FTD NAT Issue on UDP port 500

ahmad82pkn
Level 2

Hi Team.

I have a host on LAN that is trying to build IPSEC VPN with remote site.
I am using Dynamic PAT for all traffic.

I believe it should work.

But interestingly, I see all traffic getting NATed, but not UDP 500.

Any idea why? Ideally I want UDP 500 and 4500 to NAT as well.

Packet-tracer for a random UDP port (400) shows NAT happening, but port 500 does not.

> show conn | include 172.18.6.
UDP Guest 172.18.6.11:500 outside 54.226.109.1:500, idle 0:00:08, bytes 899668, flags - N1


Example NOT triggering any NAT:

> packet-tracer input Guest udp 172.18.6.11 500 54.226.109.1 500 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 34140 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273705388, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
Found flow with id 511784475, using existing flow
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Phase: 3
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 9104 ns
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 51779 ns

>

#################
NAT seems to be working on random UDP ports other than 500:

> packet-tracer input Guest udp 172.18.6.11 400 54.226.109.1 400 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 19915 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb8216890, priority=1, domain=permit, deny=false
hits=21273715225, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Guest, output_ifc=any

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 23898 ns
Config:
Additional Information:
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 6828 ns
Config:
access-group ACL_ global
access-list ACL_ advanced permit ip any any rule-id 268459024
access-list ACL_ remark rule-id 268459024: ACCESS POLICY: Guest - Mandatory
access-list ACL_ remark rule-id 268459024: L7 RULE: Block_Torrent
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffc069ea80, priority=12, domain=permit, deny=false
hits=66398194, user_data=0x55877bb780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffe06465f0, priority=7, domain=conn-set, deny=false
hits=424743281, user_data=0xffe063d220, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Dynamic translate 172.18.6.11/400 to 50.225.18.158/58959
Forward Flow based lookup yields rule:
in id=0xffe423ee70, priority=6, domain=nat, deny=false
hits=3781633, user_data=0x559fb853b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356137, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6828 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffb821cb40, priority=0, domain=inspect-ip-options, deny=true
hits=432490956, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 35278 ns
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffe423fb60, priority=6, domain=nat-reverse, deny=false
hits=1718262, user_data=0x559e514bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.18.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Guest(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 38692 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a30f7fa0, priority=0, domain=nat-per-session, deny=true
hits=423356139, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1138 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffc441f5b0, priority=0, domain=inspect-ip-options, deny=true
hits=584189667, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 38123 ns
Config:
Additional Information:
New flow created with id 512380988, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 9673 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 13
Type: SNORT
Subtype:
Result: ALLOW
Elapsed time: 137129 ns
Config:
Additional Information:
Snort Trace:
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 61, icmpCode 13
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 138, icmpCode 109
Firewall: starting AC rule matching, zone 9 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 42, icmpCode 38
Packet: UDP
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 7 -> 9, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268459024, pending AppID
Snort id 3, NAP id 2, IPS id 0, Verdict PASS, Blocked by SSL
Snort Verdict: (pass-packet) allow this packet

Phase: 14
Type: ECMP load balancing
Subtype:
Result: ALLOW
Elapsed time: 8535 ns
Config:
Additional Information:
ECMP load balancing
Found next-hop 50.225.18.1 using egress ifc outside(vrfid:0)

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3414 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 50.225.18.1 on interface outside
Adjacency :Active
MAC address e85c.0a7d.5084 hits 2663213 reference 383

Result:
input-interface: Guest(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 349935 ns
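The two traces above differ in a way that is easy to miss by eye: the port-500 run stops at FLOW-LOOKUP because a connection already existed, so the NAT phases never run. As an added check (example code written for this page, not from the thread or from Cisco), here is a small parser that reads packet-tracer output and reports whether the trace short-circuited on an existing conn and whether a NAT phase reported a translation. The two traces embedded in it are constructed, abbreviated versions of the ones posted above.

```python
import re

# Constructed, abbreviated packet-tracer output in the shape of the thread's
# two runs (not the page's full text), keeping only the lines that matter.
TRACE_EXISTING_FLOW = """\
Phase: 1
Type: ACCESS-LIST
Phase: 2
Type: FLOW-LOOKUP
Additional Information:
Found flow with id 511784475, using existing flow
"""

TRACE_FRESH_FLOW = """\
Phase: 1
Type: ACCESS-LIST
Phase: 5
Type: NAT
Config:
nat (Guest,outside) source dynamic Guest_Subnet interface
Additional Information:
Dynamic translate 172.18.6.11/400 to 50.225.18.158/58959
Phase: 11
Type: FLOW-CREATION
"""

# One match per phase: its Type line plus everything up to the next "Phase:".
PHASE_RE = re.compile(r"^Phase: \d+\nType: (?P<type>[^\n]*)\n(?P<body>.*?)(?=^Phase: |\Z)",
                      re.M | re.S)

def analyze_trace(trace):
    """Did the trace short-circuit on an existing conn (so the NAT phases never
    ran), and did a NAT phase report a translation? Returns facts plus a verdict."""
    existing, translation = False, None
    for m in PHASE_RE.finditer(trace):
        ptype, body = m.group("type").strip(), m.group("body")
        if ptype == "FLOW-LOOKUP" and "using existing flow" in body:
            existing = True
        if ptype == "NAT":
            t = re.search(r"Dynamic translate (\S+) to (\S+)", body)
            if t:
                translation = (t.group(1), t.group(2))
    if existing and translation is None:
        verdict = "matched an existing conn; NAT phases skipped, clear the conn and re-run"
    elif translation:
        verdict = "dynamic PAT applied: %s -> %s" % translation
    else:
        verdict = "no translation reported"
    return {"existing_flow": existing, "translation": translation, "verdict": verdict}
```

Run it on the real output of `packet-tracer ... detailed` pasted into a string; an existing-conn verdict means the result says nothing about NAT until the conn is cleared.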



13 Replies

I think these ports are reserved for IPsec.

So you need static NAT (port forward), not dynamic NAT.

MHM

ahmad82pkn
Level 2

nat (Guest,outside) source dynamic Guest_Subnet interface

I don't want to create a static NAT, as I don't have any public IP other than the WAN interface's public IP.

That's what I have.

Add a new NAT:

nat (Guest,outside) source static interface <object service>
In the object service, list both the 500 and 4500 services.

Make sure this new NAT is at the top of the NAT list.

MHM

But why are all the other ports NATing with my existing NAT statement, and not 500 and 4500?

These ports are reserved; they cannot be used for dynamic NAT.

MHM

ccieexpert
Level 4

What is the problem with random UDP ports? Typically IKE 500 and 4500 are reserved to the box for IPsec.

The source port for IKE traffic can be any UDP port; only the destination needs to be 500/4500.

Are you having an issue with an outbound IPsec connection using a non-500/4500 source port?

Please elaborate: what client or device are you using behind the firewall that is having issues?

You are correct.

First let me clarify. There was an existing connection in show conn | include IP.
That is why packet-tracer was not showing correct information and was going to the fast path.

After clearing the conn entry, I can see it is now doing proper NAT in packet-tracer. (So packet-tracer is working fine; we can forget about it.)

The actual issue is: "I have an SRX router with a private IP in my LAN behind a Cisco FTD and want to build a VPN with a remote Palo Alto."

SRX(private IP)-->FTD(Public ISP IP)--->Internet-->Remote Palo Alto

I am trying to build an IPsec VPN between the SRX and the PA.

But it is stuck in phase 1, and when I do show conn it doesn't show NAT happening, so I was wondering if it is a NAT issue. But packet capture shows correct NAT happening; show conn does not show the NAT IP.

> show conn | include 172.18.6.11
UDP Guest 172.18.6.11:500 outside 54.226.109.1:500, idle 0:00:05, bytes 2189796, flags - N1

show conn will not show NAT.

You have to do either show local-host or show xlate:

show local-host <local ip address of srx>

I would suggest taking packet captures on both the inside and outside of the FTD.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

Put the source IP of the SRX (private IP address) and the Palo as destination.

Do it on both inside and outside; that will show you the NATed IP address.

Also use a pre-filter, as FTD does not need to send this to Snort (more issues and wasted resources).

https://community.cisco.com/t5/security-blogs/pre-filter-policy-configuration-on-firepower-threat-defense/ba-p/4671187

Also run debugs on the Palo and the SRX to see why they are failing...

ahmad82pkn
Level 2

I think I have found the problem.

NAT is working fine as per packet-tracer after clearing the connection in FTD.

Why the SRX is not able to build the VPN and show conn is not showing NAT is probably due to the misconfiguration below.

The SRX has this config:

set security ike gateway gw-vpn-xxxx no-nat-traversal

I have asked the requester (SRX owner) to remove it to enable NAT traversal on the SRX and try to establish the VPN again.

The SRX must enable NAT-T, and in FTD you need static NAT.

IPsec does not work with dynamic NAT.

"IPsec detects there is NAT but does not detect a random port"

MHM

There is no need for static NAT if the SRX is the initiator... only if the SRX is the responder does it need static NAT.

Hundreds of customers have IPsec endpoints behind PAT and they work fine as the initiator... only the headend (responder) would need static PAT/NAT.

ccieexpert
Level 4

Yes, most likely... NAT will work no matter what, but NAT traversal will not be used, so IKE negotiation will go through and

then IPsec ESP will try to get transmitted and FTD will drop it, as by default it doesn't allow IPsec pass-through. ASA has the command; FTD may have to do it with FlexConfig.

Regardless, yes, make sure NAT traversal is on and run debugs on both sides and see where it fails...

Also, implement pre-filter on FTD for best performance.
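
As an added illustration of the NAT-T point made above (example code written for this page, not from the thread, Cisco, Juniper or Palo Alto): the IKEv2 NAT detection value from RFC 7296 section 2.23 is computed over the source address the SRX believes it has, and the responder recomputes it over the PAT'd address the packet actually arrived from; a mismatch is how the peers learn to switch ESP to UDP 4500. The SPIs are made-up values, the translated address and port are borrowed from the port-400 packet-tracer output earlier in the thread, and the assumption that ESP without NAT-T leaves as plain IP protocol 50 and is dropped by the FTD follows the reply's own statement.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i, spi_r, ip, port):
    """Value of an IKEv2 NAT_DETECTION_*_IP notify (RFC 7296 s.2.23):
    SHA-1(SPIi | SPIr | IP | port), with the port as a 16-bit big-endian int."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def responder_sees_nat(spi_i, spi_r, claimed, observed):
    """Responder-side check: hash the source IP:port the IKE_SA_INIT actually
    arrived from and compare with the initiator's NAT_DETECTION_SOURCE_IP.
    claimed/observed are (ip, port) tuples; a mismatch means a NAT rewrote them."""
    sent = nat_detection_hash(spi_i, spi_r, *claimed)
    seen = nat_detection_hash(spi_i, spi_r, *observed)
    return sent != seen

def esp_transport(nat_traversal_enabled, spi_i, spi_r, claimed, observed):
    """Which transport the initiator ends up using for ESP once IKE completes.
    With NAT-T off (the SRX's 'no-nat-traversal') the NAT_DETECTION payloads are
    never exchanged, so ESP goes out as plain IP protocol 50 even though the PAT
    device rewrote the IKE packets; per the thread, FTD drops that by default.
    With NAT-T on and a NAT detected, ESP is UDP-encapsulated to port 4500, which
    dynamic PAT can translate like any other UDP flow (assumption stated above)."""
    if nat_traversal_enabled and responder_sees_nat(spi_i, spi_r, claimed, observed):
        return ("udp", 4500)
    return ("esp", None)

# Constructed sample: the SRX's private address from the thread and a PAT result
# in the form the packet-tracer output shows (SPIs are made up).
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes(8)                      # responder SPI is zero in IKE_SA_INIT
PRIVATE = ("172.18.6.11", 500)        # what the SRX hashes into its payload
AFTER_PAT = ("50.225.18.158", 58959)  # what the Palo Alto actually sees

if __name__ == "__main__":
    print("NAT in path:", responder_sees_nat(SPI_I, SPI_R, PRIVATE, AFTER_PAT))
    print("no-nat-traversal:", esp_transport(False, SPI_I, SPI_R, PRIVATE, AFTER_PAT))
    print("nat-traversal:   ", esp_transport(True, SPI_I, SPI_R, PRIVATE, AFTER_PAT))
```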

Aina William
Level 1

It looks like the problem you're having is with UDP port 500 not being NATed. This can happen if NAT Traversal (NAT-T) is not being set off. IPsec data is usually wrapped in UDP 4500 by NAT-T so that it can get through NAT devices. Because you're using Dynamic PAT, UDP 500 is probably not being blocked by NAT. This is because it's often used for ISAKMP data, which may be handled differently because of security rules. To fix this, make sure that NAT-T is turned on in your VPN settings. This will wrap the traffic in UDP 4500 and let it be NATed properly. Also, make sure that your firewall rules and NAT settings clearly allow NAT for both UDP 500 and 4500.
