PAT is not working

Kasper Elsborg

Hello Community.

I have recently converted my ASA5516-X from ASA to FTD code and am running it from an FMC.

I have figured everything out, except the PAT part.

It was working on the ASA code, but I was not able to use the migration tool, so I've started from scratch.

Currently there is a dynamic NAT rule for many-to-one IP translation -> internet access for the client net.

Then I have an FTP server (Kasperstore) on 192.168.2.82 in the inside security zone, configured to receive SFTP on TCP port 20000, from the outside-if on 192.168.0.254.

When I run a packet-tracer I get the output:

Last login: Fri Jul 22 16:02:45 UTC 2022 from 192.168.3.198 on pts/0

Copyright 2004-2022, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Firepower Extensible Operating System (FX-OS) v2.10.1 (build 192)
Cisco ASA5516-X Threat Defense v7.0.2 (build 88)

> packet-tracer input Outside_if 
esp     gre     icmp    ipip    rawip   sctp    tcp     udp     vlan-id 
> packet-tracer input Outside_if tcp 192.168.0.254 20000 192.168.2.82 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=4558667, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=353698495, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Area51-outside-if
 nat (any,any) static Kasperstore service tcp 20000 20000 
Additional Information:
NAT divert to egress interface identity(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e84ca950, priority=501, domain=permit, deny=true
        hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA

Question is, what is the access-list that is dropping the packet?

I have made an extended access-list under objects.

Br. Kasper

2 Accepted Solutions

Then this looks to be your problem.

You have the interface IP configured as the original source and the server IP as the translated source.  Change these around and test again.  If 192.168.0.254 is the interface IP of the FTD you will need to specify interface in the translated section instead of the object.

Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32

--
Please remember to select a correct answer and rate helpful posts
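An added example (mine, not Marius's or Cisco's) that turns this check into code: it parses `show nat detail` output of the kind posted later in the thread and flags static rules whose Origin is a firewall interface IP, which is the swapped origin/translated configuration described above, and rules bound to (any,any) as Rob points out in the replies. `INTERFACE_IPS` is an assumption built from the addresses in the thread; the sample text is the first `show nat detail` output the poster shared.

```python
import re

# Copy of the first "show nat detail" output posted in the thread (the version with the (any,any) rules).
SAMPLE_NAT = """\
Manual NAT Policies (Section 1)
1 (any) to (any) source static Area51-outside-if Kasperstore  service SVC_30064936305 SVC_30064936305 unidirectional
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp destination eq 20000 , Translated: tcp destination eq 20000

Auto NAT Policies (Section 2)
1 (any) to (any) source static Area51-outside-if Kasperstore  service tcp 20000 20000
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Protocol: tcp Real: 20000 Mapped: 20000
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface
    translate_hits = 381178, untranslate_hits = 9243
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24
"""

# Assumed interface addressing, taken from the poster's description of the setup.
INTERFACE_IPS = {"Outside_if": "192.168.0.254"}

SECTION = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d+)\)")
RULE = re.compile(r"^(?P<idx>\d+) \((?P<src_ifc>[^)]+)\) to \((?P<dst_ifc>[^)]+)\) "
                  r"source (?P<kind>static|dynamic) (?P<orig_obj>\S+) (?P<xlat_obj>\S+)")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SOURCE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")


def parse_show_nat_detail(text):
    """Return one dict per NAT rule: section, interfaces, objects, hit counters and real/mapped addresses."""
    rules, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            section = int(m.group(2))
        elif m := RULE.match(line):
            cur = {"section": section, **m.groupdict()}
            rules.append(cur)
        elif cur is not None and (m := HITS.search(line)):
            cur["translate_hits"], cur["untranslate_hits"] = int(m.group(1)), int(m.group(2))
        elif cur is not None and (m := SOURCE.search(line)):
            cur["origin"], cur["translated"] = m.group(1), m.group(2)
    return rules


def audit_port_forwards(rules, interface_ips):
    """Flag static rules that use an interface IP as Origin (real/mapped swapped) and rules bound to (any,any)."""
    ip_to_ifc = {ip: ifc for ifc, ip in interface_ips.items()}
    findings = []
    for r in rules:
        tag = f"section {r['section']} rule {r['idx']}"
        origin_ip = r.get("origin", "").split("/")[0]
        if r["kind"] == "static" and origin_ip in ip_to_ifc:
            findings.append(f"{tag}: Origin {r['origin']} is the {ip_to_ifc[origin_ip]} interface IP; "
                            f"the real server {r.get('translated')} belongs on the Origin side "
                            f"and the interface on the Translated side")
        if r["src_ifc"] == "any" and r["dst_ifc"] == "any":
            findings.append(f"{tag}: bound to (any,any); specify the real ingress/egress interfaces")
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(parse_show_nat_detail(SAMPLE_NAT), INTERFACE_IPS):
        print(finding)
```

Run against the sample, both static rules are reported twice (swapped Origin and (any,any)), while the dynamic inside-to-outside PAT rule passes.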

Kasper Elsborg

Marius Gunnerud, I am really puzzled now.

I have been testing both packet-tracer and packet capture for hours the last couple of days. In addition to your advice, I've also changed the ACP rule to TCP 20000 as source. It still yields the same result in the traces, however I decided to try the real SFTP, and surprise, it works?

So how come the traces say "drop" when it actually works? I've been relying on the traces for the most part.

Anyway thanks for your time

Br. Kasper

23 Replies

@Kasper Elsborg you need to configure the access in the Access Control Policy (ACP), not an extended ACL. The source port is likely dynamic, so use "any" not 20000. The destination port will obviously be static, so you can use 20000 for the destination port in the ACP.

Ideally your NAT rule interfaces should be more specific rather than "any". I.e. - nat (inside,Outside_if) ......

Your packet tracer source should be a random IP address, the destination IP address will be the NAT IP address, not the real IP address.

@Rob Ingram thanks for taking the time

I think I have the ACP in place? My intention was to keep it as wide as possible for troubleshooting?

Maybe I did it wrong?

Br. Kasper

@Kasper Elsborg are you sure the source port is going to be port 20000? Usually it will be dynamic. Traffic would probably not hit the first rule, but rule #7.

Run "system support firewall-engine-debug" from the CLI of the FTD, filter on the destination IP address. Then generate traffic and observe the traffic flow and determine the source port and which rule it matches.

Provide the output of "show nat detail"
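As an added example (mine, not Cisco's), here is a Python parser for the line format that `system support firewall-engine-debug` prints on FTD 7.x, as seen later in this thread; it groups lines per 5-tuple and extracts the matched rule, so the source port and rule name Rob asks about can be read off the output. The TCP lines, the rule name SFTP-20000, its order 7 and the Allow action in the sample are constructed, not captured from the poster's device; the ICMP lines are copied from the thread.

```python
import re

# Constructed sample in the format of "system support firewall-engine-debug" on FTD 7.x:
# an SFTP client's TCP session (rule name/order/action are assumptions), then ICMP lines from the thread.
SAMPLE_DEBUG = """\
192.168.0.232 54259 -> 192.168.2.82 20000 6 AS=0 ID=1 GR=1-1 New firewall session
192.168.0.232 54259 -> 192.168.2.82 20000 6 AS=0 ID=1 GR=1-1 using HW or preset rule order 7, 'SFTP-20000', action Allow and prefilter rule 0
192.168.0.232 54259 -> 192.168.2.82 20000 6 AS=0 ID=1 GR=1-1 allow action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
"""

DEBUG_LINE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+) "
    r"(?P<proto>\d+) AS=\d+ ID=\d+ GR=\S+ (?P<msg>.*)$")
RULE_MATCH = re.compile(r"using HW or preset rule order (\d+), '([^']*)', action (\w+)")


def parse_engine_debug(text):
    """Group debug lines per 5-tuple and remember the ACP rule each session matched.
    For ICMP (proto 1) the two numbers after each address are type and code, not ports."""
    sessions = {}
    for line in text.splitlines():
        m = DEBUG_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        key = (d["src"], int(d["sport"]), d["dst"], int(d["dport"]), int(d["proto"]))
        s = sessions.setdefault(key, {"lines": 0, "rule_order": None, "rule": None, "action": None})
        s["lines"] += 1
        if r := RULE_MATCH.search(d["msg"]):
            s["rule_order"], s["rule"], s["action"] = int(r.group(1)), r.group(2), r.group(3)
    return sessions


def sessions_to_service(sessions, server_ip, server_port):
    """Answer the two questions in the reply: which source port did the client use, and which rule matched."""
    return [
        {"client": src, "source_port": sport, "rule_order": s["rule_order"],
         "rule": s["rule"], "action": s["action"]}
        for (src, sport, dst, dport, proto), s in sessions.items()
        if proto == 6 and dst == server_ip and dport == server_port
    ]


if __name__ == "__main__":
    for hit in sessions_to_service(parse_engine_debug(SAMPLE_DEBUG), "192.168.2.82", 20000):
        print(hit)
```

The filter on the server address lets you run the debug with only the server IP set (as Rob suggests) and still pick out the SFTP sessions from everything else the box is inspecting.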

@Rob Ingram Yes, I saw the error so I've changed the source port to Any, but it didn't change anything. I will try your suggestions.

Okay, so I've tried the "system support firewall-engine-debug" with various options. I can get it to generate traffic if the server is 192.168.2.82, which is the SFTP server, among many services. However, there is no traffic from the outside_if from my SFTP client 192.168.0.232, and if I change 


> system support firewall-engine-debug

Please specify an IP protocol:
Please specify a client IP address: 192.168.0.232
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages

There is no output at all?

> show nat detail 

Manual NAT Policies (Section 1)
1 (any) to (any) source static Area51-outside-if Kasperstore  service SVC_30064936305 SVC_30064936305 unidirectional
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp destination eq 20000 , Translated: tcp destination eq 20000 

Auto NAT Policies (Section 2)
1 (any) to (any) source static Area51-outside-if Kasperstore  service tcp 20000 20000 
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Protocol: tcp Real: 20000 Mapped: 20000 
2 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 381178, untranslate_hits = 9243
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24

@Rob Ingram

I've made a test ACP with no rules other than a trust-all. Tested it, but no luck, still the same block. So I can pretty much rule out the ACP rules.

> system support firewall-engine-debug

Please specify an IP protocol: icmp
Please specify a client IP address: 192.168.3.198
Please specify a server IP address: 

Monitoring firewall engine debug messages


192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 New firewall session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 app event with app id changed, url no change, tls host no change, bits 0x5
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268438533, rule_action:3, rev id:3304971106, rule_match flag:0x0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 using HW or preset rule order 1, 'test', action Trust and prefilter rule 0
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 fastpath action
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00000000
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268438533, rule_action 3 rev_id 3304971106, rule_flags 3
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
192.168.3.198 8 -> 192.168.0.232 0 1 AS=0 ID=1 GR=1-1 Deleting Firewall session
^C
Caught interrupt signal
Exiting.

> packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=591050297, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=646912185, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=782289, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1689550, priority=0, domain=permit, deny=true
        hits=198553, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA

Any suggestions?

Br. Kasper

If I am right, route-lookup must be added to this NAT.

Hi, seems like this option is ruled out?

Br. Kasper

Same NAT, but make the type

NAT auto before
and enable route-lookup

Seems like I don't have that option?

I've tried to make a manual NAT -> before,

but I still don't have that option. Also, I don't know if I made the manual NAT rule correctly?

Your packet-tracer is not correct. It should look something like this:

packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed

You are simulating a packet passing through the firewall so the first IP is the source IP that you are testing from (if this is a specific IP then exchange 8.8.8.8 with the correct IP) and the destination is the NATed IP of the FTP server.  You should then see a correct packet tracer which will give you more information on if the packet really is denied, allowed, etc.

--
Please remember to select a correct answer and rate helpful posts
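An added example (mine, not Cisco's or the replies' authors'): a Python parser for packet-tracer output that reports which phase dropped the packet and the drop-reason code, plus a linter for the command line that encodes the advice Rob and Marius give above (external source IP, mapped destination IP, ephemeral source port). The embedded sample is a condensed copy of the first trace in the question; `MAPPED_IP` and `SERVICE_PORT` are taken from the thread, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Condensed copy of the packet-tracer output posted in the question (phases 1-3 omitted).
SAMPLE_TRACE = """\
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Area51-outside-if
 nat (any,any) static Kasperstore service tcp 20000 20000
Additional Information:
NAT divert to egress interface identity(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0x1512e84ca950, priority=501, domain=permit, deny=true

Result:
input-interface: Outside_if(vrfid:0)
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA
"""
MAPPED_IP, SERVICE_PORT = "192.168.0.254", 20000   # published address and port from the thread


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase objects plus the trailing Result block as a dict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := re.match(r"^Phase:\s*(\d+)$", line):
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":            # bare trailer header, unlike a phase's "Result: ALLOW"
            cur, section = None, "final"
        elif section == "final":
            if ":" in line:
                key, value = line.split(":", 1)
                final[key.strip()] = value.strip()
        elif cur is None or not line.strip():
            continue
        elif line.startswith("Type:"):
            cur.type = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line[8:].strip()
        elif line.startswith("Result:"):
            cur.result = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        else:
            (cur.config if section == "config" else cur.info).append(line.strip())
    return phases, final


def diagnose(text):
    """Report which phase dropped the packet, the drop-reason code, and the UN-NAT translation if any."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result == "DROP"), None)
    unnat = next((p for p in phases if p.type == "UN-NAT"), None)
    code = re.match(r"\((\S+)\)", final.get("Drop-reason", ""))
    return {
        "action": final.get("Action"),
        "drop_reason": code.group(1) if code else None,
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.type if drop else None,
        "drop_config": drop.config if drop else [],
        "untranslate": next((l for l in unnat.info if l.startswith("Untranslate")), None) if unnat else None,
    }


def check_tracer_command(cmd, mapped_ip, service_port):
    """Lint a 'packet-tracer input <ifc> tcp <src> <sport> <dst> <dport>' line against the advice in the replies."""
    m = re.match(r"packet-tracer input \S+ (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)", cmd)
    if not m:
        return ["expected: packet-tracer input <ifc> tcp|udp <src-ip> <src-port> <dst-ip> <dst-port>"]
    src, sport, dst, dport = m.groups()
    problems = []
    if src == mapped_ip:
        problems.append("source is the firewall's own mapped/interface IP; simulate an external client (e.g. 8.8.8.8)")
    if dst != mapped_ip:
        problems.append(f"destination {dst} is not the mapped IP {mapped_ip}; inbound tests target the NATed address")
    if int(sport) == service_port:
        problems.append(f"source port {sport} equals the service port; real clients use an ephemeral source port")
    if int(dport) != service_port:
        problems.append(f"destination port {dport} is not the published service port {service_port}")
    return problems
```

Running `check_tracer_command` on the command from the question reports three problems (source is the interface IP, destination is the real server, source port equals the service port); on the form Marius suggests, with an ephemeral source port, it reports none.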

Hi, and thanks for replying.

I am aware and I did change it afterwards, but it doesn't change anything.

> packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.0.254 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=586897569, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=644850555, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=757857, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1689550, priority=0, domain=permit, deny=true
        hits=191254, user_data=0xb, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA

Kasper Elsborg

I've got a bit further. It seems like the NAT rule was not created right, so I made a static manual NAT rule which I can now get a hit on in the packet-tracer. I also did a packet capture from the FMC, which might help identify the problem; however, I'm still stuck, so any suggestions are welcome.

NAT rule is attached

packet-tracer

> packet-tracer input Outside_if tcp 8.8.8.8 20000 192.168.2.82 20000 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e878da70, priority=13, domain=capture, deny=false
        hits=594666507, user_data=0x1512f18a7b70, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1688160, priority=1, domain=permit, deny=false
        hits=648705869, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside_if, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
NAT divert to egress interface Inside_if(vrfid:0)
Untranslate 192.168.2.82/20000 to 192.168.0.254/20000

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp any any eq 20000 rule-id 268438530 
access-list CSM_FW_ACL_ remark rule-id 268438530: ACCESS POLICY: Area51 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438530: L7 RULE: SFTP-20000
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 Forward Flow based lookup yields rule:
 in  id=0x1512f1c14250, priority=12, domain=permit, deny=false
        hits=1, user_data=0x1513064869c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=20000, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512e858dc50, priority=7, domain=conn-set, deny=false
        hits=12365, user_data=0x1512e8588fe0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
Static translate 8.8.8.8/20000 to 8.8.8.8/20000
 Forward Flow based lookup yields rule:
 in  id=0x1512f1b90e00, priority=6, domain=nat, deny=false
        hits=1, user_data=0x1512f1c86a60, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.2.82, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=797708, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x1512f1690170, priority=0, domain=inspect-ip-options, deny=true
        hits=426601, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside_if,Outside_if) source static Area51-outside-if Kasperstore service SVC_30064977916 SVC_30064977916
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x1512f1ca96d0, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0x1512f1c38780, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=192.168.0.254, mask=255.255.255.255, port=20000, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside_if(vrfid:0), output_ifc=Inside_if(vrfid:0)

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x1512f142f8b0, priority=0, domain=nat-per-session, deny=false
        hits=797710, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x1512f1723170, priority=0, domain=inspect-ip-options, deny=true
        hits=423866, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Inside_if(vrfid:0), output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 423777, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:2453855330, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
MidRecovery data queried. Got session type 2 rule id: 268435467, rule_action:2, rev id:3561217122, ruleMatch flag:0x5 
00:00:00:00:00:00 -> 78:72:5D:CE:BD:A0 0800
8.8.8.8:20000 -> 192.168.0.254:20000 proto 6 AS=0 ID=2 GR=1-1
Packet 15958: TCP ******S*, 07/23-19:39:09.389963, seq 531550506, dsize 0
Session: new snort session
AppID: service: (0), client: (0), payload: (0), misc: (0)
Firewall: trust/fastpath rule, id 268438530, allow
Policies: Network 0, Inspection 0, Detection 3
Verdict: pass
Snort Verdict: (pass-packet) allow this packet

Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.0.254 using egress ifc  identity(vrfid:0)

Phase: 16
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc  identity is not same as existing ifc  Inside_if

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: Inside_if(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000056182be6cf8c flow (NA)/NA

Show nat detail:

> show nat detail

Manual NAT Policies (Section 1)
1 (Inside_if) to (Outside_if) source static Area51-outside-if Kasperstore  service SVC_30064977916 SVC_30064977916
    translate_hits = 2, untranslate_hits = 2
    Source - Origin: 192.168.0.254/32, Translated: 192.168.2.82/32
    Service - Origin: tcp source eq 20000 , Translated: tcp source eq 20000 

Auto NAT Policies (Section 2)
1 (Inside_if) to (Outside_if) source dynamic Area51_inside_nets interface 
    translate_hits = 5333, untranslate_hits = 74
    Source - Origin: 192.168.2.0-192.168.3.255, Translated: 192.168.0.254/24

The actual setup.

Inside nets are 192.168.1.0 -> 192.168.3.0, routed with OSPF on L3 switches, and the inside-if on the FTD.

The FTD outside-if is 192.168.0.254, connected to the ISP router on 192.168.0.1, but since I have no control over the routing there, the FTD is doing the dynamic NAT for the inside network. But this subnet also lets me simulate outside traffic, so I have an SFTP client on 192.168.2.232 connecting to the FTD outside-if on 192.168.0.254:20000 to test the NAT. The SFTP server is connecting on 192.168.2.82:20000.

The packet capture from the FMC when connecting from the SFTP client just described:

13 packets captured

   1: 19:50:06.510074       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
   2: 19:50:07.521304       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
   3: 19:50:09.523669       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
   4: 19:50:13.526034       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
   5: 19:50:21.530322       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
   6: 19:50:26.544985       192.168.0.232.17500 > 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


   7: 19:50:26.553483       192.168.0.232.17500 > 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


   8: 19:50:26.553544       192.168.0.232.17500 > 192.168.0.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.0.255 using egress ifc  Outside_if(vrfid:0)

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed, Drop-location: frame 0x000056182bf4a27b flow (NA)/NA


   9: 19:50:26.555101       192.168.0.232.17500 > 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


  10: 19:50:26.555162       192.168.0.232.17500 > 255.255.255.255.17500:  udp 146 
Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 255.255.255.255 using egress ifc  identity(vrfid:0)

Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside_if(vrfid:0)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA


  11: 19:50:32.652996       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
  12: 19:50:33.663616       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
  13: 19:50:35.672221       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK> 
13 packets shown

Br. Kasper
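An added example of mine, not Cisco's or the poster's: a small Python parser for the FMC/ASA capture format shown above that skips the interleaved packet-tracer phases and reports TCP flows that only ever sent SYNs and saw no reply, which is what the 54259 and 54260 connection attempts in the capture show. The sample embeds the capture lines from this post (abbreviated, with one dropped UDP packet's trace kept in short form) plus one constructed answered flow (packets 14-15) so the contrast is visible.

```python
import re
from collections import defaultdict

# Capture lines copied from the post (packets 1-5, 6, 8, 11-13; the FMC's interleaved packet-tracer
# phases for packet 6 are kept in abbreviated form) plus one constructed, answered flow (14-15).
SAMPLE_CAPTURE = """\
   1: 19:50:06.510074       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
   2: 19:50:07.521304       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
   3: 19:50:09.523669       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
   4: 19:50:13.526034       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
   5: 19:50:21.530322       192.168.0.232.54259 > 192.168.0.254.20000: S 584024581:584024581(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
   6: 19:50:26.544985       192.168.0.232.17500 > 255.255.255.255.17500:  udp 146
Phase: 1
Type: CAPTURE
Result: ALLOW
Result:
input-interface: Outside_if(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056182bf402bb flow (NA)/NA

   8: 19:50:26.553544       192.168.0.232.17500 > 192.168.0.255.17500:  udp 146
  11: 19:50:32.652996       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
  12: 19:50:33.663616       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
  13: 19:50:35.672221       192.168.0.232.54260 > 192.168.0.254.20000: S 2254202175:2254202175(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,sackOK>
  14: 19:51:00.000000       192.168.0.232.54261 > 192.168.0.254.20000: S 1000:1000(0) win 65535 <mss 1460>
  15: 19:51:00.001000       192.168.0.254.20000 > 192.168.0.232.54261: S 5000:5000(0) ack 1001 win 29200 <mss 1460>
"""

PACKET = re.compile(
    r"^\s*(?P<n>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$")


def parse_capture(text):
    """Extract packet lines; the packet-tracer phases the FMC interleaves for dropped packets are ignored."""
    packets = []
    for line in text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["proto"] = "udp" if d["rest"].startswith("udp") else "tcp"
        flags = re.match(r"([SFRP.]+) ", d["rest"]) if d["proto"] == "tcp" else None
        d["flags"] = flags.group(1) if flags else ""
        packets.append(d)
    return packets


def find_unanswered_syns(packets):
    """Pair packets by 4-tuple and return client->server flows that only sent SYNs and never saw a reply."""
    flows = defaultdict(lambda: {"syns": 0, "replies": 0, "first": None, "last": None})
    for p in packets:
        if p["proto"] != "tcp":
            continue
        fwd = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if rev in flows:                    # travelling back toward a client we have already seen
            flows[rev]["replies"] += 1
            continue
        f = flows[fwd]
        if "S" in p["flags"]:
            f["syns"] += 1
        f["first"] = f["first"] or p["ts"]
        f["last"] = p["ts"]
    return [
        {"client": f"{k[0]}:{k[1]}", "server": f"{k[2]}:{k[3]}",
         "syn_retries": v["syns"], "first": v["first"], "last": v["last"]}
        for k, v in flows.items() if v["syns"] and not v["replies"]
    ]


if __name__ == "__main__":
    for flow in find_unanswered_syns(parse_capture(SAMPLE_CAPTURE)):
        print(flow)
```

Five SYNs over fifteen seconds with nothing coming back is the client's exponential-backoff retransmission; the firewall never answered on behalf of the server, which matches the "no-adjacency" drop in the trace above rather than an ACL deny.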