Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1192
Views
0
Helpful
2
Replies

FTD 1to1 static NAT related question

SIMMN
Spotlight
Spotlight

‎02-15-2020 02:41 PM - edited ‎02-21-2020 09:55 AM

I have a FTD2130 HA pair running firmware 6.4.0.1.

 

I have some public facing servers configured with 1to1 static NAT rules on the FTD and associated Access Control Security Policy rules, for example:

  • Source Server#1 192.168.100.100, destination ANY <-Bi-Directional NAT-> Source Public IP 1.2.3.4, destination original ANY
  • Allow US Public IP addresses access Server#1 on port 22/SSH from Internet.
  • The Default Action for the Access Control Policy is set to "Access Control: Block All Traffic".

However when I do a quick NMAP port scan from Internet against IP 1.2.3.4, I see more ports (such as 80, 443, 25 etc.) than just 22/SSH I allowed...

 

If I changed the access control policy rule to specific host 4.5.6.7 as the source without changing the NAT rule, the scan result is the same as showing port 22/SSH beside others... This specified source host IP is not the scanner IP... Does it mean specified source IP filtering does not even work in the Access policy rule?

 

If I kept the change on the access policy rule and change the 1to1 NAT rule to add the port 22 as the original source port and translated destination port, the scan shows server unreachable...This might be the FTD blocks the frequent scans...

 

So is this expected behaviour for FTD 1to1 NAT OR I configured the Access Policy and/or NAT rule incorrectly? Trying to answer the discoveries from an auditor...

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-15-2020 07:19 PM - edited ‎02-15-2020 07:26 PM

Without seeing your list of Access Control Policy (ACP) entries it's impossible to say if your configuration is correct or not. You can always check your rule logic from the cli with the packet-tracer command. For example:

packet-tracer input outside tcp 8.8.8.8 1025 1.2.3.4 22

That will show the results for incoming traffic on tcp/22 (ssh). Then try it again for one of the other ports like 80.

You should never set the source and destination port to 22 as that's not generally how tcp connections work. When a client initiates a connection the source port is something in the ephemeral range (>1024 to 65535).

I can say that FTD definitely doesn't allow traffic through if your policy is set to block it. Order of policy entries is important though as is your default policy (in the bottom right of the ACP page). 

0 Helpful

SIMMN
Spotlight
Spotlight
In response to Marvin Rhoads

‎02-16-2020 04:42 AM

Thanks! I should clarify that NAT rule is bidirectional and is set with source as the server private IP and translated to Public IP when sending outbound to Internet...I updated in my post as well.

maybe that’s the “issue” and I should really configure the NAT rule as Internet inbound direction. But even so, I am still puzzled when port scan reveals other ports besides 22...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card