02-15-2020 02:41 PM - edited 02-21-2020 09:55 AM
I have an FTD2130 HA pair running firmware 6.4.0.1.
I have some public facing servers configured with 1to1 static NAT rules on the FTD and associated Access Control Security Policy rules, for example:
However when I do a quick NMAP port scan from Internet against IP 1.2.3.4, I see more ports (such as 80, 443, 25 etc.) than just 22/SSH I allowed...
If I changed the access control policy rule to specific host 4.5.6.7 as the source without changing the NAT rule, the scan result is the same, showing port 22/SSH besides others... This specified source host IP is not the scanner IP... Does it mean specified source IP filtering does not even work in the Access policy rule?
If I kept the change on the access policy rule and changed the 1to1 NAT rule to add port 22 as the original source port and translated destination port, the scan shows the server unreachable... This might be the FTD blocking the frequent scans...
So is this expected behaviour for FTD 1to1 NAT OR I configured the Access Policy and/or NAT rule incorrectly? Trying to answer the discoveries from an auditor...
02-15-2020 07:19 PM - edited 02-15-2020 07:26 PM
Without seeing your list of Access Control Policy (ACP) entries it's impossible to say if your configuration is correct or not. You can always check your rule logic from the CLI with the packet-tracer command. For example:
packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 22
That will show the results for incoming traffic on tcp/22 (ssh). Then try it again for one of the other ports like 80.
You should never set the source and destination port to 22 as that's not generally how tcp connections work. When a client initiates a connection the source port is something in the ephemeral range (>1024 to 65535).
I can say that FTD definitely doesn't allow traffic through if your policy is set to block it. Order of policy entries is important though as is your default policy (in the bottom right of the ACP page).
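To make the two points in the reply above concrete (first-match rule order plus the default action decide the verdict, and a real client never sources a connection from port 22), here is a small first-match evaluator written as an added example. It is not Cisco code and not the FTD's actual packet-tracer; it ignores NAT, zones and inspection entirely, and the addresses 1.2.3.4, 4.5.6.7 and 8.8.8.8 are the placeholder values already used in this thread.

```python
"""Toy first-match evaluator for an access-control policy (ACP).

Constructed example: a deliberately simplified model of how an ordered rule
list with a default action is consulted for a single 5-tuple, in the spirit of
the packet-tracer check described in the thread. Not Cisco code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

EPHEMERAL_MIN = 1025  # client source ports normally fall in >1024..65535


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "block"
    src: str = "0.0.0.0/0"        # source network (CIDR or single host)
    dst: str = "0.0.0.0/0"        # destination network
    proto: str = "tcp"
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default_action: str = "block"  # the ACP default action (bottom of the page)


def _matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    # Source port is intentionally not a match criterion: it is ephemeral.
    return (rule.proto == proto
            and ip_address(src_ip) in ip_network(rule.src, strict=False)
            and ip_address(dst_ip) in ip_network(rule.dst, strict=False)
            and (rule.dport is None or rule.dport == dst_port))


def trace(policy: Policy, proto: str, src_ip: str, src_port: int,
          dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for one flow, like a simplified packet-tracer.

    Rules are evaluated top to bottom; the first match wins. If nothing
    matches, the policy's default action applies.
    """
    if not EPHEMERAL_MIN <= src_port <= 65535:
        # A scan or a client using a well-known source port is unusual; flag it
        # rather than silently evaluating, since the thread's NAT experiment
        # pinned the source port to 22.
        return ("block", f"non-ephemeral source port {src_port}")
    for rule in policy.rules:
        if _matches(rule, proto, src_ip, dst_ip, dst_port):
            return (rule.action, rule.name)
    return (policy.default_action, "default action")


def reachable_ports(policy: Policy, scanner_ip: str, target_ip: str, ports) -> set:
    """Ports a scanner at scanner_ip would be permitted to reach on target_ip.

    Useful as a defender's sanity check: compare this set with what an
    external scan actually reports; any extra open port is something the
    policy under review does not explain (NAT, another rule set, etc.).
    """
    return {p for p in ports
            if trace(policy, "tcp", scanner_ip, 40000, target_ip, p)[0] == "allow"}


# Constructed policies mirroring the thread's experiments.
SCANNED = {22, 25, 80, 443}

# 1) Allow SSH from anywhere to the public server, everything else blocked.
POLICY_ANY_SRC = Policy(rules=(
    Rule("allow-ssh", "allow", dst="1.2.3.4/32", dport=22),
))

# 2) Same, but the source is restricted to a single admin host.
POLICY_ONE_SRC = Policy(rules=(
    Rule("allow-ssh-admin", "allow", src="4.5.6.7/32", dst="1.2.3.4/32", dport=22),
))

# 3) Rule-order mistake: a broad allow sits above the specific SSH rule.
POLICY_BAD_ORDER = Policy(rules=(
    Rule("allow-any-to-server", "allow", dst="1.2.3.4/32"),
    Rule("allow-ssh", "allow", dst="1.2.3.4/32", dport=22),
))

if __name__ == "__main__":
    print(trace(POLICY_ANY_SRC, "tcp", "8.8.8.8", 1025, "1.2.3.4", 22))
    print(trace(POLICY_ANY_SRC, "tcp", "8.8.8.8", 1025, "1.2.3.4", 80))
    for name, pol in [("any-src", POLICY_ANY_SRC), ("one-src", POLICY_ONE_SRC),
                      ("bad-order", POLICY_BAD_ORDER)]:
        print(name, sorted(reachable_ports(pol, "8.8.8.8", "1.2.3.4", SCANNED)))
```

Running the script shows the intended policy exposing only 22 to an Internet scanner, the source-restricted policy exposing nothing to a scanner that is not 4.5.6.7, and the mis-ordered policy exposing every scanned port even though the SSH-only rule is still present. If a live scan disagrees with the model of the policy you believe is in force, the discrepancy is the thing to chase with packet-tracer.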
02-16-2020 04:42 AM
Thanks! I should clarify that the NAT rule is bidirectional and is set with the source as the server private IP, translated to the public IP when sending outbound to the Internet... I updated my post as well.
Maybe that's the "issue" and I should really configure the NAT rule in the Internet inbound direction. But even so, I am still puzzled that the port scan reveals other ports besides 22...