ACL Support on FTD1120 Using FDM

vtxchris
Level 1

I am trying to configure a FTD1120 and am having trouble with the access list commands. We're not able to configure a management VM, so we're using the 1120's onboard Device Manager. Right now we're just trying to get access out to the Internet and ports 25, 587 and 443 into the internal Microsoft Exchange server. So it's a pretty simple config, but we're having a lot of trouble getting it to work. Coming from the ASA world, we'd normally allow those ports directly in the ACL, setting it up like this:

[screenshot: HC ACL.png]

But that fails when we try the same thing on the 1120. Using the image below for reference, we've tried adding the 3 ports to the PORTS section on the SOURCE side, on the DESTINATION side, and on both sides, specifying the internal Exchange server in the DESTINATION NETWORKS section. With the ports added to both sides, or to only the SOURCE side, we can't get email or web to work at all. If we add the ports only on the DESTINATION side, email and web both work, but I don't think it's actually filtering anything, because if I remove HTTPS from the DESTINATION side I still have web access to the server. So we're having no luck when trying to allow specific ports through the 1120. (We have tried this on a few different test networks, so that's why some of the object names are different in the screenshots.)

[screenshot: LYACL Not working.png]

We did see success, though, by not adding anything to the PORTS section of either side but adding them as APPLICATIONS instead. We added HTTP, HTTPS, SMTP and SMTPS to the APPLICATIONS section on the DESTINATION side, and both email and web access started working. Furthermore, it seems to be actually firewalling those protocols, as when we removed the HTTP applications, email continued to work but web access failed. Of note is that we also had to add this ACL rule ABOVE the auto-generated one. If we added it below, it would not work.

[screenshot: ESACL Apps working.png]

So here's my question - is this actually a valid config? Obviously I need to make sure this server is secure, and it doesn't make sense to me that we can't get this working by allowing the specific ports. But if this is the correct way to do things in the FTD world, that's fine, I just need confirmation. If it's not and I should be able to do this with specific ports, can someone help me with the config? Here also is a pic of the current NAT statement in case it's applicable.  It's notable again that we also had to add this as a manual NAT statement above the auto-generated one in order for it to work. Thanks in advance!

[screenshot: ESNAT.png]

Accepted Solution

Hi,
You wouldn't specify the source port, as TCP uses a random source port. You would normally just specify the destination port. Remove the source ports from the configuration in your 2nd screenshot; that's what I'd normally expect for inbound traffic.

As to why removing HTTPS still permitted web access to the server, that would need troubleshooting. I assume the policy pushed and you don't have a default action of permit on the policy?

Run "system support firewall-engine-debug" from the CLI of the FTD and confirm which rule traffic was actually matching.

HTH

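To make the answer's two points concrete, here is a small first-match access-rule evaluator, added as an example (it is not code from the thread or from Cisco). It shows why a rule that restricts the source port never matches inbound connections, why restricting only the destination port does, and why a permit default action would hide a port you removed from the rule. The server address, rule names and client port are constructed.

```python
# Added example (not from the thread or from Cisco): a tiny first-match
# access-rule evaluator. It shows why a rule that restricts the SOURCE port
# never matches inbound Exchange traffic, why restricting only the DESTINATION
# port does, and why a "permit" default action hides a missing port.
# Addresses, rule names and the client port are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    dst_nets: list = field(default_factory=list)  # empty list = any destination
    src_ports: set = field(default_factory=set)   # empty set = any source port
    dst_ports: set = field(default_factory=set)   # empty set = any dest port

    def matches(self, dst_ip, src_port, dst_port):
        if self.dst_nets and not any(ip_address(dst_ip) in n for n in self.dst_nets):
            return False
        if self.src_ports and src_port not in self.src_ports:
            return False
        return not self.dst_ports or dst_port in self.dst_ports

def evaluate(rules, dst_ip, src_port, dst_port, default="deny"):
    """Top-down, first match wins; the policy default action applies otherwise."""
    for r in rules:
        if r.matches(dst_ip, src_port, dst_port):
            return r.action, r.name
    return default, "default-action"

EXCHANGE = ip_network("10.0.0.25/32")   # constructed internal server address
MAIL_PORTS = {25, 587, 443}
CLIENT_PORT = 51234                      # ephemeral port chosen by the remote client

# Ports on the SOURCE side (the variant that failed in the thread)
src_side = [Rule("Exchange-In", "allow", [EXCHANGE], src_ports=MAIL_PORTS)]
# Ports on the DESTINATION side only (the accepted fix)
dst_side = [Rule("Exchange-In", "allow", [EXCHANGE], dst_ports=MAIL_PORTS)]
# HTTPS removed from the rule, as in the poster's filtering check
no_https = [Rule("Exchange-In", "allow", [EXCHANGE], dst_ports=MAIL_PORTS - {443})]

if __name__ == "__main__":
    print("source-side SMTP:", evaluate(src_side, "10.0.0.25", CLIENT_PORT, 25))
    print("dest-side SMTP:  ", evaluate(dst_side, "10.0.0.25", CLIENT_PORT, 25))
    print("dest-side 8080:  ", evaluate(dst_side, "10.0.0.25", CLIENT_PORT, 8080))
    # A permit default action lets HTTPS through even after it is removed
    print("no-https, deny default:  ", evaluate(no_https, "10.0.0.25", CLIENT_PORT, 443))
    print("no-https, permit default:", evaluate(no_https, "10.0.0.25", CLIENT_PORT, 443, "allow"))
```

The last two lines reproduce the symptom the answer asks about: with the policy default set to permit, removing HTTPS from the rule changes nothing, which is why checking the default action (and the matched rule via `firewall-engine-debug`) is the next step.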

3 Replies

Thanks, I got it back at the customer site and strangely had better luck. Per your advice I added the ports only to the destination side and removed the applications.  I left the source side as any ports, and left both this rule and the NAT rule above the implicit ones. Mail and HTTPS started flowing fine, and I was able to confirm the filtering by removing and re-adding HTTPS.  So I think we're in good shape - I just need to get the licenses applied and the VPNs recreated.

I am curious, if you have any more information, about the purpose of the Applications section in the ACL rule.  Can you give me any info as to what that should be used for?

Good to hear it's working.
Defining an application in the ACP allows per-application granularity rather than defining the rule per-port.

HTH