04-28-2024 07:28 AM
We have deployed a vFTD in the Azure environment. The configuration of the firewall is as follows.
Inside interface IP: 10.2.2.4/24
Outside interface IP: 10.2.1.4/24
Internal server IP: 10.0.0.6
Also, the firewall is able to ping the server from its inside interface.
Now we want to configure the server to be accessible from the internet, so we have created a NAT rule for it.
TCP PAT from inside:10.0.0.6 8443-8443 to outside:10.2.1.4 8443-8443
We also created an access rule to allow connections from outside towards this server. But we are still unable to access the server from outside.
Below is the packet tracer snap.
> packet-tracer input outside tcp 1.1.1.1 8443 10.0.0.6 8443
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 25917 ns
Config:
Additional Information:
Found next-hop 10.2.2.1 using egress ifc inside(vrfid:0)
Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 0
Destination Object Group Match Count: 1
Object Group Search: 0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 244 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc outside any ifc inside object Prod_KeyClock object-group 8443_port rule-id 268434437
access-list CSM_FW_ACL_ remark rule-id 268434437: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434437: L7 RULE: Server_Access
object-group service 8443_port tcp
port-object eq 8443
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 244 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 244 ns
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 244 ns
Config:
Additional Information:
Phase: 7
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 18093 ns
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Elapsed time: 4890 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 49876 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558b65312829 flow (NA)/NA
Also a public IP has been assigned to the firewall in Azure.
04-28-2024 09:18 AM
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
You have a DROP here. Can you post the relevant NAT and ACL config to look at?
Check some examples:
04-28-2024 09:25 AM
Wrong packet tracer.
> packet-tracer input outside tcp 1.1.1.1 12345 10.2.1.4 8443 detail
Share the output of the above.
MHM
04-28-2024 09:32 AM
> packet-tracer input outside tcp 1.1.1.1 12345 10.2.1.4 8443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 21516 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 10.2.1.4/8443 to 10.0.0.6/8443
Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 0
Destination Object Group Match Count: 1
Object Group Search: 0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 195 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp ifc outside any ifc inside object Prod_KeyClock object-group 8443_port rule-id 268434437
access-list CSM_FW_ACL_ remark rule-id 268434437: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434437: L7 RULE: Server_Access
object-group service 8443_port tcp
port-object eq 8443
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Static translate 1.1.1.1/12345 to 1.1.1.1/12345
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Phase: 8
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 14670 ns
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 4890 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 31785 ns
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 489 ns
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 12714 ns
Config:
Additional Information:
New flow created with id 1360, packet dispatched to next module
Phase: 14
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 42543 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 229552 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268434437
Additional Information:
Starting rule matching, zone 1 -> 2, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434437 - Allow
Phase: 16
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 19534 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)
Phase: 17
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5868 ns
Config:
Additional Information:
Found next-hop 10.2.2.1 using egress ifc inside(vrfid:0)
Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 1467 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.2.1 on interface inside
Adjacency :Active
MAC address 1234.5678.9abc hits 26 reference 1
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 386003 ns
By the way, with the command you gave me, the result shows allow. So what could be the reason that the server is not accessible from outside?
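To compare the two outside-to-inside traces above mechanically, here is an added example (not from the thread or from Cisco): a small parser for the packet-tracer text format that reports the final Action, the first DROP phase with its Config lines, and any NAT Untranslate lines. The two embedded traces are constructed, abbreviated versions of the ones posted above (the first aimed at the real IP 10.0.0.6, the second at the mapped IP 10.2.1.4).

```python
# Added example: parse FTD/ASA packet-tracer output and report where (if anywhere)
# the packet was dropped and what the NAT phases did. Not the thread's own code.
import re
PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")

def parse_trace(text):
    """Return (phases, summary): one dict per Phase plus the trailing Result block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = PHASE_RE.match(line)
        if m:                                   # a new phase starts
            cur, section = {"n": int(m.group(1)), "Config": [], "Info": []}, None
            phases.append(cur)
        elif line == "Result:":                 # trailing per-packet summary block
            cur = None
        elif (kv := KV_RE.match(line)):         # Type/Subtype/Result or Action/Drop-reason
            (summary if cur is None else cur)[kv.group(1)] = kv.group(2)
        elif cur is not None and line in ("Config:", "Additional Information:"):
            section = "Config" if line == "Config:" else "Info"
        elif cur is not None and section:       # free-form lines under the current heading
            cur[section].append(line)
    return phases, summary

def summarize(text):
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    return {
        "action": summary.get("Action"),
        "drop_phase": None if drop is None else f"{drop['n']} {drop['Type']}/{drop.get('Subtype', '')}",
        "drop_config": [] if drop is None else drop["Config"],
        "drop_reason": summary.get("Drop-reason"),
        "untranslate": [i for p in phases for i in p["Info"] if i.startswith("Untranslate")],
    }

# Constructed, abbreviated traces modelled on the thread: tracing to the real IP
# hits the rpf-check drop, tracing to the mapped IP goes through UN-NAT first.
TRACE_REAL_IP = """Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_MAPPED_IP = """Phase: 1
Type: UN-NAT
Result: ALLOW
Additional Information:
Untranslate 10.2.1.4/8443 to 10.0.0.6/8443
Result:
Action: allow
"""
```

Feed `summarize()` the full output of a real trace: a non-empty `drop_phase` pinpoints the failing phase, while `untranslate` shows whether the trace actually exercised the NAT rule.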
04-28-2024 09:40 AM
Do the test again and share the result; sometimes packet tracer needs to run twice to show where the packet drops.
Also:
Do show arp.
Check whether the IP-MAC mapping is correct or not.
Last point: the next-hop is in a different subnet than the server???
Next-hop 10.2.2.1 on interface inside
Adjacency :Active
MAC address 1234.5678.9abc hits 26 reference 1
04-28-2024 09:50 AM
I have run the test again, and this time also the result showed success.
Also I had done show arp but didn't get any ARP entry for that IP. But I am able to ping 10.0.0.6 from the firewall.
> ping interface inside 10.0.0.6
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
> show arp
outside 10.2.1.1 1234.5678.9abc 11273
inside 10.2.2.1 1234.5678.9abc 3075
>
The next hop to the server network is in the same network of the inside interface network.
> show route 10.0.0.6
Routing entry for 10.0.0.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.2.2.1, via inside
Route metric is 0, traffic share count is 1
>
04-28-2024 10:15 AM
Does this inside L3 device 10.2.2.1 have a default route toward the FTD?
MHM
04-28-2024 10:21 AM
Yes, it has a default route towards the firewall.
04-28-2024 10:29 AM
> packet-tracer input inside tcp 10.0.0.6 8443 1.1.1.1 12345 detailed
There is nothing wrong as I see from OUT to IN.
Check from IN to OUT.
04-28-2024 10:34 AM
> packet-tracer input inside tcp 10.0.0.6 8443 1.1.1.1 12345 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 13203 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c01be30, priority=1, domain=permit, deny=false
hits=239, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 17604 ns
Config:
Additional Information:
Found next-hop 10.2.1.1 using egress ifc outside(vrfid:0)
Phase: 3
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 1
Object Group Search: 1
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 195 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside object-group FMC_INLINE_src_rule_268434433 ifc outside any rule-id 268434433
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: Default Access Control Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Internet-rULE
object-group network FMC_INLINE_src_rule_268434433(hitcnt=138, id=4026531842)
network-object object Hobasa_Prod_Vnet_Network_1(hitcnt=3)
network-object object Insideinterface_Network(hitcnt=135)
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x14f89c7653e0, priority=12, domain=permit, deny=false
hits=2, user_data=0x14f8e9de1200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=240.0.0.2, mask=255.255.255.255, port=0, tag=any, ifc object-group id 973
dst ip/id=240.1.0.2, mask=255.255.255.255, port=0, tag=any, ifc=outside(vrfid:0),
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c1cd6c0, priority=7, domain=conn-set, deny=false
hits=2, user_data=0x14f89c1c37d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Static translate 10.0.0.6/8443 to 10.2.1.4/8443
Forward Flow based lookup yields rule:
in id=0x14f89c045d90, priority=6, domain=nat, deny=false
hits=1, user_data=0x14f89c3277f0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=10.0.0.6, mask=255.255.255.255, port=8443, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f8ffa64760, priority=0, domain=nat-per-session, deny=false
hits=583, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 195 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f89c025c80, priority=0, domain=inspect-ip-options, deny=true
hits=147, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=any
Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 14181 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14f8ffe6ae30, priority=70, domain=qos-per-class, deny=false
hits=37, user_data=0x14f89c06a810, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 6357 ns
Config:
nat (inside,outside) source static Prod_KeyClock interface service SVC_4294975244 SVC_4294975244
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14f89d7b7680, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x14f89c6058e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.0.0.6, mask=255.255.255.255, port=8443, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=inside(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 11
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 27384 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8ffe6ae30, priority=70, domain=qos-per-class, deny=false
hits=38, user_data=0x14f89c06a810, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 489 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8ffa64760, priority=0, domain=nat-per-session, deny=false
hits=585, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14f8fff71c30, priority=0, domain=inspect-ip-options, deny=true
hits=206, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=outside(vrfid:0), output_ifc=any
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 10758 ns
Config:
Additional Information:
New flow created with id 1526, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 15
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 38142 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 16
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 348582 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268434433
Additional Information:
Starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434433 - Allow
Phase: 17
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 24540 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)
Phase: 18
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 4890 ns
Config:
Additional Information:
Found next-hop 10.2.1.1 using egress ifc outside(vrfid:0)
Phase: 19
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 1956 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.2.1.1 on interface outside
Adjacency :Active
MAC address 1234.5678.9abc hits 13 reference 1
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 509061 ns
>
This also shows as allow.
Is there anything that I have to do at Azure end?
04-28-2024 11:06 AM
> show arp
outside 10.2.1.1 1234.5678.9abc 11273
inside 10.2.2.1 1234.5678.9abc 3075
Both use the same MAC if you did not change it!!
MHM
05-28-2024 04:11 AM
Hi everyone,
Thanks for your help, but we have figured out the solution. Actually the NAT rule for the Azure firewall has to be configured differently compared to the on-prem firewall. Below is the NAT rule I have applied, and it worked for me.