Cisco 1010 port forwarding issue

saids3
Level 1

Upgraded from an ASA to a Firepower 1010; not able to get port forwarding working correctly!

Please see the attached access list and NAT.

 

firepower# show run nat
nat (inside_2,outside) source static DSM-OVPN interface service _|NatOrigSvc_07ad74-b908-11ed-aee3-6da23dcef6e5 _|NatMappedSvc_0c77ad74-b908-11ed-aee3-6da23ef6e5
nat (inside_8,outside) source dynamic any-ipv4 interface
nat (inside_7,outside) source dynamic any-ipv4 interface
nat (inside_6,outside) source dynamic any-ipv4 interface
nat (inside_5,outside) source dynamic any-ipv4 interface
nat (inside_4,outside) source dynamic any-ipv4 interface
nat (inside_3,outside) source dynamic any-ipv4 interface
nat (inside_2,outside) source dynamic any-ipv4 interface
nat (guest-wifi,outside) source static any-ipv4 interface
firepower#

firepower# packet-tracer input outside tcp 8.8.8.8 1194 10.206.167.131 1194

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.206.167.131 using egress ifc inside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA

firepower#


firepower# packet-tracer input outside tcp 8.8.8.8 1194 192.168.100.1 1194 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e37dc0, priority=12, domain=permit, deny=true
hits=162, user_data=0x14ff18ecb480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA

firepower#

firepower# packet-tracer input outside tcp 8.8.8.8 1194 192.168.100.1 1194 det$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e37dc0, priority=12, domain=permit, deny=true
hits=161, user_data=0x14ff18ecb480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA

If possible, please provide the outputs below to help understand this better:

show nat detail
show ip

 

Put the NAT rule in manual NAT.

nat (inside_2,outside) after-auto source static DSM-OVPN interface

 

Create the ACL in both directions: one rule from the inside zone to the outside zone, where the inside-zone network is your DSM-OVPN and the destination is any-ipv4 in the outside zone,

 

and another rule from the outside zone to the inside zone, where the source is any-ipv4 in the outside zone and the destination is DSM-OVPN in the inside zone.

please do not forget to rate.
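The following is an added illustration, not part of the thread or of Cisco's documentation, of what the accepted answer produces when expressed in ASA/FTD CLI syntax (on FTD managed by FDM you build the NAT rule and access rules in the GUI and the device generates equivalent lines; it is shown here so the two pieces can be read together). It assumes the inside interface nameif `inside_2` and outside nameif `outside` from the poster's `show run nat`, takes the DSM-OVPN host address 10.206.167.131 from the poster's packet-tracer, and assumes the OpenVPN server listens only on TCP 1194. It tightens the answer in one respect a practitioner would want: the NAT rule and the inbound access rule are restricted to tcp/1194, so the outside interface address forwards only that port rather than every port of the internal host, and the inbound rule admits only that service rather than any IP traffic to DSM-OVPN.

```text
! Added illustration in ASA/FTD CLI syntax (not from the original post).
! Assumptions: nameifs inside_2 / outside, DSM-OVPN = 10.206.167.131,
! OpenVPN on tcp/1194 only. Replace with your own values.
object network DSM-OVPN
 host 10.206.167.131

! For port forwarding via twice NAT with "source static", the service object
! is matched on the SOURCE port of the real host (inside_2 -> outside view).
object service OVPN-TCP-1194
 service tcp source eq 1194

! Manual (twice) NAT in section 3 (after-auto) so the auto/dynamic PAT rules
! are not shadowed. Only tcp/1194 of the outside interface IP is mapped.
nat (inside_2,outside) after-auto source static DSM-OVPN interface service OVPN-TCP-1194 OVPN-TCP-1194

! Access rules are evaluated on the REAL (untranslated) destination address,
! so the inbound rule names the internal host, not the outside interface IP,
! and is limited to the one forwarded port (least privilege).
access-list OUTSIDE_IN extended permit tcp any4 object DSM-OVPN eq 1194
access-group OUTSIDE_IN in interface outside

! Outbound from the server, as in the answer's inside->outside rule.
access-list INSIDE_2_IN extended permit ip object DSM-OVPN any4
access-group INSIDE_2_IN in interface inside_2
```

When verifying with packet-tracer from the outside, the destination must be the mapped address (the outside interface IP), not the internal 10.206.167.131 and not some other outside address; a trace to the real IP from the outside never hits the static NAT and so can only fall through to the deny-any default rule, which is what the poster's traces show. A trace that reaches the correct rule shows an UN-NAT phase translating to 10.206.167.131 and an ACCESS-LIST phase matching the permit rule, and on FDM the same check is the tcp/1194 rule appearing in the generated `NGFW_ONBOX_ACL` ahead of `DefaultActionRule`.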

@Sheraz.Salim 

Worked perfectly! Thank you for the instructions, very helpful and clear.

great work! 
