FTDv not natting inbound traffic in Azure

Monadnock (Level 1)

Hi all, I have an FTDv in Azure and traffic going towards the public IP is not being natted towards an internal server. I see the traffic hit it in the packet capture but no nat rules are applying and it is not being forwarded inside because of that:

Monadnock_0-1709049141147.png

The rule is :

nat (outside,inside) source static any interface destination static interface 10.1.1.1 service SVC_622771026011 SVC_622771026011 no-proxy-arp

The rule is getting 0 hits. In the packet capture with a trace, it is not hitting any nats. The FTD has a route to 10.1.1.1 and it is allowed in the ACP.

thoughts?

17 Replies

You need to make your NAT from inside to outside.

Also, you don't need to NAT the public IP of the client that wants to access the server inside; all you need is to NAT the server's private IP on the inside to the public IP on the outside (interface IP).

MHM

MHM Cisco World, you respond to all of my posts and you are often wrong. Respectfully, if you are not confident in the solution, please stop replying.

The NAT cannot be inside->outside because this server is to be accessible from the internet - I am not trying to give internet egress connectivity to the server. 

No, I respect your opinion; sometimes it hits, sometimes it doesn't, but here we share ideas. You can take it or not, it depends on your view of the solution.

Anyway, if you are familiar with NAT you must know that static NAT is bidirectional and it can be used for a client trying to access a server inside.

Sure, you need to use the L4 port.

This link has more detail about NAT for accessing a server; maybe you need to refresh your info:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html

*****Also don't forget to add an ACL allowing access to the server from outside to its private IP.

MHM

Yes, I do know that static is bidirectional, which is why your suggestion to change it from outside -> inside to inside -> outside does not make sense. Anyway, just for a test I tried this and got the same result: the NAT is not being hit:

Monadnock_0-1709052950187.png


Under which category was this NAT added?

Auto NAT, or before, or after?

MHM

It is a before NAT 

Do a packet-tracer from outside to inside and check where the packet drops.

Two possibilities: either the traffic cannot be routed to the server, or it hits some other NAT (NAT order issue).

MHM

It's not hitting any NAT rules so it thinks to just route it back externally.


Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop [outside ip] using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

It can give a false result if you don't use packet-tracer correctly.

Can I see the packet-tracer you used?

MHM

Outside interface

Random source IP, Destination is my outside interface IP

TCP21 source and dest

The source is any port and the destination is TCP 21; in the end you want to access the FTP server inside, which uses that port.

Yes, that is obvious. Setting the source port shouldn't make any difference, and I can't select "any" in a packet-tracer, so I just copied the destination.

OK, meaning use any, i.e. use port 12345 (a random port).

For packet-tracer use:

Inside, from the server (real IP 10.x.x.x) to outside, any random IP, source port tcp21 and destination port 12345.

Share the packet-tracer.

MHM
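As an added diagnostic helper, not code from this thread or from Cisco, the block below does two things discussed above: it assembles the two packet-tracer invocations (the client-side test ingressing on outside with a random client port toward the outside interface IP on TCP/21, and the server-side test MHM suggests ingressing on inside from the real server IP), and it parses the phase listing of a trace such as the one posted earlier to report whether any configured NAT rule matched, which phase dropped the packet, and whether the route lookup sent the destination to the identity interface. The practical point it encodes: a NAT phase with Subtype "per-session" is the default per-session xlate policy matching any/any, not a configured NAT rule, so a trace that shows only that phase means no twice/auto NAT rule was consulted. The addresses 198.51.100.7 and 203.0.113.10 and port 12345 are constructed placeholders; the sample trace is the earlier post's output reproduced as plain text (first phase trimmed) with the poster's "[outside ip]" placeholder kept.

```python
import re

# Constructed sample: the outside -> inside packet-tracer output posted earlier
# in this thread, reproduced as text with the CAPTURE phase trimmed. The
# "[outside ip]" placeholder is the poster's, not a real address.
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop [outside ip] using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
"""


def packet_tracer_commands(outside_ip, server_ip, client_ip="198.51.100.7",
                           client_port=12345, service_port=21):
    """Build the two packet-tracer invocations discussed in the thread.

    'inbound': ingress on outside, random client port, dst = outside IP, TCP/21.
    'outbound': ingress on inside, from the real server IP, back to the client.
    The client IP/port defaults are constructed placeholders.
    """
    return {
        "inbound": (f"packet-tracer input outside tcp {client_ip} {client_port} "
                    f"{outside_ip} {service_port} detailed"),
        "outbound": (f"packet-tracer input inside tcp {server_ip} {service_port} "
                     f"{client_ip} {client_port} detailed"),
    }


def parse_phases(text):
    """Split packet-tracer output into phases; free-form lines go under 'info'."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {"info": []}
        for line in block.splitlines():
            m = re.match(r"^(Phase|Type|Subtype|Result|Config):\s*(.*)$", line)
            if m:
                fields[m.group(1).lower()] = m.group(2).strip()
            elif line.strip() and line.strip() != "Additional Information:":
                fields["info"].append(line.strip())
        phases.append(fields)
    return phases


def diagnose(text):
    """Report whether a configured NAT rule matched, where the packet dropped,
    and whether the destination was routed to the identity interface."""
    phases = parse_phases(text)
    # A 'per-session' NAT phase is the default per-session xlate policy, not a
    # configured rule; a matching rule appears as a NAT or UN-NAT phase whose
    # subtype is not per-session, usually with the rule echoed on Config:.
    user_nat = [p for p in phases
                if p.get("type") in ("NAT", "UN-NAT") and p.get("subtype") != "per-session"]
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    to_identity = any("egress ifc identity" in line
                      for p in phases if p.get("type") == "ROUTE-LOOKUP"
                      for line in p["info"])
    return {
        "phases": len(phases),
        "user_nat_rule_hit": bool(user_nat),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "routed_to_identity": to_identity,
    }


if __name__ == "__main__":
    print(packet_tracer_commands("203.0.113.10", "10.1.1.1"))
    print(diagnose(SAMPLE_TRACE))
```

Run the printed commands from the FTD CLI and paste the output into `diagnose()`. On the sample, `user_nat_rule_hit` is false and `routed_to_identity` is true: the destination was treated as the firewall's own address because no destination translation happened before the route lookup, which is exactly the symptom described in this thread.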

Still the NAT is not hitting:

Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule: in id=0x14e5862aea60, priority=0, domain=nat-per-session, deny=false hits=21263050185, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any

Type: IP-OPTIONS

Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule: in id=0x14e5862aea60, priority=0, domain=nat-per-session, deny=false hits=21263050187, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any