08-03-2024 03:32 AM
Hi Team,
I have a host on the LAN that is trying to build an IPsec VPN with a remote site.
I am using dynamic PAT for all traffic.
I believe it should work.
But interestingly, I see all traffic getting NATed except UDP 500.
Any idea why? Ideally I want UDP 500 and 4500 to be NATed as well.
Packet Tracer for a random UDP port (400) shows NAT happening, but port 500 does not.
> show conn | include 172.18.6.
UDP Guest 172.18.6.11:500 outside 54.226.109.1:500, idle 0:00:08, bytes 899668, flags - N1
Example: NOT triggering any NAT
> packet-tracer input Guest udp 172.18.6.11 500 54.226.109.1 500 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 34140 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273705388, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
Found flow with id 511784475, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Phase: 3
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 9104 ns
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow
Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 51779 ns
>
#################
NAT seems to be working on random UDP ports other than 500
> packet-tracer input Guest udp 172.18.6.11 400 54.226.109.1 400 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 19915 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273715225, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 23898 ns
Config:
Additional Information:
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6828 ns
Config:
access-group ACL_ global
access-list ACL_ advanced permit ip any any rule-id 268459024
access-list ACL_ remark rule-id 268459024: ACCESS POLICY: Guest - Mandatory
access-list ACL_ remark rule-id 268459024: L7 RULE: Block_Torrent
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffc069ea80, priority=12, domain=permit, deny=false
hits=66398194, user_data=0x55877bb780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffe06465f0, priority=7, domain=conn-set, deny=false
hits=424743281, user_data=0xffe063d220, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Dynamic translate 172.18.6.11/400 to 50.225.18.158/58959
Forward Flow based lookup yields rule:
in id=0xffe423ee70, priority=6, domain=nat, deny=false
hits=3781633, user_data=0x559fb853b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356137, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb821cb40, priority=0, domain=inspect-ip-options, deny=true
hits=432490956, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 35278 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffe423fb60, priority=6, domain=nat-reverse, deny=false
hits=1718262, user_data=0x559e514bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 38692 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356139, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1138 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffc441f5b0, priority=0, domain=inspect-ip-options, deny=true
hits=584189667, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 38123 ns
Config:
Additional Information:
New flow created with id 512380988, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 9673 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 137129 ns
Config:
Additional Information:
Snort Trace:
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 61, icmpCode 13
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 138, icmpCode 109
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 42, icmpCode 38
Packet: UDP
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 7 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268459024, pending AppID
Snort id 3, NAP id 2, IPS id 0, Verdict PASS, Blocked by SSL
Snort Verdict: (pass-packet) allow this packet
Phase: 14
Type: ECMP load balancing
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
ECMP load balancing
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)
Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3414 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 50.225.18.1 on interface outside
Adjacency :Active
MAC address e85c.0a7d.5084 hits 2663213 reference 383
Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 349935 ns
08-03-2024 03:43 AM
I think these ports are reserved for IPsec,
so you need static NAT (port forward), not dynamic NAT.
MHM
08-22-2024 11:17 PM
This is not correct. Site-to-site VPN can work with PAT. Static NAT is not needed.
I have a working setup now. The actual problem was not at the FTD but at the SRX sitting behind the FTD with a private IP, which had a config issue.
Here is my working PAT config, in case it helps someone.
nat (Guest,carrier-outside) source dynamic IPv4-Private-ObjectGroupA interface
08-03-2024 04:38 AM - edited 08-03-2024 04:39 AM
nat (Guest,outside) source dynamic Guest_Subnet interface
I don't want to create a static NAT, as I don't have any public IP other than the WAN interface's public IP.
That's what I have.
08-03-2024 04:45 AM
Add a new NAT:
nat (Guest,outside) source static interface <object service>
In the object service, list both the 500 and 4500 services.
Make sure this new NAT is at the top of the NAT list.
MHM
08-03-2024 04:57 AM
But why are all other ports being NATed with my existing NAT statement, and only 500 and 4500 are not?
08-03-2024 05:01 AM
These ports are reserved and cannot be used for dynamic NAT.
MHM
08-03-2024 02:19 PM
What is the problem with random UDP ports? Typically IKE 500 and 4500 are reserved to the box for IPsec.
The source port for IKE traffic can be any UDP port; only the destination needs to be 500/4500.
Are you having an issue with an outbound IPsec connection using a non-500/4500 source port?
Please elaborate: what client or device are you using behind the firewall that is having issues?
08-03-2024 08:40 PM
You are correct.
First let me clarify. There was an existing connection in show conn | include IP.
That is why packet-tracer was not showing correct information and was going to the fast path.
After clearing the conn entry, I can see it is now doing proper NAT in packet-tracer. (So packet-tracer is working fine. We can forget about it.)
The actual issue is: "I have an SRX router with a private IP in my LAN behind a Cisco FTD and want to build a VPN with a remote Palo Alto."
SRX (private IP) --> FTD (public ISP IP) --> Internet --> Remote Palo Alto
I am trying to build an IPsec VPN between the SRX and the PA.
But it is stuck in phase 1, and when I do show conn it doesn't show NAT happening. So I was wondering if it is a NAT issue. But a packet capture shows correct NAT happening, while show conn does not show the NAT IP.
> show conn | include 172.18.6.11
UDP Guest 172.18.6.11:500 outside 54.226.109.1:500, idle 0:00:05, bytes 2189796, flags - N1
08-03-2024 09:27 PM
show conn will not show NAT.
You have to either do show local-host or show xlate:
show local-host <local ip address of srx>
I would suggest taking packet captures on both the inside and outside of the FTD.
Put the source IP of the SRX (private IP address) and the Palo as the destination,
on both inside and outside; that will show you the NATed IP address.
Also run pre-filter, as the FTD does not need to send this to Snort (more issues and wasted resources).
Also run debugs on the Palo and SRX to see why they are failing.
08-03-2024 09:17 PM
I think I have found the problem.
NAT is working fine as per packet-tracer after clearing the connection in the FTD.
Why the SRX is not able to build the VPN and is not showing NAT in the show conn command is probably due to the misconfig below.
The SRX has this config:
set security ike gateway gw-vpn-xxxx no-nat-traversal
I have asked the requester (SRX owner) to remove it to enable NAT traversal on the SRX and try to establish the VPN again.
08-03-2024 11:04 PM - edited 08-03-2024 11:36 PM
The SRX must enable NAT-T, and in the FTD you need static NAT.
IPsec does not work with dynamic NAT.
""IPsec detects there is NAT but does not detect the random port""
MHM
08-04-2024 12:43 PM
There is no need for static NAT if the SRX is the initiator; only if the SRX is the responder does it need static NAT.
Hundreds of customers have IPsec endpoints behind PAT and they work fine as the initiator; only the headend (responder) would need static PAT/NAT.
08-22-2024 11:21 PM
Correct
08-22-2024 11:20 PM
IPsec worked with dynamic NAT. Static NAT was not needed.
NAT-T was needed on the SRX along with the local and remote identity commands.
Local identity as the external IP of the FTD (not the private IP of the SRX)
Remote identity as the remote VPN peer
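The thread's resolution (NAT-T had to be enabled on the SRX, the initiator, while the FTD kept plain dynamic PAT and no static NAT was needed) comes down to how IKE detects a NAT in the path. The following is an added illustration written for this page; it is not code from the thread, from Cisco, Juniper or Palo Alto. It implements the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP check from RFC 7296 section 2.23 and replays it over the thread's own topology: the initiator hashes its private address 172.18.6.11:500, the FTD's dynamic PAT rewrites that to 50.225.18.158:58959 (the translation shown in the packet-tracer output), and the responder at 54.226.109.1 recomputes the hash over what it actually saw. The IKE SPIs are made up, and the IKE identity handling the final post mentions (local identity set to the FTD's public IP) is not modelled.

```python
"""NAT-T detection as an IKEv2 responder performs it (RFC 7296 section 2.23).

Added illustration, not code from the thread or from any vendor. The addresses
and the PAT translation 172.18.6.11:500 -> 50.225.18.158:58959 are taken from
the thread's packet-tracer output; the SPI values are constructed for the demo.
"""
import hashlib
import ipaddress
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.1: separates IKE from ESP on UDP/4500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP notify data: SHA-1(SPIi | SPIr | IP | Port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def initiator_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port, nat_t_enabled):
    """Notify payloads the initiator puts in IKE_SA_INIT, hashed over the
    addresses *it* knows (its private IP). With NAT-T disabled, as the SRX's
    'no-nat-traversal' did, no NAT_DETECTION payloads are sent at all."""
    if not nat_t_enabled:
        return None
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }


def responder_check(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, my_ip, my_port):
    """The responder recomputes both hashes over the addresses observed on the
    wire (post-PAT). SOURCE mismatch: initiator is behind a NAT. DESTINATION
    mismatch: the responder itself is behind a NAT."""
    if notifies is None:
        return {"nat_t": False, "initiator_behind_nat": None, "responder_behind_nat": None}
    src_ok = nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port) == notifies["NAT_DETECTION_SOURCE_IP"]
    dst_ok = nat_detection_hash(spi_i, spi_r, my_ip, my_port) == notifies["NAT_DETECTION_DESTINATION_IP"]
    return {"nat_t": True, "initiator_behind_nat": not src_ok, "responder_behind_nat": not dst_ok}


def data_plane(check):
    """Port and ESP encapsulation both sides use once a NAT is (or is not) detected.
    Only with NAT-T does the exchange float to UDP/4500 and carry ESP inside UDP,
    which is what a port-based PAT like the FTD's can translate; raw IP protocol 50
    has no ports for PAT to key on."""
    if check["nat_t"] and (check["initiator_behind_nat"] or check["responder_behind_nat"]):
        return {"udp_port": NAT_T_PORT, "esp": "UDP-encapsulated (RFC 3948)"}
    return {"udp_port": 500, "esp": "raw IP protocol 50"}


def simulate(nat_t_enabled: bool) -> dict:
    """Thread topology: SRX 172.18.6.11 -> FTD dynamic PAT -> 54.226.109.1 (responder)."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed
    spi_r = bytes(8)  # SPIr is zero in the IKE_SA_INIT request; both sides hash it that way
    notifies = initiator_notifies(spi_i, spi_r, "172.18.6.11", 500, "54.226.109.1", 500, nat_t_enabled)
    # FTD rewrote the source to its interface address and an ephemeral port (from packet-tracer)
    check = responder_check(spi_i, spi_r, notifies, "50.225.18.158", 58959, "54.226.109.1", 500)
    return {**check, **data_plane(check)}


if __name__ == "__main__":
    print("NAT-T enabled on SRX :", simulate(True))
    print("no-nat-traversal     :", simulate(False))
```

With NAT-T on, the responder's recomputed source hash differs from the one the SRX sent, so it learns the initiator is behind a NAT and the session floats to UDP/4500, where the FTD simply allocates another PAT translation; the responder's own public address hashes consistently, which is why the headend side needs no NAT while the initiator side works fine behind PAT. With `no-nat-traversal` nothing is sent to compare, the NAT goes undetected, and ESP would be emitted as raw protocol 50 behind a port-based PAT.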