07-22-2022 11:06 AM - edited 07-22-2022 11:09 AM
Hello Community.
I have recently converted my ASA5516-X from ASA to FTD code and am running it from an FMC.
I have figured everything out, except the PAT part.
It was working on the ASA code, but I was not able to use the migration tool, so I've started from scratch.
Currently there is a dynamic NAT rule for many-to-one IP translation -> internet access for the client net.
Then I have an FTP server (Kasperstore) on 192.168.2.82 in the inside security zone, configured to receive SFTP on TCP port 20000, from the outside-if on 192.168.0.254.
When I run a packet-tracer I get the output:
Cisco Firepower Extensible Operating System (FX-OS) v2.10.1 (build 192)
Cisco ASA5516-X Threat Defense v7.0.2 (build 88)
> packet-tracer input Outside_if
esp gre icmp ipip rawip sctp tcp udp vlan-id
> packet-tracer input Outside_if tcp 192.168.0.254 20000 192.168.2.82 20000 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512e878da70, priority=13, domain=capture, deny=false
hits=4558667, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Outside_if, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512f1688160, priority=1, domain=permit, deny=false
hits=353698495, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside_if, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc identity(vrfid:0)
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Area51-outside-if
nat (any,any) static Kasperstore service tcp 20000 20000
Additional Information:
NAT divert to egress interface identity(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512e84ca950, priority=501, domain=permit, deny=true
hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside_if(vrfid:0), output_ifc=any
Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA
Question is, what is the access-list that is dropping the packet?
I have made an extended access-list under objects
Br. Kasper
07-24-2022 12:26 AM
So from what I can see, this is no longer an ACP or NAT issue. From the packet-tracer I can see in the end:
Phase: 16
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc identity is not same as existing ifc Inside_if
Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside_if(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000056182be6cf8c flow (NA)/NA
which looks more like a routing problem. It leads me back to MHM Cisco World's comment on enabling "route lookup" on the NAT config. But it is still grayed out. From what I can read in the guides and Google, it should be allowed in firewall routing mode, which is the case.
FYI, I can produce the same output with both a manual and an auto NAT rule.
Anyone have an idea why it is grayed out?
07-24-2022 01:54 PM
Could you provide screenshots of the complete NAT configuration (all sections, if you please)? Also, confirm the following:
Original source IP - 192.168.0.254
Translated source IP - 192.168.2.82
I highly doubt that route-lookup is the issue here, as the NAT will use the interfaces defined in the NAT configuration to determine which interfaces to send packets to, that is unless you have more than one interface configured in each of those security zones you have configured.
07-24-2022 10:57 PM - edited 07-24-2022 11:27 PM
@Marius Gunnerud Yes, of course.
These are the latest configs, both the auto and manual rule. They both produce the same output from the packet-tracer.
They both receive hits when enabled.
The first show nat detail is with the manual rule enabled, the 2nd is with it disabled; both receive hits with the packet-tracer.
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
translate_hits = 1, untranslate_hits = 1
Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000
Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore service tcp 20000 20000
translate_hits = 0, untranslate_hits = 6
Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
Service - Protocol: tcp Real: 20000 Mapped: 20000
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface
translate_hits = 83526, untranslate_hits = 2066
Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916 inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000
Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore service tcp 20000 20000
translate_hits = 0, untranslate_hits = 7
Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
Service - Protocol: tcp Real: 20000 Mapped: 20000
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface
translate_hits = 85518, untranslate_hits = 2086
Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
Original source IP - 192.168.0.254 -> is the outside-if
Translated source IP - 192.168.2.82 -> is the SFTP-server on port 20000
Br. Kasper
07-25-2022 06:28 AM
Then this looks to be your problem.
You have the interface IP configured as the original source and the server IP as the translated source. Change these around and test again. If 192.168.0.254 is the interface IP of the FTD you will need to specify interface in the translated section instead of the object.
Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
07-25-2022 08:50 AM - edited 07-25-2022 09:24 AM
I think I've already tried this. Now I'm not even reaching the Snort engine, and the NAT rule is not getting any hits.
Edit:
In the former post I have posted the wrong screendumps: I've posted the dynamic NAT ones. So from here on I'll concentrate on the manual NAT rule and change the original source and translated source. But still it doesn't change anything.
> packet-tracer input Outside_if tcp 192.168.0.232 20000 192.168.2.82 20000 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512e878da70, priority=13, domain=capture, deny=false
hits=716207557, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Outside_if, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512f1688160, priority=1, domain=permit, deny=false
hits=709439557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside_if, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.82 using egress ifc Inside_if(vrfid:0)
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp any any eq 20000 rule-id 268438530
access-list CSM_FW_ACL_ remark rule-id 268438530: ACCESS POLICY: Area51 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438530: L7 RULE: SFTP-20000
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x1512f1c14250, priority=12, domain=permit, deny=false
hits=22, user_data=0x1513064869c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=20000, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512e858dc50, priority=7, domain=conn-set, deny=false
hits=16237, user_data=0x1512e8588fe0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside_if(vrfid:0), output_ifc=any
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
hits=1006888, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1512f1690170, priority=0, domain=inspect-ip-options, deny=true
hits=564137, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside_if(vrfid:0), output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside_if,Outside_if) source static Kasperstore interface service SVC_30064977916 SVC_30064977916
Additional Information:
Forward Flow based lookup yields rule:
out id=0x1512e897fbc0, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x1512f182ff80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.2.82, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)
Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf456a5 flow (NA)/NA
> show nat detail
Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Kasperstore interface service SVC_30064977916 SVC_30064977916
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.2.82/32, Translated: 192.168.0.254/24
Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000
Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface
translate_hits = 138968, untranslate_hits = 3856
Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
Br. Kasper
07-25-2022 09:27 AM
rpf-check means the NAT is not the same as the UN-NAT for this path.
Share the list of all NAT in the FW.
07-25-2022 09:33 AM
Marius Gunnerud I am really puzzled now.
I have been testing both packet-tracer and packet capture for hours the last couple of days. In addition to your advice, I've also changed the ACP rule to tcp 20000 as source. It still yields the same result in the traces; however, I decided to try the real SFTP, and surprise, it works?
So how come the traces say "drop" when it actually works? Been relying on the traces for the most part.
Anyway thanks for your time
Br. Kasper
07-25-2022 09:40 AM
Marius Gunnerud sorted it out...
Packet capture and tracer also need to have source and destination reversed.
jezzz.. :-s Guess I will never forget now..
07-28-2022 12:24 AM
The packet-tracer you posted in that screenshot would test access from the inside network to the outside network. The reverse would test access from the outside network to the inside network. I am sure that the packet-tracer from the outside network is failing due to a syntax error. In any case, glad this is working now.
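As an added example (not from the thread or from Cisco), a small Python helper that pulls the first DROP phase and the drop-reason code out of saved packet-tracer output, plus a builder for the inbound test command the thread ended on: when tracing a flow arriving on Outside_if, the source is the external client and the destination is the mapped address and port (the outside interface IP 192.168.0.254 and 20000 here), not the server's real 192.168.2.82. The sample trace is constructed from the shape of the output above, and the client port 40000 is a constructed value.

```python
import re

# Constructed sample, abridged to the shape of the thread's FTD packet-tracer output.
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside_if,Outside_if) source static Kasperstore interface service SVC_30064977916 SVC_30064977916
Result:
input-interface: Outside_if(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf456a5 flow (NA)/NA
"""

def parse_trace(trace):
    """Split packet-tracer output into per-phase dicts plus the final summary block."""
    phases, summary, section, cur = [], {}, None, {"config": [], "info": []}  # cur: scratch until Phase 1
    for line in (l.strip() for l in trace.splitlines() if l.strip()):
        key, sep, val = line.partition(":")
        val = val.strip()
        if key == "Phase":
            cur, section = {"phase": int(val), "config": [], "info": []}, None
            phases.append(cur)
        elif key == "Result" and not val:  # a bare "Result:" opens the final summary
            section = "summary"
        elif section == "summary":
            summary[key] = val
        elif key in ("Config", "Additional Information") and not val:
            section = "config" if key == "Config" else "info"
        elif key in ("Type", "Subtype", "Result") and sep:
            cur[key.lower()] = val
        elif section:
            cur[section].append(line)
    return phases, summary

def diagnose(trace):
    """Return (first DROP phase or None, short drop-reason code such as 'acl-drop' or None)."""
    phases, summary = parse_trace(trace)
    code = re.match(r"\((\S+)\)", summary.get("Drop-reason", ""))
    return next((p for p in phases if p.get("result") == "DROP"), None), (code.group(1) if code else None)

def inbound_tracer_cmd(ingress_ifc, client_ip, client_port, mapped_ip, mapped_port, proto="tcp"):
    """Tracer for a flow arriving from outside: destination is the MAPPED address/port, not the server's real IP."""
    return f"packet-tracer input {ingress_ifc} {proto} {client_ip} {client_port} {mapped_ip} {mapped_port} detailed"
```

Feed `diagnose()` the saved output of a real trace to see which phase (and which NAT or ACL line in its Config) produced the drop before reading all the phases by hand.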