello,
--> I made a NAT; inside_2 192.168.5.9 any ssh-23 any outside any ssh-23 any (Manual NAT, Dynamic, above inside_2)
I cannot really figure out what you mean by that, but make sure that the static NAT entry is at the top of the list of NAT entries.
01-18-2023 10:15 AM
Just cannot get this to work, it blows my mind.
I have a device 192.168.5.9 running SSH Port 23
I have a WAN of x.x.x.182.
I want INCOMING WAN 23 TO GO TO LAN 192.168.5.9 23.
How is this so difficult?
Yes, I followed that link example to the T! Any more to the T and I'd burn a hole.
It seems over the years, when I explain my situation no one understands what I am saying, so
I just want NAT/ACL for WAN x.x.x.182 to LAN 192.168.5.9 on Port 23 SSH.
01-18-2023 01:28 PM
Thank you for the very quick turnaround reply:
Even if you come back next year, my suggestion for your question is the same: you did not answer my question, which would help you.
Are you using FDM to configure? (Because the commands you posted are a bit confusing, I suggest looking at the links below):
https://www.petenetlive.com/KB/Article/0001680 (this is for port 80 you can do same way )
https://community.cisco.com/t5/network-security/cisco-firepower-1010-port-forwarding/td-p/3986167
I will add, on top of that, some more ideas for you to fix this.
1. Have you tested 192.168.5.9 running SSH on port 23 (locally, from the 192.168.5.X network, is port 23 working?)? You mentioned the host is set for 23; what does that mean? What are you running on port 23, Telnet?
- Have you tested it and is it working? Can you post the output from a local LAN PC connected to 192.168.5.9 running SSH on port 23:
telnet 192.168.5.9 23 (post the screenshot here)
- Does your ISP allow incoming connections on port 23?
When you connect from the internet to WAN x.x.x.182 port 23, do you see the logs in FTD? What do they say?
If possible, run a packet capture: is the request reaching the outside of the FTD?
01-18-2023 01:54 PM
Hello
I am using [latest] FDM.
I have indeed connected to 192.168.5.9:23 locally, no issues.
It is Telnet SSH, P 23. (I use 23 because the FPR1010 itself uses 22 and if I use 22, it directs me to the FPR, but not THROUGH the FPR. Apparently neither does setting it to 23.)
I have not made any logs for LAN to LAN port 23 connectivity, but I did verify it works.
I have verified only 25 is the blocked Port from my ISP.
As far as logs/capture on the FTD (FDM) I have never done that, so.
Those 2 links, I assure you I did exactly what they said, changing port 80 to my 23.
01-18-2023 02:32 PM - edited 01-18-2023 02:35 PM
Thank you for the clarification.
Now we know it is working locally on port 23, and I take it you tested that.
As you mentioned, when you tried the WAN IP on port 22 you connected to the FTD, which shows the incoming request reaches your network.
Since you made the NAT and ACL as suggested in the document,
now we need to check or do a packet capture on the FTD to see whether the packet is reaching it and what is stopping the port forward.
Can you do that and post the logs for us to look at?
Also, can you post screenshots for us to verify? (I am sure there is a small bit missing for yours to work.)
Also check the NAT translation: show nat translation (when you initiate the connection).
01-18-2023 02:39 PM
I honestly have no idea how to capture... And you mean pics of both my ACL and NAT?
01-18-2023 04:03 PM - edited 01-18-2023 04:05 PM
01-19-2023 01:28 AM
Hello,
reading through your post again, it indeed is very straightforward what you want to do. I wonder if the SSH works the other way (from your 192.168.5.9 device, using TCP port 23, to the outside) ?
You can use the 'packet-tracer' command to see what the traffic flow is (and hopefully, where it is blocked). It should look like below:
packet-tracer input outside tcp outside_ip_address 23 192.168.5.9 23 detailed
packet-tracer input inside tcp 192.168.5.9 23 outside_ip_address 23 detailed
Can you post whatever output these two commands generate ?
01-19-2023 07:49 AM
Below are both results... What stood out to me, besides "deny", was the second result's "additional information".
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
I did not mention this mainly because I forgot, but also because I really did not see it as an issue, but maybe it is.
FPR1010 - x.x.x.182 WAN/FPR
- 192.168.1.0/24 LAN
I have a 192.168.5.0 subnet on an SG500X switch VLAN 1 which uses PBR via 192.168.1.2 GE1/1 to reach back to the FPR.
On the FPR I do have an ip route '192.168.5.0 255.255.255.0 192.168.1.2'
On the SG, I have the 192.168.5.0 network so EVERY device can communicate, but 5 of those IP's have STATIC NAT to their respective WAN Static IP's while the remaining subnet on 192.168.5.0 use the FPR x.x.x.182 for their Internet (192.168.5.66 included).
192.168.5.66 (I changed it from 9 thinking maybe that IP was in a funk) is a device connected to the SG500X which uses a PBR Route back to the FPR via 192.168.1.2.
So, from outside, if I were to connect it would be like this:
SSH user@x.x.x.182 - 192.168.1.2 - 192.168.5.66. And like I said, I have a route TO the 192.168.5.0 network on the SG through the 192.168.1.2 (192.168.1.0 being the FPR subnet).
Using my current setup I have less than zero issues with my 4 other servers and their own WAN IP's connecting in and out. It just seems that the IP on the SG that uses the FPR WAN IP does not let me. Anyway, I can answer more questions if need be but I hope the results I posted are enough data.
packet-tracer input outside tcp x.x.x.182 23 192.168.5.66 23 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 19530 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1524a7f7bb10, priority=1, domain=permit, deny=false
hits=407431824, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 19995 ns
Config:
Additional Information:
Found next-hop 192.168.1.2 using egress ifc inside(vrfid:0)
Phase: 3
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5115 ns
Config:
Additional Information:
Found next-hop 192.168.1.2 using egress ifc inside(vrfid:0)
Phase: 4
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 2790 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.1.2 on interface inside
Adjacency :Active
MAC address 40a6.e8ff.1e41 hits 270735 reference 68
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 11315 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1524aa1572c0, priority=501, domain=permit, deny=true
hits=5, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=x.x.x.182, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 58745 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005609f726525d flow (NA)/NA
-----------------------------------------------------------------------------------------------------
packet-tracer input inside_2 tcp 192.168.5.66 23 x.x.x.182 23 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 18600 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1524a8542110, priority=1, domain=permit, deny=false
hits=227570150, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_2, output_ifc=any
Phase: 2
Type: Pix security check
Subtype:
Result: ALLOW
Elapsed time: 19065 ns
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Phase: 3
Type: Pix security check
Subtype:
Result: ALLOW
Elapsed time: 6975 ns
Config:
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: inside_2(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Time Taken: 44640 ns
Drop-reason: (no-route) No route to host, Drop-location: frame 0x00005609f726eed5 flow (NA)/NA
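The two traces above (and the packet-tracer commands suggested earlier in the thread) can be summarised mechanically. The following Python parser is an added example; it is not code from the thread or from Cisco. The two embedded traces are abridged copies of the output posted above (phases that do not affect the verdict are left out), and x.x.x.182 is taken as the firewall's outside address as stated at the top of the thread. Run over the first trace it reports a drop in phase 5 (acl-drop) by an implicit rule matching source x.x.x.182/32, which is the firewall's own outside address and also the source address the packet-tracer command was run with; the second trace ends with no-route and no phase marked DROP.

```python
"""Parse 'packet-tracer ... detailed' output from a Cisco ASA/FTD and report where
and why the packet was dropped.  Added example, not code from the thread; the two
sample traces are abridged copies of the output posted above."""
import re

TRACE_OUTSIDE_IN = """\
packet-tracer input outside tcp x.x.x.182 23 192.168.5.66 23 detailed
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Additional Information:
in id=0x1524a7f7bb10, priority=1, domain=permit, deny=false
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Result: ALLOW
Additional Information:
Found next-hop 192.168.1.2 using egress ifc inside(vrfid:0)
Phase: 5
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x1524aa1572c0, priority=501, domain=permit, deny=true
src ip/id=x.x.x.182, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any
Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005609f726525d flow (NA)/NA
"""

TRACE_INSIDE_OUT = """\
packet-tracer input inside_2 tcp 192.168.5.66 23 x.x.x.182 23 detailed
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: Pix security check
Result: ALLOW
Additional Information:
PIX security check: user is not allowed to access a firewall
interface from a network that is connected to another interface
Result:
input-interface: inside_2(vrfid:0)
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x00005609f726eed5 flow (NA)/NA
"""

SKIP_KEYS = {"Subtype", "Elapsed time", "Config", "Additional Information"}


def parse_packet_tracer(text):
    """Split a trace into its numbered phases and the final verdict block."""
    trace = {"command": None, "phases": [], "action": None,
             "drop_reason": None, "egress": None}
    phase, in_verdict = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if line.startswith("packet-tracer "):
            trace["command"] = line
        elif key == "Phase":
            phase = {"number": int(value), "type": "", "result": "", "info": []}
            trace["phases"].append(phase)
        elif line == "Result:":                  # a bare 'Result:' opens the verdict block
            phase, in_verdict = None, True
        elif phase is not None:
            if key == "Type":
                phase["type"] = value
            elif key == "Result":
                phase["result"] = value
            elif key not in SKIP_KEYS:
                phase["info"].append(line)        # matched rule, next-hop, adjacency...
        elif in_verdict:
            if key == "Action":
                trace["action"] = value
            elif key == "output-interface":
                trace["egress"] = value
            elif key == "Drop-reason":
                m = re.match(r"\((\S+)\)", value)  # e.g. '(acl-drop) Flow is denied ...'
                trace["drop_reason"] = m.group(1) if m else value
    return trace


def drop_summary(trace):
    """(dropping phase number, drop reason, source the dropping rule matched)."""
    drop_phase = next((p for p in trace["phases"] if p["result"] == "DROP"), None)
    matched_src = None
    if drop_phase:
        for line in drop_phase["info"]:
            m = re.search(r"src ip/id=(\S+), mask=(\S+),", line)
            if m:
                matched_src = f"{m.group(1)}/{m.group(2)}"
    return (drop_phase["number"] if drop_phase else None,
            trace["drop_reason"], matched_src)


def source_is_firewall_address(trace, firewall_addrs):
    """True when the trace used one of the firewall's own interface addresses as
    the packet source; the posted trace shows such a packet hitting an implicit deny."""
    src = trace["command"].split()[4]   # packet-tracer input IFC PROTO SRC SPORT DST DPORT
    return src in firewall_addrs


if __name__ == "__main__":
    for text in (TRACE_OUTSIDE_IN, TRACE_INSIDE_OUT):
        t = parse_packet_tracer(text)
        print(t["command"])
        print("  action:", t["action"], "| (phase, reason, matched src):", drop_summary(t))
        # x.x.x.182 is the (masked) outside address given at the top of the thread
        print("  source is a firewall address:", source_is_firewall_address(t, {"x.x.x.182"}))
```

When testing an inbound port forward with packet-tracer, the source should be an arbitrary external address rather than the firewall's own: the implicit rule that dropped the first trace matches only x.x.x.182/32, so a trace sourced from that address says nothing about the NAT and access rules a real client would hit.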
01-19-2023 09:06 AM
Hello,
--> Drop-reason: (acl-drop) Flow is denied by configured rule,
This indicates that there is a problem with an access rule. Can you post the entire configuration of the FPR ?
01-19-2023 09:21 AM
:
: Serial Number: JAD2537040H
: Hardware: FPR-1010, 2925 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.2.0.1
!
hostname firepower
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface Ethernet1/2
no switchport
bridge-group 1
nameif inside_2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/3
no switchport
bridge-group 1
nameif inside_3
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/4
no switchport
bridge-group 1
nameif inside_4
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/5
no switchport
bridge-group 1
nameif inside_5
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/6
no switchport
bridge-group 1
nameif inside_6
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/7
no switchport
bridge-group 1
nameif inside_7
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Ethernet1/8
no switchport
bridge-group 1
nameif inside_8
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface BVI1
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns server-group CustomDNSServerGroup
name-server 8.8.8.8
name-server 8.8.4.4
dns-group CustomDNSServerGroup
no object-group-search access-control
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network LAN_Route_Out
host x.x.x.182
object network OutsideRoute
subnet 0.0.0.0 0.0.0.0
object network INSIDE_to_5_Network
host 192.168.1.2
object network Inner-LAN-Subnet
subnet 192.168.5.0 255.255.255.0
object network 179-ceyea-wan
host x.x.x.179
object network 181-fhc-omv-wan
host x.x.x.181
object network 180-fbeye-wan
host x.x.x.180
object network Ubuntu-PieHole
host 192.168.5.9
object network 177-wan
host x.x.x.177
object network 177-omv-lan
host 192.168.5.42
object network 179-ceyea-lan
host 192.168.5.52
object network 180-fbeye-lan
host 192.168.5.55
object network 181-fhc-omv-lan
host 192.168.5.43
object network PiHole
host 192.168.5.46
object network 178-proxmox-lan
host 192.168.5.56
object network 178-proxmox-wan
host x.x.x.178
object network Wireguard
host 192.168.5.66
object service _|NatOrigSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
service tcp source eq 29
object service _|NatMappedSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
service tcp source eq 29
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435458
service-object ip
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435461
service-object tcp destination eq ssh
service-object tcp destination eq smtp
service-object tcp destination eq 587
service-object tcp destination eq 993
object-group service |acSvcg-268435498
service-object tcp destination eq ssh
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq 32400
service-object udp destination eq 51820
object-group service |acSvcg-268435506
service-object udp destination eq 51820
object-group service |acSvcg-268435511
service-object tcp destination eq 29
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Inside_Inside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_2 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_3 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_4 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_5 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_6 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_7 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_2 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_3 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_4 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_5 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_6 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_7 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435458 ifc inside_8 any ifc inside_8 any rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_3 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_4 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_5 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_6 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_7 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_8 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L7 RULE: 180-fbeye-mail
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_2 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_3 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_4 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_5 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_6 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_7 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_8 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435498: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435498: L7 RULE: 181-fhc-omv
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_2 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_3 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_4 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_5 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_6 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_7 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435498 ifc outside any ifc inside_8 object 181-fhc-omv-lan rule-id 268435498
access-list NGFW_ONBOX_ACL remark rule-id 268435506: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435506: L5 RULE: 177-wireguard
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_2 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_3 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_4 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_5 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_6 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_7 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435506 ifc outside any ifc inside_8 object 177-omv-lan rule-id 268435506
access-list NGFW_ONBOX_ACL remark rule-id 268435511: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435511: L5 RULE: Wireguard
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_2 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_3 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_4 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_5 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_6 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_7 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_8 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu outside 1492
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
mtu inside_8 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_8,outside) source dynamic any-ipv4 interface
nat (inside_7,outside) source dynamic any-ipv4 interface
nat (inside_6,outside) source dynamic any-ipv4 interface
nat (inside_5,outside) source dynamic any-ipv4 interface
nat (inside_4,outside) source dynamic any-ipv4 interface
nat (inside_3,outside) source dynamic any-ipv4 interface
nat (inside_2,outside) source static 180-fbeye-lan 180-fbeye-wan
nat (inside_2,outside) source static 181-fhc-omv-lan 181-fhc-omv-wan
nat (inside_2,outside) source static 179-ceyea-lan 179-ceyea-wan
nat (inside_2,outside) source static 177-omv-lan 177-wan
nat (inside_2,outside) source static Wireguard interface service _|NatOrigSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24 _|NatMappedSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
nat (inside_2,outside) source dynamic any-ipv4 interface
route outside 0.0.0.0 0.0.0.0 x.x.x.182 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_8
http 0.0.0.0 0.0.0.0 inside_7
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_4
ip-client inside_4
ip-client inside_4 ipv6
ip-client inside_6
ip-client inside_6 ipv6
ip-client inside_7
ip-client inside_7 ipv6
ip-client inside_8
ip-client inside_8 ipv6
ip-client diagnostic
ip-client diagnostic ipv6
ip-client inside_2
ip-client inside_2 ipv6
ip-client inside_3
ip-client inside_3 ipv6
ip-client inside_5
ip-client inside_5 ipv6
ip-client outside
ip-client outside ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 1452
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca permit-weak-crypto
crypto ca trustpoint DefaultInternalCertificate
crl configure
crypto ca trustpoint DefaultWebserverCertificate
crl configure
crypto ca trustpool policy
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 21 20 16 15 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside_4
ssh 0.0.0.0 0.0.0.0 inside_6
ssh 0.0.0.0 0.0.0.0 inside_7
ssh 0.0.0.0 0.0.0.0 inside_8
ssh 0.0.0.0 0.0.0.0 inside_2
ssh 0.0.0.0 0.0.0.0 inside_3
ssh 0.0.0.0 0.0.0.0 inside_5
ssh 0.0.0.0 0.0.0.0 outside
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname
vpdn group pppoewan ppp authentication chap
vpdn username password
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:20b5228eb6fb968ce49d2221c5b36315
: end
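The configuration dump above is where three things can be verified mechanically: that the static NAT for the LAN host and the access rule permitting outside traffic to it name the same port, that the static NAT rules sit above the dynamic catch-all for the same interface pair, and whether management access (ssh/http) is allowed on the outside interface. The following Python script is an added example, not from the thread or from Cisco; CONFIG is an abridged copy of the relevant lines posted above, and the port-name table is an assumption covering only the names that appear there. Run over the posted lines it reports that the Wireguard object (192.168.5.66) is translated on tcp/29 and permitted on tcp/29 (note that the posted config maps tcp/29, not the tcp/23 described in the posts), that the static rules precede the dynamic rule on (inside_2,outside), and that `ssh 0.0.0.0 0.0.0.0 outside` allows SSH management of the firewall from any address on the outside interface, which is what makes a connection to the WAN address on port 22 land on the FPR1010 itself.

```python
"""Cross-check a port-forward in a Cisco FTD/ASA running-config.  Added example,
not from the thread; CONFIG is an abridged copy of the lines posted above."""
import re

CONFIG = """\
object network Wireguard
 host 192.168.5.66
object network 180-fbeye-lan
 host 192.168.5.55
object service _|NatOrigSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
 service tcp source eq 29
object service _|NatMappedSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
 service tcp source eq 29
object-group service |acSvcg-268435461
 service-object tcp destination eq ssh
 service-object tcp destination eq smtp
object-group service |acSvcg-268435511
 service-object tcp destination eq 29
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc inside_2 object 180-fbeye-lan rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435511 ifc outside any ifc inside_2 object Wireguard rule-id 268435511
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
nat (inside_2,outside) source static 180-fbeye-lan 180-fbeye-wan
nat (inside_2,outside) source static Wireguard interface service _|NatOrigSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24 _|NatMappedSvc_a250bb9d-976e-11ed-86c9-d5f05a707e24
nat (inside_2,outside) source dynamic any-ipv4 interface
http 0.0.0.0 0.0.0.0 inside_2
ssh 0.0.0.0 0.0.0.0 inside_2
ssh 0.0.0.0 0.0.0.0 outside
"""

# Assumed: only the service names that occur in the posted config are mapped.
PORT_NAMES = {"ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}
ACL_RE = re.compile(r"permit object-group (\S+) ifc (\S+) \S+ ifc (\S+) object (\S+) rule-id (\d+)")


def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_config(text):
    cfg = {"hosts": {}, "svc_objs": {}, "svc_groups": {}, "acl": [], "nat": [], "mgmt": []}
    ctx = None                                   # (kind, name) of the object being filled
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("object", "object-group"):
            ctx = (w[0] + "-" + w[1], w[2])
            if w[0] == "object-group":
                cfg["svc_groups"][w[2]] = []
        elif w[0] == "host" and ctx and ctx[0] == "object-network":
            cfg["hosts"][ctx[1]] = w[1]
        elif w[0] == "service" and ctx and ctx[0] == "object-service":
            cfg["svc_objs"][ctx[1]] = (w[1], port(w[-1]))         # service tcp source eq 29
        elif w[0] == "service-object" and ctx and w[1] != "ip":
            cfg["svc_groups"][ctx[1]].append((w[1], port(w[-1])))  # service-object tcp destination eq ssh
        elif w[0] == "access-list":
            m = ACL_RE.search(raw)
            if m:
                cfg["acl"].append({"group": m[1], "src_ifc": m[2], "dst_ifc": m[3],
                                   "dst_obj": m[4], "rule": int(m[5])})
        elif w[0] == "nat":
            entry = {"ifcs": w[1], "kind": w[3], "real": w[4], "mapped": w[5], "mapped_svc": None}
            if "service" in w:
                entry["mapped_svc"] = w[w.index("service") + 2]  # service ORIG_SVC MAPPED_SVC
            cfg["nat"].append(entry)
        elif w[0] in ("ssh", "http", "telnet") and len(w) == 4:
            cfg["mgmt"].append({"proto": w[0], "net": w[1], "mask": w[2], "ifc": w[3]})
    return cfg


def check_port_forward(cfg, lan_obj):
    """Compare the NAT mapped port with the ACL port(s) permitting outside -> host."""
    nat = next((n for n in cfg["nat"] if n["kind"] == "static" and n["real"] == lan_obj), None)
    nat_ports = None                              # None: whole-address static NAT, all ports
    if nat and nat["mapped_svc"]:
        nat_ports = [cfg["svc_objs"][nat["mapped_svc"]]]
    acl_ports = sorted({p for r in cfg["acl"]
                        if r["src_ifc"] == "outside" and r["dst_obj"] == lan_obj
                        for p in cfg["svc_groups"][r["group"]]})
    consistent = bool(nat) and bool(acl_ports) and (nat_ports is None or set(nat_ports) <= set(acl_ports))
    return {"host": cfg["hosts"].get(lan_obj), "nat_ports": nat_ports,
            "acl_ports": acl_ports, "consistent": consistent}


def static_above_dynamic(cfg, ifcs):
    """Static rules must precede the dynamic catch-all for the same interface pair."""
    kinds = [n["kind"] for n in cfg["nat"] if n["ifcs"] == ifcs]
    last_static = max((i for i, k in enumerate(kinds) if k == "static"), default=-1)
    return "dynamic" not in kinds or kinds.index("dynamic") > last_static


def exposed_management(cfg):
    """Management access lines (ssh/http/telnet) that apply to the outside interface."""
    return [f'{m["proto"]} {m["net"]} {m["mask"]} {m["ifc"]}' for m in cfg["mgmt"] if m["ifc"] == "outside"]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for obj in ("Wireguard", "180-fbeye-lan"):
        print(obj, check_port_forward(cfg, obj))
    print("static above dynamic on (inside_2,outside):", static_above_dynamic(cfg, "(inside_2,outside)"))
    print("management exposed on outside:", exposed_management(cfg))
```

Restricting the outside `ssh` line to a specific administrative source network, or removing it in favour of VPN access, is the usual hardening; it also removes the collision between firewall management and a port forward on tcp/22.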