FPR1010 FDM NAT / Policy (not working)

TheGoob
VIP

Hello


So I am having some issues deploying NAT... 

My FPR1010 has a WAN (outside) IP 207.108.121.X which has a LAN (inside) 192.168.1.0.

I have NAT on INSIDE for an Internal Network (connected to a SG550) which is 192.168.5.1-192.168.5.55

The 192.168.1.0 (LAN/INSIDE) on FPR1010 has a static IP on SG550 GE1/1 of 192.168.1.2, and the SG 192.168.5.1-192.168.5.55 uses that for a PBR to access the Internet, so everything 192.168.5.1-192.168.5.55 communicates with the FPR via 192.168.1.2. Why PBR? Cause 192.168.5.56-192.168.5.100 uses a different PBR for its WAN.


Most of this is irrelevant. My issue is that a device on 192.168.5.43 (using 192.168.1.2 to access the Internet, which uses 207.108.121.x for WAN) has SSH on Port 66. I want any device on "outside" to be able to come in on Port 66 and be directed to that 192.168.5.43 device.

I created a NAT "outside any 66 inside 192.168.5.43 66" as well as a Policy allowing incoming from outside to 192.168.5.43 port 66, but I keep getting a rejection when trying to access it from outside.

I am clearly missing something and for now have no config to show you but maybe these words and description can start a narrative. 

I am hoping to not get involved with why PBR, why internal 192.168.5.0 when I have 192.168.1.0 etc. Everything else works fine, I just need this to work. 


51 Replies

Meaning your FTD now allows port 66, but the NAT must change to be from 22 to 66

if you use the known port 22 for SSH.

TheGoob
VIP

I do not follow... And really I think I am making this last longer than it needs to be.
My SSH Server is using Port 66. My NAT/ACL is set to use Port 66. Windows connects to 192.168.5.43 -p 66 just fine. I actually made an object for Port 66 and am using that.

There is nothing Port 22 on any of my devices… On the Client I am using remotely I am also setting Port 66.

If you use port 22:

SSH xx.x.x. <- by default uses port 22

If you SSH using 66:

SSH x.x.x.x -p 66 <- no longer uses 22 and instead uses 66

Then you can access it and all is fine. No need for any other change.

Mark this issue as solved.

Good luck friend

TheGoob
VIP

I think I have communicated my meaning wrong.

On the LOCAL LAN (Windows 192.168.5.3 and SSH Server 192.169.5.43) I can SSH into the Server on Port 66. This tells me the Server is "open". But from the OUTSIDE I still can not, nor could I ever, SSH in on Port 66. You have seen both my ACL and NAT and they show all should work, and yet not.
I really am at a loss as to what to do next and I feel horrible for constantly coming back in response with a "not working" after all your help.

...

...

TheGoob
VIP

I will do this when I get back home within 30 minutes, but being that Windows (192.168.5.3) and SSH Server (192.168.5.53) are on the same Subnet, wouldn't Routing Logic bypass even exiting the local Subnet and not even try to connect externally then back internally when both client and server are internal?

I'll try it regardless in case its results tell us something.

TheGoob
VIP

Well, I do not know what it means, but:

192.168.5.3 ssh 192.168.5.43 -p 66 works fine

192.168.5.3 ssh  x.x.x.182       -p 66 connection time out

Now our NAT is OK, no issue.

In the ACL we used the server IP instead of the outside IP; this must change.

You will ask why, what difference?

Cisco FW changes the traffic flow: in some versions the NAT is done before the ACL, and here we use the server IP.

In other versions the ACL is done before the NAT, and here the mapped IP ("outside IP") must be used.

TheGoob
VIP

I will be honest with you, I am sort of lost as to what you are saying... I am unsure what to change.

I am trying to look at this with an open mind but it is not making sense.

Ugh. I was so used to the ASA, it's crazy I can't get this!

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html


Please refer to this guide on how to configure Twice NAT.
Notice these two points in the guide:
1 - the rule must confirm that Twice NAT is preferred over Dynamic NAT
2 - the two-way ACL.

All your config is OK; there is still only one thing that may drop traffic.

For the ACL your last config is OK.
For NAT your config is OK, except

this line is before your PAT port 66,
so can you delete it and re-add it again?
When we do this we push it down below the PAT 66.

Then do the test again:

192.168.5.3 ssh  x.x.x.182 -p 66
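As an added illustration of the two points raised in the replies above (the ACL matching on the server's real IP rather than the mapped outside IP, and NAT rules being matched first-hit in order so an earlier rule can shadow the port-66 PAT), here is a small Python model of how an inbound connection is handled. It is not part of the thread and not Cisco code; in ASA 8.3+ and FTD the untranslate happens before the access rule lookup, so the rule must name the real address. All addresses are constructed placeholders (203.0.113.182 stands in for the thread's x.x.x.182), and the "shadowing" rule is a hypothetical example of a rule placed above the PAT.

```python
# Added example, not from the thread: models inbound destination untranslate
# (first matching NAT rule wins) followed by the access-rule lookup, and shows
# why the ACL must name the real server IP on ASA 8.3+/FTD.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class NatRule:
    mapped_ip: str
    mapped_port: Optional[int]   # None = all ports (plain 1:1 static NAT)
    real_ip: str
    real_port: Optional[int]     # None = keep the original destination port

@dataclass
class AclEntry:
    dst_ip: str
    dst_port: int
    action: str                  # "permit" or "deny"

def untranslate(rules: List[NatRule], dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Inbound untranslate: the first rule whose mapped address/port matches wins."""
    for r in rules:
        if r.mapped_ip == dst_ip and r.mapped_port in (None, dst_port):
            return r.real_ip, (dst_port if r.real_port is None else r.real_port)
    return dst_ip, dst_port      # no translation applies

def acl_lookup(acl: List[AclEntry], ip: str, port: int) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for e in acl:
        if e.dst_ip == ip and e.dst_port == port:
            return e.action == "permit"
    return False

def inbound_allowed(rules, acl, dst_ip, dst_port, nat_before_acl=True):
    """Returns (permitted, (real_ip, real_port)) for a packet arriving on outside."""
    real_ip, real_port = untranslate(rules, dst_ip, dst_port)
    if nat_before_acl:           # ASA 8.3+ / FTD: the rule sees the real address
        return acl_lookup(acl, real_ip, real_port), (real_ip, real_port)
    return acl_lookup(acl, dst_ip, dst_port), (real_ip, real_port)  # legacy order

# Constructed placeholders for the thread's x.x.x.182 and 192.168.5.43 port-66 PAT.
WAN = "203.0.113.182"
SRV = "192.168.5.43"
PAT66 = NatRule(WAN, 66, SRV, 66)
ACL_REAL = [AclEntry(SRV, 66, "permit")]     # what the helper says to use
ACL_MAPPED = [AclEntry(WAN, 66, "permit")]   # matches only in the legacy order
SHADOW = NatRule(WAN, None, "192.168.5.55", None)  # hypothetical rule above the PAT

if __name__ == "__main__":
    print(inbound_allowed([PAT66], ACL_REAL, WAN, 66))
    print(inbound_allowed([SHADOW, PAT66], ACL_REAL, WAN, 66))
```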

TheGoob
VIP

My friend... It does not work. Everything you say makes sense.. But this just is not working.


Like I mentioned before...

FPR1010 (WAN) x.x.x.182

FPR1010 (LAN/INSIDE) 192.168.1.0

route 192.168.5.0 192.168.1.2


SG500X

GE/1/1 192.168.1.2

vlan1 192.168.5.0

   192.168.5.1-192.168.5.64


Server is 192.168.5.43.

Something is not letting it through... SG has no configuration aside from static route 0.0.0.0 0.0.0.0 192.168.1.2 for the 192.168.5.0 vlan.


My Internet is a block of 8 static IPs, 6 usable. FPR uses the .182.

I have a x.x.x.180 on a Machine that is 192.168.5.55, which has NAT x.x.x.180 192.168.5.55 and an ACL for Port 67 ssh, and from OUTSIDE I can connect.... For some reason my static 1 to 1 NAT is working, but when I try to add an ACL or NAT from an inside host to the WAN IP (.182) it won't do it.


For fun, I made 192.168.5.43 a 1 to 1 NAT to x.x.x.177 and opened port 66: WORKS FINE. It HAS to do with the FPR WAN IP or the 192.168.1.0 talking to the 192.168.5.0 or whatever, I do not know.


For now I am kind of over it.. I will just ssh to my .180 (192.168.5.55) then ssh again to the 192.168.5.43 and it works. Ghetto like.

In the SG, 0.0.0.0 0.0.0.0 192.168.1.2 <- is this next-hop the Inside_2 interface IP?

TheGoob
VIP

No.

inside_2,3,4,5,6,7 are all part of the same vlan, 192.168.1.0, but I made GE1/1 on the SG 192.168.1.2 so 192.169.5.0 (SG vlan 1) had a route to the Internet.
