NAT to Web Server on Firepower not working

Need help with a NAT configuration on a Firepower 1140. I have a NAT rule in place; when using 'sho nat translate' I get the following output:

show nat translate 192.168.x.x


Manual NAT Policies (Section 1)
3 (inside) to (outside_spectrum) source static ET-SVR ET-SVR service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
translate_hits = 2, untranslate_hits = 2

 

The NAT rule is as follows 

 

NAT web.JPG

 

packet-tracer input outside_spectrum tcp 8.8.8.8 80 192.168.x.x 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside_spectrum) source static ET-SVR ET-SVR service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 192.168.x.x/80 to 192.168.x.x/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435468 ifc outside_spectrum any ifc inside any rule-id 268435468 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435468: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435468: L5 RULE: Geo_Block
object-group service |acSvcg-268435468
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside_spectrum) source static ET-SVR ET-SVR service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
Additional Information:
Static translate 8.8.8.8/80 to 8.8.8.8/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside_spectrum) source static ET-SVR ET-SVR service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2940303, packet dispatched to next module

Phase: 10
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 11
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
MidRecovery data queried. Got session type 2 rule id: 268435457, rule_action:2, rev id:2905255074, ruleMatch flag:0x5
00:00:00:00:00:00 -> E0:69:BA:02:BF:26 0800
8.8.8.8:80 -> 192.168.x.x:80 proto 6 AS=0 ID=3 GR=1-1
Packet 147681: TCP ******S*, 02/08-01:16:32.086467, seq 1100754902, dsize 0
Session: new snort session
AppID: service: (0), client: (0), payload: (0), misc: (0)
Firewall: starting rule matching, zone 2 -> 1, geo 0(0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Firewall: allow rule, id 268435464, allow
Policies: Network 0, Inspection 0, Detection 3
Verdict: pass
Snort Verdict: (pass-packet) allow this packet

Phase: 12
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.x.x using egress ifc inside(vrfid:0)

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.x.x on interface inside
Adjacency :Active
MAC address 2c27.d745.543a hits 2 reference 7

Result:
input-interface: outside_spectrum(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

 

Thanks in advance.
14 Replies

Sheraz.Salim
VIP Alumni

Nat rules look fine.

 

When you do a packet tracer, do you put in the firewall's outside IP address?

 

packet-tracer input outside_spectrum tcp 8.8.8.8 80 outside-firewall-ip 80

 

Can you show the packet tracer with the outside IP address, and could you also show the output of 'show nat detail'?

please do not forget to rate.

So when I do that I get an ACL drop, see below. I do have an ACL; maybe it's in the wrong spot or facing incorrectly?? I have a pic pasted below.

 

 packet-tracer input outside_spectrum tcp 8.8.8.8 80 X.X.X.155 80

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 98.6.174.155 using egress ifc identity(vrfid:0)

 

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

 

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside_spectrum(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559234c43156 flow (NA)/NA

 

ACL Webserver.JPG

WEB Order.JPG

 

 

 

@00u18jg7x27DHjRMh5d7 your ACP rule is incorrect, the source ports will be dynamic, not http and https - so remove them, leave as "any".

Are you intending to NAT behind the outside interface? If so amend your NAT rule for the translated packet source address to "interface".

Your access list ACL is incorrect.

please do not forget to rate.

@00u18jg7x27DHjRMh5d7 I found this document for you; hope it will help to put you in the right direction:

here and here 

please do not forget to rate.

I don't have access to the firewall, but your access-list should be like this:

 

access-list outside_in extended permit tcp any object ET-SVR eq https

FTD1.PNG

 

Could you also show your NAT statement please?

please do not forget to rate.

Not sure what happened, but I made the changes and applied them. Now my AnyConnect isn't working LOL.

@00u18jg7x27DHjRMh5d7 hard to tell, what did you change?

 

Can you connect to the VPN? If you can connect, it could be the Access Control rules are blocking your traffic or the NAT exemption rule is not working. Double check that config. From the CLI you can also run "system support firewall-engine-debug", filter on the IP address, generate some traffic and confirm what rule is being hit.

It booted all connected users out, and I could not connect. I had added an additional rule for VLANs to access the internet and that worked but killed the VPN. I removed it and the VPN is back up, but now my VLANs don't have internet access LOL. See below for the order and the rule config; it was number 5.

 

When doing this, the webpage access didn't change, but that might have been because of the rule that killed the VPN; I cannot test again till after hours.

 

After removed rule.JPG

in 2 out 2 removed.JPG
@00u18jg7x27DHjRMh5d7 ACP rules and NAT rules apply for traffic through the firewall, they aren't going to kick off users from a vpn. So I am still unclear what happened. You appear to have 2 outside interfaces, how are you routing? Provide more information if you need help troubleshooting.

After making the above changes to the NAT, this is now the output from 'show nat'. It receives hits but is still not translating.

 

3 (inside) to (outside_spectrum) source static ET-SVR interface service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
translate_hits = 21, untranslate_hits = 21

Current tracing shows allowed; still no access to the webpage from the internet.

 

WH01-FP-1# packet-tracer input outside_spectrum tcp X.X.1.248 80 X.X.88.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop X.X.X.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L7 RULE: DefaultActionRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic any-ipv4 interface
Additional Information:
Dynamic translate X.X.1.248/80 to X.X.X.125/37160

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic any-ipv4 interface
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 79500, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
00:00:00:00:00:00 -> E0:69:BA:02:BF:26 0800
X.X.1.248:80 -> X.X.X.1:80 proto 6 AS=0 ID=0 GR=1-1
Packet 211213: TCP ******S*, 02/09-02:03:02.665126, seq 1396909633, dsize 0
Session: new snort session
AppID: service: (0), client: (0), payload: (0), misc: (0)
Firewall: allow rule, id 1, allow
Policies: Network 0, Inspection 0, Detection 3
Verdict: pass
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop X.X.X.1 using egress ifc outside(vrfid:0)

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop X.X.X.1 on interface outside
Adjacency :Active
MAC address 40a6.7746.a7c1 hits 45665 reference 406

Result:
input-interface: outside_spectrum(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

 

"sho nat"


Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ET-SVR ET-SVR service _|NatOrigSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795 _|NatMappedSvc_4211a90c-77cc-11ec-bf90-9f23f6c58795
translate_hits = 0, untranslate_hits = 0
2 (outside) to (any) source static ET-SVR ET-SVR
translate_hits = 4, untranslate_hits = 7
3 (inside) to (outside) source static ET-SVR-01 ET-SVR-01 destination static VPN_Network VPN_Network
translate_hits = 3, untranslate_hits = 3
4 (inside) to (outside_spectrum) source static ET-SVR-01 ET-SVR-01 destination static VPN_Network VPN_Network
translate_hits = 2584, untranslate_hits = 2584
5 (inside) to (outside) source dynamic any interface
translate_hits = 29776, untranslate_hits = 624
6 (any) to (outside) source dynamic any-ipv4 interface
translate_hits = 285, untranslate_hits = 7
7 (outside) to (inside) source static VPN_Network VPN_Network destination static Inside_Network Inside_Network no-proxy-arp
translate_hits = 0, untranslate_hits = 0
8 (outside_spectrum) to (inside) source static VPN_Network VPN_Network destination static Inside_Network Inside_Network
translate_hits = 64, untranslate_hits = 0
Looking into your output, your packet tracer is matching the NAT rule which is defined in your NAT configuration as rule number 6.

6 (any) to (outside) source dynamic any-ipv4 interface
translate_hits = 285, untranslate_hits = 7

Looking into your packet trace, the packet is coming in on the outside interface with source X.X.1.248 80 and destination X.X.88.1 80 (which is your firewall's outside interface IP address).

 packet-tracer input outside_spectrum tcp X.X.1.248 80 X.X.88.1 80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic any-ipv4 interface
Additional Information:
Dynamic translate X.X.1.248/80 to X.X.X.125/37160


Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic any-ipv4 interface

 

please do not forget to rate.
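A small parser for the packet-tracer output quoted throughout this thread, added here as an example and not part of any reply: it pulls out the phase that returned DROP, the final Drop-reason, and the `nat` config lines the trace matched (the check Sheraz.Salim did by hand above). The sample trace is constructed in the same format with documentation-range addresses.

```python
def parse_packet_tracer(text):
    """Split ASA/FTD packet-tracer output into per-phase dicts plus the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur, section = {"number": int(line[6:]), "config": [], "info": []}, None
            phases.append(cur)
        elif line == "Result:":                 # a bare "Result:" opens the final summary
            cur, section = None, "final"
        elif section == "final" or line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            (final if section == "final" else cur)[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
    return phases, final

def diagnose(text):
    """Pull out what the replies look for: the dropping phase and the NAT lines matched."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    nat = sorted({c for p in phases if p.get("Type") in ("NAT", "UN-NAT")
                  for c in p["config"] if c.startswith("nat ")})
    return {"action": final.get("Action"),
            "drop_phase": f'{drop["number"]}:{drop["Type"]}' if drop else None,
            "drop_reason": final.get("Drop-reason"),
            "nat_rules": nat}

# Constructed sample in the thread's format; addresses are from documentation ranges.
SAMPLE = """\
Phase: 1
Type: NAT
Result: ALLOW
Config:
nat (any,outside) source dynamic any-ipv4 interface
Additional Information:
Dynamic translate 198.51.100.248/80 to 203.0.113.125/37160

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `diagnose(SAMPLE)` reports the drop at phase 2 (ACCESS-LIST, implicit rule) and the dynamic outbound NAT line the inbound test matched, which is the symptom the thread is chasing.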

Hopefully someone is still looking at this. I am still stuck trying to get this web server working. Below are the rules in place and the packet trace. I know it's being dropped because of an ACL; I just need someone to point me in the right direction for the configuration.

Thanks in advance.

 

Cisco ACL.JPG

Cisco NAT.JPG

WH01-FP-1# packet-tracer input outside tcp 192.X.X.248 80 X.X.X.125 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop X.X.X.125 using egress ifc identity(vrfid:0)

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bf7033156 flow (NA)/NA

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

WH01-FP-1# packet-tracer input outside tcp X.X.X.125 80 X.X.X.248 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop X.X.X.248 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bf7033156 flow (NA)/NA