04-26-2023 07:19 AM
Hello,
So I am trying to set up a simple connection from a trusted external IP to an internal server. I currently have a NAT rule on both of our Firepowers. From what I can tell the NAT rules are working fine, because when attempting to connect I do see my connections coming in; they just keep getting blocked and I cannot find out why. I did a packet trace and it is telling me that it is blocked by the default rule, which tells me that the rule did not match; however, I believe I set up the rules correctly for out to in. I would appreciate any guidance as I am new to Cisco FMC/Firepowers.
These are bogus IPs for security reasons, but just to give a picture of the setup:
External IP NAT'd for the SSH Server Firepower (North Location): 180.168.104.15
External IP NAT'd for the SSH Server Firepower (South Location): 180.168.105.15
Internal IP of SSH Server: 10.0.0.168
So in the Access Control policy of Firepower (North and South):
I also added, in the reverse order, an Inside-to-Outside policy as well to allow any ports to that IP from that internal address. Of course only for testing purposes; eventually I will lock it down to the needed ports.
However it always seems to block the incoming connection.
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 00.00.00.00 using egress ifc Inside(vrfid:0)
Phase: 2
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 00.00.00.00 using egress ifc WAN(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc WAN any ifc Inside any rule-id 268435118
access-list CSM_FW_ACL_ remark rule-id 268435118: ACCESS POLICY: AccessPolicy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435118: L7 RULE: GeoBlock-Inbound
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAT
Additional Information:
Result:
input-interface: WAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005626461aa854 flow (NA)/NA
04-26-2023 07:22 AM - edited 04-26-2023 07:22 AM
You have static NAT for SSH.
So only SSH to the mapped IP, not to the real IP.
Please SSH to the mapped IP and share the packet-tracer of this process here.
04-26-2023 07:35 AM
This is with the destination set to the Static NAT:
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAt
Additional Information:
NAT divert to egress interface Inside(vrfid:0)
Untranslate 176.xx.xx.xx/22 to 10.0.0.183/22
Phase: 2
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 176.xx.xx.73 using egress ifc WAN(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc WAN any ifc Inside any rule-id 268435118
access-list CSM_FW_ACL_ remark rule-id 268435118: ACCESS POLICY: AccessPolicy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435118: L7 RULE: GeoBlock-Inbound
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAT
Additional Information:
Static translate 74.106.xx.14/22 to 74.106.xx.14/22
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAT
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3816579539, packet dispatched to next module
Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435115, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session typSnort Verdict: (black-list) black list this flow
Result:
input-interface: WAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor, Drop-location: frame 0x0000562647048602 flow (NA)/NA
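Added example, not code from the thread or from Cisco: a small Python parser for packet-tracer output in the plain-text form shown in the two traces above. It reports which phase returned DROP, the drop-reason code from the final Result block, the NAT rule in play and, for a Snort drop, the access-control rule ids and verdict from the Snort Trace. The two sample traces are constructed, abbreviated versions of the ones posted (192.0.2.10 stands in for the masked public address and frame 0x0 is a placeholder), and the hint strings only restate the thread's own advice.

```python
import re

# Constructed, abbreviated traces modeled on the two posted above
# (192.0.2.10 stands in for the masked public address, frame 0x0 is a placeholder).
SAMPLE_RPF_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip ifc WAN any ifc Inside any rule-id 268435118
Additional Information:
Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAT
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""
SAMPLE_SNORT_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,WAN) source static SSHServer SSHServer_ExternalNAT
Additional Information:
Untranslate 192.0.2.10/22 to 10.0.0.183/22
Phase: 2
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
MidRecovery data queried. Got session type 2 rule id: 268435116, rule_action:2, rev id:797914468, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435115, rule_action:2, rev id:797914468, ruleMatch flag:0x5
Snort Verdict: (black-list) black list this flow
Result:
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor, Drop-location: frame 0x0 flow (NA)/NA
"""

# Interpretation as the thread gives it: an rpf-check drop means the client hit the real IP
# instead of the mapped IP; a Snort drop is decided by the access-control rule ids in the trace.
HINTS = {
    "NAT": "rpf-check failed: with static NAT in place, connect to the mapped IP, not the real IP",
    "SNORT": "Snort blacklisted the flow: check the access-control rule ids and confirm the policy is deployed",
}

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase: N' block plus the trailing Result block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"Phase:\s*\d+", line):
            cur = {"kind": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":          # a bare 'Result:' opens the trailing summary block
            cur = section = None
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if cur is None:                # summary lines such as 'Action: drop'
            summary[key] = value
        elif key in ("Type", "Subtype", "Result"):
            cur[{"Type": "kind", "Subtype": "subtype", "Result": "result"}[key]] = value
            section = None
        elif key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section:                  # free-form line under Config: / Additional Information:
            cur[section].append(line)
    return phases, summary

def diagnose(text):
    """Pull out what a troubleshooter looks for first: which phase dropped the packet and why."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    code = re.match(r"\(([^)]+)\)", summary.get("Drop-reason", ""))
    info = [l for p in phases for l in p["info"]]
    verdict = next((m.group(1) for l in info for m in [re.match(r"Snort Verdict:\s*\(([^)]+)\)", l)] if m), None)
    return {
        "action": summary.get("Action"),
        "code": code.group(1) if code else None,
        "drop_phase": (drop["kind"], drop["subtype"]) if drop else None,
        "nat_rules": sorted({l for p in phases for l in p["config"] if l.startswith("nat ")}),
        "snort_rule_ids": sorted({int(x) for l in info for x in re.findall(r"rule id:\s*(\d+)", l)}),
        "snort_verdict": verdict,
        "hint": HINTS.get(drop["kind"], "unrecognised drop phase") if drop else "no DROP phase",
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_RPF_DROP), diagnose(SAMPLE_SNORT_DROP), sep="\n")
```

Paste a trace captured from the device in place of the constructed samples; the parser only depends on the `Phase:` / `Type:` / `Result:` layout, so the first trace above (real IP as destination) reports the NAT rpf-check drop and the second (mapped IP as destination) reports the Snort black-list verdict with rule ids 268435115 and 268435116.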
04-26-2023 07:43 AM
It's clear now.
The Snort drops SSH; instead of allow, you can change the action to fastpath.
04-26-2023 07:50 AM
Thank you for the tip, what does that mean for me lol? Sorry, I'm new to Cisco FWs, just trying to piece it together lol.
04-26-2023 08:30 AM
Also is my Access Control Policy correct or should the destination be set to the Static NAT of the server?
04-26-2023 09:36 AM
I'm a majooooor dum dum, I didn't deploy uuuugggghhhhh.
04-26-2023 09:48 AM
First, you are welcome.
And we all will be a bit dumb some day.
Welcome to the party lol
Have a nice day, friend.
MHM