03-02-2023 06:24 PM
Upgraded from ASA - 1010 firepower - Not able to get port forwarding correctly!
Please see the attached access list and NAT:
firepower# show run nat
nat (inside_2,outside) source static DSM-OVPN interface service _|NatOrigSvc_07ad74-b908-11ed-aee3-6da23dcef6e5 _|NatMappedSvc_0c77ad74-b908-11ed-aee3-6da23ef6e5
nat (inside_8,outside) source dynamic any-ipv4 interface
nat (inside_7,outside) source dynamic any-ipv4 interface
nat (inside_6,outside) source dynamic any-ipv4 interface
nat (inside_5,outside) source dynamic any-ipv4 interface
nat (inside_4,outside) source dynamic any-ipv4 interface
nat (inside_3,outside) source dynamic any-ipv4 interface
nat (inside_2,outside) source dynamic any-ipv4 interface
nat (guest-wifi,outside) source static any-ipv4 interface
firepower#
firepower# packet-tracer input outside tcp 8.8.8.8 1194 10.206.167.131 1194
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.206.167.131 using egress ifc inside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
firepower#
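An added example (not from this thread and not Cisco code): a small Python parser for the packet-tracer output quoted above. It splits the trace into its numbered phases, finds the first phase whose Result is DROP, pulls out the ACL name, rule-id and drop-reason code from it, and notes whether any UN-NAT/NAT phase matched at all and whether the route lookup sent the packet back out the input interface, which is what the trace above shows. The sample trace is constructed from the lines quoted in the thread; the `UN-NAT` phase type checked for and the key names in the returned dict are my own assumptions.

```python
"""Parse Cisco ASA/FTD packet-tracer output and report which phase dropped the flow."""
import re
from dataclasses import dataclass, field

# Constructed sample: the packet-tracer run quoted in the thread, trimmed to the lines used here.
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
Additional Information:
Result:
input-interface: outside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


def parse_phases(text):
    """Split the output into Phase records plus the trailing 'Result:' summary lines."""
    phases, summary, current, section = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            current, section = Phase(int(m.group(1))), None
            phases.append(current)
        elif line == "Result:":                  # bare "Result:" opens the final summary
            current, section = None, "summary"
        elif section == "summary":
            summary.append(line)
        elif current is None:
            continue                              # prompt echo before phase 1
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, summary


def _ifc(name):
    return name.split("(", 1)[0]  # "outside(vrfid:0)" -> "outside"


def diagnose(text):
    """Return input/egress interfaces, whether a NAT phase matched, and the dropping rule if any."""
    phases, summary = parse_phases(text)
    kv = {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in summary if ":" in l)}
    egress = _ifc(kv.get("output-interface", ""))
    for line in (l for p in phases for l in p.info):
        m = re.search(r"using egress ifc (\S+)", line)   # ROUTE-LOOKUP names the egress too
        if m:
            egress = _ifc(m.group(1))
    report = {"input_ifc": _ifc(kv.get("input-interface", "")), "egress_ifc": egress,
              "nat_applied": any(p.type in ("UN-NAT", "NAT") for p in phases),  # assumed type names
              "action": kv.get("Action", ""), "dropped": False}
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is None:
        return report
    cfg = "\n".join(drop.config)
    acl, rule = re.search(r"access-group (\S+)", cfg), re.search(r"rule-id (\d+)", cfg)
    reason = re.match(r"\((\S+)\)", kv.get("Drop-reason", ""))
    report.update(dropped=True, drop_phase=drop.number, phase_type=drop.type,
                  acl=acl.group(1) if acl else "", rule_id=int(rule.group(1)) if rule else None,
                  drop_reason_code=reason.group(1) if reason else "")
    return report


def explain(report):
    """One-line verdict; flags the tell-tale 'no NAT phase, egress == input' pattern."""
    if not report["dropped"]:
        return f"allowed: {report['input_ifc']} -> {report['egress_ifc']}"
    msg = (f"dropped in phase {report['drop_phase']} ({report['phase_type']}) by "
           f"{report['acl'] or 'unknown ACL'} rule-id {report['rule_id']} [{report['drop_reason_code']}]")
    if not report["nat_applied"] and report["input_ifc"] == report["egress_ifc"]:
        msg += "; no NAT phase matched and egress == input interface, so the destination was never untranslated"
    return msg


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_DROP)))
```

Run it on the pasted output of `packet-tracer ... detailed`; on the trace above it reports the drop in phase 2 by NGFW_ONBOX_ACL rule-id 1 (acl-drop) and points out that no NAT phase ran and the egress interface equals the input interface, which is why the next thing to check is the NAT rule rather than only the access policy.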
03-02-2023 07:16 PM
firepower# packet-tracer input outside tcp 8.8.8.8 1194 192.168.100.1 1194 de$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e37dc0, priority=12, domain=permit, deny=true
hits=162, user_data=0x14ff18ecb480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
firepower#
03-02-2023 07:12 PM
firepower# packet-tracer input outside tcp 8.8.8.8 1194 192.168.100.1 1194 det$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e37dc0, priority=12, domain=permit, deny=true
hits=161, user_data=0x14ff18ecb480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
03-02-2023 07:19 PM
If possible, help me with the below outputs to understand this better:
show nat detail
show ip
03-02-2023 07:25 PM
03-03-2023 03:22 AM
Put the NAT rule in manual NAT:
nat(inside2,outside) after-auto source static DSM-OVPN interface
Create the ACL in both directions: from inside zone to outside zone, where the inside zone network will be your DSM-OVPN to any-ipv4 in the outside zone.
Another rule from outside zone to inside zone, where any-ipv4 outside goes to DSM-OVPN in the inside zone.
03-03-2023 03:35 AM
Worked perfectly! Thank you for the instruction, very helpful and clear.
Great work!