FTD NAT Issue on UDP port 500

ahmad82pkn
Level 3

Hi Team.

I have a host on the LAN that is trying to build an IPsec VPN with a remote site.
I am using Dynamic PAT for all traffic.

I believe it should work.

But interestingly, I see all traffic getting NATed, but not UDP 500.

Any idea why? Ideally I want UDP 500 and 4500 to NAT as well.

Packet tracer for a random UDP port, 400, shows NAT happening, but port 500 does not.

> show conn | include 172.18.6.
UDP Guest 172.18.6.11:500 outside 54.226.109.1:500, idle 0:00:08, bytes 899668, flags - N1


Example NOT triggering any NAT

> packet-tracer input Guest udp 172.18.6.11 500 54.226.109.1 500 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 34140 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273705388, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
Found flow with id 511784475, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Phase: 3
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 9104 ns
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 51779 ns

>

#################
NAT seems to be working on random UDP ports other than 500

> packet-tracer input Guest udp 172.18.6.11 400 54.226.109.1 400 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 19915 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273715225, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 23898 ns
Config:
Additional Information:
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6828 ns
Config:
access-group ACL_ global
access-list ACL_ advanced permit ip any any rule-id 268459024
access-list ACL_ remark rule-id 268459024: ACCESS POLICY: Guest - Mandatory
access-list ACL_ remark rule-id 268459024: L7 RULE: Block_Torrent
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffc069ea80, priority=12, domain=permit, deny=false
hits=66398194, user_data=0x55877bb780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffe06465f0, priority=7, domain=conn-set, deny=false
hits=424743281, user_data=0xffe063d220, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Dynamic translate 172.18.6.11/400 to 50.225.18.158/58959
Forward Flow based lookup yields rule:
in id=0xffe423ee70, priority=6, domain=nat, deny=false
hits=3781633, user_data=0x559fb853b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356137, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb821cb40, priority=0, domain=inspect-ip-options, deny=true
hits=432490956, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 35278 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffe423fb60, priority=6, domain=nat-reverse, deny=false
hits=1718262, user_data=0x559e514bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 38692 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356139, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1138 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffc441f5b0, priority=0, domain=inspect-ip-options, deny=true
hits=584189667, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 38123 ns
Config:
Additional Information:
New flow created with id 512380988, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 9673 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 137129 ns
Config:
Additional Information:
Snort Trace:
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 61, icmpCode 13
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 138, icmpCode 109
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 42, icmpCode 38
Packet: UDP
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 7 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268459024, pending AppID
Snort id 3, NAP id 2, IPS id 0, Verdict PASS, Blocked by SSL
Snort Verdict: (pass-packet) allow this packet

Phase: 14
Type: ECMP load balancing
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
ECMP load balancing
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3414 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 50.225.18.1 on interface outside
Adjacency :Active
MAC address e85c.0a7d.5084 hits 2663213 reference 383

Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 349935 ns
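As an added diagnostic that is not part of the thread, a small Python parser for packet-tracer output that tells apart a trace which short-circuited on an existing connection (a FLOW-LOOKUP hit, so no NAT phase is printed at all) from one that actually reached the NAT phase and printed a translation. The two sample traces are constructed, abridged copies of the outputs in the post above; the "clear the conn and re-run" advice in the comment is mine, not the poster's.

```python
import re

# Constructed, abridged copies of the two packet-tracer outputs quoted above.
TRACE_UDP_500 = """\
Phase: 2
Type: FLOW-LOOKUP
Additional Information:
Found flow with id 511784475, using existing flow
Result:
Action: allow
"""
TRACE_UDP_400 = """\
Phase: 5
Type: NAT
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Dynamic translate 172.18.6.11/400 to 50.225.18.158/58959
Phase: 11
Type: FLOW-CREATION
New flow created with id 512380988, packet dispatched to next module
"""

def parse_phases(trace):
    """Return [(phase_type, [lines])]; the trailing 'Result:' summary is dropped."""
    phases = []
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            phases.append(["", []])
        elif line.strip() == "Result:":
            break  # final summary block follows, not a phase
        elif phases:
            if line.startswith("Type:"):
                phases[-1][0] = line.split(":", 1)[1].strip()
            phases[-1][1].append(line)
    return [tuple(p) for p in phases]

def explain_nat(trace):
    """Say why a trace does or does not show a translation."""
    phases = parse_phases(trace)
    body = "\n".join(line for _, lines in phases for line in lines)
    hit = re.search(r"Dynamic translate (\S+) to (\S+)", body)
    if hit:
        return {"verdict": "translated", "real": hit.group(1), "mapped": hit.group(2)}
    flow = re.search(r"Found flow with id (\d+), using existing flow", body)
    if flow and "NAT" not in [t for t, _ in phases]:
        # FLOW-LOOKUP matched a live conn, so the NAT phase was skipped: the
        # trace cannot show whether the rule applies. Clear the conn and re-run.
        return {"verdict": "existing-flow", "flow_id": int(flow.group(1))}
    return {"verdict": "no-nat"}
```

The UDP 500 trace in the post is of the "existing-flow" kind: the `show conn` entry for 172.18.6.11:500 already existed, so packet-tracer reused it and never evaluated NAT.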



17 Replies

ccieexpert
Spotlight

Yes, most likely. NAT will work no matter what, but NAT traversal will not be used. So IKE negotiation will go through and

then IPsec ESP will try to get transmitted and FTD will drop it, as by default it doesn't allow IPsec pass-through. ASA has the command; FTD may have to do it with FlexConfig.

Regardless, yes, make sure NAT-traversal is enabled and run debugs on both sides and see where it fails.

Also, implement pre-filter on FTD for best performance.

Aina William
Level 1

It looks like the problem you're having is with UDP port 500 not being NATed. This can happen if NAT Traversal (NAT-T) is not being set off. IPsec data is usually wrapped in UDP 4500 by NAT-T so that it can get through NAT devices. Because you're using Dynamic PAT, UDP 500 is probably not being blocked by NAT. This is because it's often used for ISAKMP data, which may be handled differently because of security rules. To fix this, make sure that NAT-T is turned on in your VPN settings. This will wrap the traffic in UDP 4500 and let it be NATed properly. Also, make sure that your firewall rules and NAT settings clearly allow NAT for both UDP 500 and 4500.

ahmad82pkn
Level 3

The issue is resolved after enabling NAT-T on the SRX and updating the local identity and remote identity:
local identity: egress public IP of FTD

remote identity: public IP of remote peer

Also, the SRX egress interface had the IKE system service enabled on the untrust zone, but at the interface level it didn't have IKE enabled, which overrides the IKE setting enabled at the untrust zone level.

Adding ike at the interface level was the last nail that fixed the issue, along with the above changes.

security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ike;
                    dhcp;
                    tftp;
                    https;
                }
            }
        }
    }
}
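The zone-versus-interface precedence described in the reply above, as an added example that is not part of the thread: a small parser for brace-style Junos config plus a function that computes which system-services an interface actually accepts. The BEFORE snippet is a constructed reconstruction of the state the reply describes (ike at zone level only, dhcp/tftp/https on the interface); the override rule encoded in effective_services is the standard Junos behaviour the reply relies on.

```python
import re

# Constructed Junos-style snippet modelling the "before" state described above:
# ike allowed at zone level, but the interface has its own host-inbound-traffic
# block listing dhcp/tftp/https only.
BEFORE = """
security-zone untrust {
    screen untrust-screen;
    host-inbound-traffic { system-services { ike; } }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic { system-services { dhcp; tftp; https; } }
        }
    }
}
"""

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts (leaf statements -> None)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)

    def block(i):
        node = {}
        while i < len(tokens):
            if tokens[i] == "}":
                return node, i + 1
            name, i = tokens[i], i + 1
            while tokens[i] not in ("{", ";"):  # multi-word statement names
                name, i = name + " " + tokens[i], i + 1
            if tokens[i] == "{":
                node[name], i = block(i + 1)
            else:
                node[name], i = None, i + 1
        return node, i

    return block(0)[0]

def effective_services(zone, ifname):
    """System-services accepted on ifname: an interface-level block replaces the
    zone-level one for that interface; without one the zone setting is inherited."""
    ifc = zone.get("interfaces", {}).get(ifname, {})
    source = ifc if "host-inbound-traffic" in ifc else zone
    return set(source.get("host-inbound-traffic", {}).get("system-services", {}))
```

Run against BEFORE, ge-0/0/0.0 accepts only dhcp/tftp/https even though the zone lists ike, which is exactly the symptom the reply hit; adding ike inside the interface block fixes it.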