Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1177
Views
2
Helpful
7
Replies

FTD NAT

Go to solution
jebankshrcu
Level 1
Level 1

‎05-23-2024 03:59 PM

Hi Team,

So currently I have a FTD that I manage via FDM. Am trying to access an internal host from the outside via port 8888 but internally it should translate back to ssh (22). Screenshot is my nat rule. Not sure if am doing something wrong and what else am missing cause the rules I have it widely open to see if thats the issue but still nothing.

jebankshrcu_0-1716505051733.png

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to jebankshrcu

‎05-29-2024 04:02 AM

Sorry I make you waiting 
I was busy 

jebankshrcu_0-1716657233286x.png

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-23-2024 11:32 PM

what is the error you getting when you initiate the connection from outside IP address and port 8888 ?

does the webserver running service 22 ?  web server runs on generally 443 ? so what web server is this ?

i have tested in my Lab some time it works as expected for reference :

https://www.balajibandi.com/?p=1855

Debug - run on FDM or cli see if the packet reaching the outside interface or not first before it process NAT and inside ACL.

sometime the provider do not allow some incoming packets on odd ports.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-24-2024 06:13 AM

Try packet-tracer from the FTD cli and let us know what you get.

packet-tracer input outside tcp 1.1.1.1 1234 <outside interface address> 8888

https://community.cisco.com/t5/security-knowledge-base/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Also make sure there are no other rules or active connections using that same tcp port on the outside interface.

Go to solution
MHM Cisco World
VIP
VIP

‎05-24-2024 06:38 AM - edited ‎05-24-2024 06:38 AM

first change the rule from auto to NAT rules before
second make sure you allow real IP and Port 22 in ACP

MHM

0 Helpful

Go to solution
jebankshrcu
Level 1
Level 1
In response to MHM Cisco World

‎05-25-2024 10:14 AM

So changing it from auto you mean use manual nat like the image attached?

jebankshrcu_0-1716657233286.png

 



Go to solution
Marius Gunnerud
VIP
VIP

‎05-24-2024 03:47 PM

run a packet tracer from CLI, Verify that the access rules and NAT statements that are being hit are correct and that the action is allowed.  If that looks good set up a packet capture on the webportal interface and see if there is traffic being captured in both directions.  If you are only seeing traffic out towards the server but nothing in return, the the issue is either with the server itself or in the path between the firewall and the server.

If possible you can also run a tcpdump on the server in question and see if the SSH session is actually reaching the server.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
jebankshrcu
Level 1
Level 1

‎05-27-2024 02:14 PM

How can I do this nat rule on a Cisco FTD using the FDM rather than the FMC?

jebankshrcu_0-1716844464475.png

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to jebankshrcu

‎05-29-2024 04:02 AM

Sorry I make you waiting 
I was busy 

jebankshrcu_0-1716657233286x.png

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card