03-02-2023 06:24 PM
Upgraded from ASA to Firepower 1010 - not able to get port forwarding working correctly!
Please see the attached access list and NAT:
firepower# show run nat
nat (inside_2,outside) source static DSM-OVPN interface service _|NatOrigSvc_07ad74-b908-11ed-aee3-6da23dcef6e5 _|NatMappedSvc_0c77ad74-b908-11ed-aee3-6da23ef6e5
nat (inside_8,outside) source dynamic any-ipv4 interface
nat (inside_7,outside) source dynamic any-ipv4 interface
nat (inside_6,outside) source dynamic any-ipv4 interface
nat (inside_5,outside) source dynamic any-ipv4 interface
nat (inside_4,outside) source dynamic any-ipv4 interface
nat (inside_3,outside) source dynamic any-ipv4 interface
nat (inside_2,outside) source dynamic any-ipv4 interface
nat (guest-wifi,outside) source static any-ipv4 interface
firepower#
firepower# packet-tracer input outside tcp 8.8.8.8 1194 10.206.167.131 1194
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.206.167.131 using egress ifc inside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
firepower#
03-03-2023 03:22 AM
Put the NAT rule in manual NAT:
nat (inside_2,outside) after-auto source static DSM-OVPN interface
Create the ACL in both directions: from the inside zone to the outside zone, where the inside zone network is your DSM-OVPN to any-ipv4 in the outside zone,
and another rule from the outside zone to the inside zone, where any-ipv4 outside goes to DSM-OVPN in the inside zone.
03-02-2023 06:37 PM
As per the packet tracer output, it's blocked in the ACL. Check the ACLs again to verify that traffic is allowed for the required source, destination and ports.
03-02-2023 06:42 PM
First correct your packet tracer to see where the problem is:
firepower# packet-tracer input inside_X tcp 10.206.167.131 1194 8.8.8.8 1194 detail <<- X: there are many inside interfaces; select the one that 10.206.167.x connects to.
03-02-2023 07:22 PM
firepower# packet-tracer input inside_2 tcp 10.206.167.131 1194 8.8.8.8 1194 d$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff25a4f120, priority=1, domain=permit, deny=false
hits=882129, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside_2, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e2d290, priority=12, domain=permit, trust
hits=16631, user_data=0x14ff18eca580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside_2(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_2,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 10.206.167.131/1194 to 192.168.100.4/1194
Forward Flow based lookup yields rule:
in id=0x14ff25d3d590, priority=6, domain=nat, deny=false
hits=16630, user_data=0x14ff25d39030, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff23ec6500, priority=0, domain=nat-per-session, deny=false
hits=28316, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff250c4fa0, priority=0, domain=inspect-ip-options, deny=true
hits=19089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e2d290, priority=12, domain=permit, trust
hits=16631, user_data=0x14ff18eca580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside_2(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_2,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 10.206.167.131/1194 to 192.168.100.4/1194
Forward Flow based lookup yields rule:
in id=0x14ff25d3d590, priority=6, domain=nat, deny=false
hits=16631, user_data=0x14ff25d39030, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff23ec6500, priority=0, domain=nat-per-session, deny=false
hits=28316, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff250c4fa0, priority=0, domain=inspect-ip-options, deny=true
hits=19089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=any
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e2d290, priority=12, domain=permit, trust
hits=16631, user_data=0x14ff18eca580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside_2(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 12
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_2,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 10.206.167.131/1194 to 192.168.100.4/1194
Forward Flow based lookup yields rule:
in id=0x14ff25d3d590, priority=6, domain=nat, deny=false
hits=16631, user_data=0x14ff25d39030, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff23ec6500, priority=0, domain=nat-per-session, deny=false
hits=28317, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff250c4fa0, priority=0, domain=inspect-ip-options, deny=true
hits=19089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=any
Phase: 15
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside_2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
object-group service |acSvcg-268435457
service-object ip
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e2d290, priority=12, domain=permit, trust
hits=16631, user_data=0x14ff18eca580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=inside_2(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 16
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_2,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 10.206.167.131/1194 to 192.168.100.4/1194
Forward Flow based lookup yields rule:
in id=0x14ff25d3d590, priority=6, domain=nat, deny=false
hits=16631, user_data=0x14ff25d39030, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 17
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff23ec6500, priority=0, domain=nat-per-session, deny=false
hits=28317, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 18
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff250c4fa0, priority=0, domain=inspect-ip-options, deny=true
hits=19090, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=any
Phase: 19
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside_2,outside) after-auto source dynamic any-ipv4 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14ff25d3e220, priority=6, domain=nat-reverse, deny=false
hits=15736, user_data=0x14ff25202590, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside_2(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 20
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14ff23ec6500, priority=0, domain=nat-per-session, deny=false
hits=28318, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 21
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14ff259205c0, priority=0, domain=inspect-ip-options, deny=true
hits=27116, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any
Phase: 22
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 97942, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 23
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.100.1 using egress ifc outside(vrfid:0)
Phase: 24
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.100.1 on interface outside
Adjacency :Active
MAC address e04b.a675.7d07 hits 322 reference 122
Result:
input-interface: inside_2(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
firepower#
03-02-2023 07:26 PM
No issue at all.
All phases allow; there is no drop.
03-02-2023 07:32 PM
03-02-2023 07:40 PM
According to packet tracer there is no issue; what exactly do you face in real traffic?
03-02-2023 07:48 PM
03-02-2023 08:01 PM
Did you use the same IP when migrating from ASA to FPR? If yes,
clear the ARP and MAC address tables in the connected devices.
I think these tables still show the MAC of the old ASA.
03-03-2023 12:59 AM
I have a Cisco switch, ISP, and NAS. Restored, but still the same issue: not able to port forward.
Since I installed the new 1010, the IP changed from 192.XXX.XXX.3 to 192.XXX.XXX.4.
Also, I have forwarded the port from the ISP provider.
03-02-2023 06:47 PM
It is important to ensure that we are running the correct packet tracer when we want to confirm whether the configured NAT gets hit.
nat (inside_2,outside) source static DSM-OVPN interface service _|NatOrigSvc_07ad74-b908-11ed-aee3-6da23dcef6e5 _|NatMappedSvc_0c77ad74-b908-11ed-aee3-6da23ef6e5
packet-tracer input outside tcp 8.8.8.8 1194 <outside_interface_IP> 1194 detail
Assuming 10.206.167.131 is private, this could be the server IP address that is behind inside_2. Please correct me if my interpretation is incorrect.
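The point made in this reply (and in the later one asking for the UN-NAT phase) is the one diagnostic that matters for an inbound port forward: a trace entering on the outside interface must be aimed at the mapped address, the outside interface IP, or the static NAT rule is never consulted and the ACL verdict is meaningless. The following triage script is an added example, not code from the thread or from Cisco: it parses `packet-tracer ... detail` output into phases, reports the first DROP phase with its rule-id and drop reason, and flags an outside-to-private-address trace that shows no UN-NAT phase. The failing sample is abbreviated from the output posted above; the passing sample, including its UN-NAT phase and the `permit udp ... eq 1194` rule, is constructed to show what a correct trace looks like and is an assumption, not output from the thread.

```python
"""Triage helper for Cisco ASA/FTD packet-tracer output (added example)."""
import ipaddress
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")


def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":          # bare header starts the final summary
            in_summary = True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:                          # Type / Subtype / Result of this phase
            current[m.group(1).lower()] = m.group(2).strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return phases, summary


def rule_id(phase):
    """Access-policy rule-id named in the phase's Config lines, if any."""
    for line in phase["config"]:
        m = re.search(r"rule-id (\d+)", line)
        if m:
            return int(m.group(1))
    return None


def triage(command, text):
    """Return the verdict, the dropping phase (if any) and a list of findings."""
    phases, summary = parse_trace(text)
    # packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> [detail]
    ifc, _proto, _src, _sport, dst, _dport = command.split()[2:8]
    findings = []
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    if drop:
        findings.append("dropped in phase %d (%s), rule-id %s: %s" % (
            drop["number"], drop["type"], rule_id(drop),
            summary.get("Drop-reason", "")))
    # Inbound NAT check: without an UN-NAT phase, a trace aimed at a private
    # address never touched the static NAT rule; only the ACL was evaluated.
    if (ifc == "outside" and "UN-NAT" not in [p["type"] for p in phases]
            and ipaddress.ip_address(dst).is_private):
        findings.append(
            "no UN-NAT phase and the destination is a private address: the "
            "trace targeted the real host IP; rerun it against the mapped "
            "(outside interface) address so the static NAT rule is exercised")
    return {"action": summary.get("Action"),
            "drop_phase": drop["number"] if drop else None,
            "findings": findings}


# Constructed sample: the thread's failing trace, abbreviated to the relevant
# phases (ROUTE-LOOKUP, then the default-action deny).
DROP_CMD = "packet-tracer input outside tcp 8.8.8.8 1194 10.206.167.131 1194"
DROP_TRACE = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.206.167.131 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
Additional Information:
Result:
input-interface: outside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample (assumed layout, not from the thread): a trace against the
# mapped address 192.168.100.4, where UN-NAT fires before the ACL is checked.
OK_CMD = "packet-tracer input outside udp 8.8.8.8 40000 192.168.100.4 1194 detail"
OK_TRACE = """
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside_2,outside) source static DSM-OVPN interface service OVPN OVPN
Additional Information:
NAT divert to egress interface inside_2(vrfid:0)
Untranslate 192.168.100.4/1194 to 10.206.167.131/1194
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit udp any object DSM-OVPN eq 1194 rule-id 268435458
Additional Information:
Result:
input-interface: outside(vrfid:0)
output-interface: inside_2(vrfid:0)
Action: allow
"""

if __name__ == "__main__":
    for cmd, trace in ((DROP_CMD, DROP_TRACE), (OK_CMD, OK_TRACE)):
        print(cmd)
        print("  ", triage(cmd, trace))
```

Paste a real trace into `triage()` together with the exact command that produced it: the command is what tells the script which interface the packet entered on and whether the destination was the real or the mapped address, which the trace body alone does not reveal.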
03-02-2023 06:52 PM
10.206.167.131 is a NAS connected to a Cisco switch. I need to utilize OpenVPN, so I have to forward UDP port 1194. My ISP provider is 192.168.100.1.
DSM-OVPN - 10.206.167.131
03-02-2023 06:56 PM
firepower#
firepower# packet-tracer input outside tcp 8.8.8.8 1194 10.206.167.131 1194 de$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.206.167.131 using egress ifc inside(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14ff26e37dc0, priority=12, domain=permit, deny=true
hits=157, user_data=0x14ff18ecb480, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp= 0x0, nsg_id=none
input_ifc=any, output_ifc=any
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005573dbf0816f flow (NA)/NA
03-02-2023 07:13 PM
Before the access-list phase, the UN-NAT phase should be seen. Use the packet tracer below and share the output, please:
packet-tracer input outside tcp 8.8.8.8 1194 <outside_interface_IP> 1194 detail