Hi @TheGoob,

There are 2 things to consider when deploying public services (of course, there are much more, but I'm simplifying) - one is NAT, and secodn one is ACL. NAT is simply stating if device is reachable over Internet or not, while ACL is the one defining which services will be accessible, and everything else should be blocked.

This is almost true, unless you haven't configured any ACLs on your FW. In that case, security level  gets in effect - it is always allowed to access security zone with lower level, if reaching it from a zone with higher security level. If you have defined your server zone with e.g. 20, while WAN zone with 30, it will always be possible to reach everything in server zone from WAN zone.

You should check your zone levels with "show nameif", and your ACL assignments with "show run access-group", to confirm that proper configuration is in place.

Kind regards,

Milos

First, I am running the FTD and will show screenshot in a minute but to the 2nd poster... PLEASE don't tell me I am an idiot and this is telling me what I think it is telling me; that all my levels are 0.

> show nameif
Interface     Name     Security
Ethernet1/1     outside       0
Ethernet1/2     inside_2     0
Ethernet1/3     inside_3     0
Ethernet1/4     inside_4     0
Ethernet1/5     inside_5     0
Ethernet1/6     inside_6     0
Ethernet1/7     inside_7     0
Ethernet1/8     inside_8     0
Management1/1     diagnostic    0
BVI1 inside 0

and ;

> show running-config access-group
access-group NGFW_ONBOX_ACL global

Hopefully these are viewable...On THIS, as seen in the ACL only SSH is open, and yet I can connect to http://x.x.x.181:80 and it loads. IP's are different than original post as I have THAT one disabled, but this does the same thing; lets every port in.

My NAT is literally inside 192.168.5.43 to outside x.x.x.181

My ACL is only allowing in SSH Port 177 from outside (x.x.x.181) to inside (192.168.5.43)

Well at this stage I will definitely say it is something I am doing wrong. I did indeed change default rule to BLOCK and then removed Source Port and it definitely stopped anything from getting into the server but now I can not SSH in.  Does NAT placement as well as auto/manual possibly have a hand in this? If I am doing direct nat from a WAN IP to a LAN IP would that be manual, above inside_2, as I have it?

I don't know why but I feel that, in my situation, BLOCK default rule is overruling everything!

Alright, got it to work as we intended. Earlier this morning after changing what we talked about I ignorantly did LAN to LAN, not WAN to LAN ACL. Anyway, it seems to be working. IO am now going to implement the other servers and what not and verify works before "solved". But this is awesome, thank you.

Regardless of that, and I did this after I verified your way worked, I reinstated the SOURCE Port, and it stopped working. How would a set source to a set destination port not work? I understand Port Forwarding source 88 to destination 22, would a source port be used in that scenario? Just weird source and destination causing it to not work. Regardless, I have source port to any and it works.

Fair enough. Awesome guys, thank you!