FTD 1010 appliance

04-17-2020 08:57 PM
Hello, I am new to the Firepower Threat Defense products. I am trying to set up an external NAT that will forward ports to my internal network. I have tested the NAT rules on high ports such as inside-x.x.x.x:8000 <--> outside-x.x.x.x:8000 and it seems to work. I stood up a Python web server listening on port 8000 and was able to connect to it from an external source. If I change the inside port number to 22, 443, 80 and do the same NAT inside-x.x.x.x:22 <--> outside-x.x.x.x:8000 and change the access rule to allow those ports, it doesn't even see the port opened externally using NMAP. I have used different internal hosts for testing (Linux box, switch, router); all exhibit the same behavior. I am trying to find a good way to view the logs while I connect. The syslog data shows allow, but I am wondering if it's possibly Snort that is blocking the connection somehow. Any help would be appreciated.
I am using the following model with the listed code:
Model: Cisco Firepower 1010 Threat Defense (78) Version 6.6.0 (Build 90)
04-18-2020 02:53 AM
How is your Access Control Policy (ACP) configured?
In the ACP you need to use the real port (22) rather than the mapped (8000).
Please provide a screenshot of the relevant ACP and NAT rules.
HTH
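The reply above makes one concrete point: a static NAT on FTD translates the destination before the Access Control Policy is evaluated, so the allow rule must name the real (inside) port, not the mapped (outside) one. The following is an added example, not part of this thread or of any Cisco tooling: a small consistency check that takes a list of NAT rules and ACP rules (constructed, using RFC 5737 documentation addresses) and flags every NAT rule whose only matching allow rule is written for the mapped port. The data classes and the rule shapes are assumptions for illustration; real FTD rules carry more fields.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """Static NAT: outside mapped_ip:mapped_port -> inside real_ip:real_port."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AcpRule:
    """Simplified Access Control Policy rule; dst_ip may be 'any'."""
    action: str  # "allow" or "block"
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _allows(acp: AcpRule, ip: str, port: int, proto: str) -> bool:
    return (acp.action == "allow" and acp.proto == proto
            and acp.dst_port == port and acp.dst_ip in ("any", ip))


def check_acp_against_nat(nat_rules, acp_rules):
    """Return (mapped, real, status) per NAT rule. The ACP is matched against
    the REAL destination because FTD applies destination NAT first; a rule
    that only allows the mapped port is reported as 'acp-uses-mapped-port'."""
    findings = []
    for nat in nat_rules:
        real_ok = any(_allows(a, nat.real_ip, nat.real_port, nat.proto) for a in acp_rules)
        mapped_only = any(_allows(a, ip, nat.mapped_port, nat.proto)
                          for a in acp_rules for ip in (nat.real_ip, nat.mapped_ip))
        status = "ok" if real_ok else ("acp-uses-mapped-port" if mapped_only else "no-allow-rule")
        findings.append((f"{nat.mapped_ip}:{nat.mapped_port}",
                         f"{nat.real_ip}:{nat.real_port}", status))
    return findings


# Constructed sample mirroring the thread: 8000->8000 works, 8000->22 does not
# when the ACP was written for 8000, and 7722->8023 works with an ACP rule for 8023.
NAT_RULES = [
    NatRule("10.0.0.5", 8000, "203.0.113.10", 8000),
    NatRule("10.0.0.6", 22, "203.0.113.11", 8000),
    NatRule("10.0.0.7", 8023, "203.0.113.10", 7722),
]
ACP_RULES = [
    AcpRule("allow", "10.0.0.5", 8000),
    AcpRule("allow", "10.0.0.6", 8000),  # wrong: names the mapped port, not 22
    AcpRule("allow", "10.0.0.7", 8023),
]

if __name__ == "__main__":
    for mapped, real, status in check_acp_against_nat(NAT_RULES, ACP_RULES):
        print(f"{mapped} -> {real}: {status}")
```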
04-18-2020 11:12 AM
Here are the NAT rules.
The external NAT for 7722 going to the internal port of 8023 works.
Here are the ACLs.
Here are the internal ports opened on the test box:
PORT STATE SERVICE
8023/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
nmap x.x.x.x -p 22
Starting Nmap 7.50 ( https://nmap.org ) at 2020-04-18 10:51 MST
Host is up (0.75s latency).
PORT STATE SERVICE
22/tcp open ssh
When testing if ports are opened from the outside:
04-25-2020 11:35 AM
Were you able to review the ACP?
