permit ip ifc outside any any

velusamycs

We have FMC and FTD. In FMC we configured a "Blocked Traffic" ACCESS POLICY rule, but while checking in the FTD CLI one more ACL (ifc outside any any allow) shows up with the same rule-id 268441601. Any ideas how to find this ACL in FMC?



ACL in FTD 
========
access-list CSM_FW_ACL_ line 17 remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ line 18 remark rule-id 268441601: L7 RULE: Blocked Traffic
access-list CSM_FW_ACL_ line 19 advanced deny ip ifc outside host x.x.x.x any rule-id 268441601 (hitcnt=0) 0x70ce5f02
access-list CSM_FW_ACL_ line 20 advanced permit ip ifc outside any any rule-id 268441601 (hitcnt=39080962) 0x8793b97e

FMC 

[screenshot of the FMC rule]

Thank you 

22 Replies

Marvin Rhoads

Check the default action in your FMC ACP.

velusamycs

Default Action is Block, @Marvin Rhoads 

[screenshot of the ACP default action]

"show access-list" (not "show running-config access-list") will expand the elements of your ACLs. We would expect expanded elements of an ACL entry to all have the same rule-id.

[screenshot of show access-list output]

show run access-list <- from the FTD CLI, share this

MHM

velusamycs

[screenshot: show access-list]

While doing packet-tracer for any outside-to-inside traffic, it always takes this rule (permit ip ifc outside any any).
Rule-id is 268441601.

Lines 17, 18, 19 and 20 are the same ACL.

The ACL is L7, so it matches on the app.

So the traffic passes until FTD detects the app; then this ACL will work (permit or deny).

If you do a packet capture, you will see the ACL with app unknown.

Do it again using the same IP and you will see the app known and the real action applied.

MHM

@MHM Cisco World all ACP entries show up as L7 rules in the cli. If you look at the original post however, note that no Application was specified in the rule itself.

I'm not seeing the origin of the "permit ip ifc outside any any" entry in what you have shared. In any event, why would you want to block only one incoming IP address in the ACL and not everything?

Specifically, in Blocked Traffic we added 1 IP address and one geolocation in the source network.

So, what's the question then? This ACP rule was correctly expanded into 2 Lina ACEs and in the packet-tracer you see how they're matched. The GEO part was programmed as "allow" Lina ACE to allow traffic reach "Snort" part of the system.
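To make the expansion described above visible, here is an added example (not part of this thread or of any Cisco tool): a small Python script that groups a `show access-list` dump by rule-id, so an ACP rule such as "Blocked Traffic" shows up as its Lina ACEs side by side, with the deny on the host and the any/any permit that exists only to hand the GeoIP condition to Snort, and their hit counts compared. The sample input is the four lines quoted in the original post (host address left masked as posted); the regexes are my own, written against that format, and would need widening for ACEs that use object-groups or port specifications.

```python
import re
from collections import defaultdict

# Constructed sample: the four "show access-list" lines quoted in the original post.
SHOW_ACCESS_LIST = """\
access-list CSM_FW_ACL_ line 17 remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ line 18 remark rule-id 268441601: L7 RULE: Blocked Traffic
access-list CSM_FW_ACL_ line 19 advanced deny ip ifc outside host x.x.x.x any rule-id 268441601 (hitcnt=0) 0x70ce5f02
access-list CSM_FW_ACL_ line 20 advanced permit ip ifc outside any any rule-id 268441601 (hitcnt=39080962) 0x8793b97e
"""

# Patterns written against the line shapes above (assumption: no object-groups or ports).
REMARK_RE = re.compile(r"^access-list (\S+) line (\d+) remark rule-id (\d+): (.*)$")
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) advanced (permit|deny) (\S+) (.*?) rule-id (\d+) \(hitcnt=(\d+)\)"
)


def parse_show_access_list(text):
    """Group remarks and ACEs by rule-id; one FMC ACP rule may expand to several Lina ACEs."""
    rules = defaultdict(lambda: {"remarks": [], "aces": []})
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            rules[m.group(3)]["remarks"].append(m.group(4))
            continue
        m = ACE_RE.match(line)
        if m:
            rules[m.group(6)]["aces"].append({
                "line": int(m.group(2)),
                "action": m.group(3),
                "proto": m.group(4),
                "match": m.group(5),
                "hitcnt": int(m.group(7)),
            })
    return dict(rules)


def rule_name(rule):
    """Return the ACP rule name carried in the 'L7 RULE:' remark, if present."""
    for remark in rule["remarks"]:
        if remark.startswith("L7 RULE: "):
            return remark[len("L7 RULE: "):]
    return None


def find_snort_deferrals(rules):
    """Return rule-ids whose ACEs mix a deny with a broad 'any any' permit.

    That shape means only part of the rule (here the single host) is enforced in Lina;
    the permit exists so the rest of the conditions (GeoIP, app, URL) reach Snort.
    """
    out = {}
    for rid, rule in rules.items():
        denies = [a for a in rule["aces"] if a["action"] == "deny"]
        permits = [a for a in rule["aces"] if a["action"] == "permit" and a["match"].endswith("any any")]
        if denies and permits:
            out[rid] = {
                "name": rule_name(rule),
                "deny_hits": sum(a["hitcnt"] for a in denies),
                "permit_hits": sum(a["hitcnt"] for a in permits),
            }
    return out


if __name__ == "__main__":
    parsed = parse_show_access_list(SHOW_ACCESS_LIST)
    for rid, info in find_snort_deferrals(parsed).items():
        print(f"rule-id {rid} ({info['name']}): deny hits={info['deny_hits']}, "
              f"any/any permit hits={info['permit_hits']} (these flows went to Snort)")
```

Run it against a full `show access-list` capture and every rule-id that appears with a permit whose hit count dwarfs its deny is a rule whose real verdict is being made by Snort, which is exactly why the Lina counters alone cannot tell you whether the GeoIP block is firing.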

 

velusamycs

Note: In Blocked Traffic we added 1 IP address and one geolocation in the source network. 


FLOW for OUTSIDE TO INSIDE (BLOCKED IP)

#packet-tracer input outside tcp A.A.A.A 123 X.X.X.X $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 256 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc outside host A.A.A.A any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 21760 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d0c3144578 flow (NA)/NA


OUTSIDE TO INSIDE - TRAFFIC FLOW

#packet-tracer input outside tcp X.X.X.X 123 Y.Y.Y.Y 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 3712 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside any any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 32256 ns
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 7168 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 34816 ns
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 26624 ns
Config:
Additional Information:
New flow created with id 95662948, packet dispatched to next module

Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 19968 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 13768 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 86380 ns
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268434438
Additional Information:
Starting rule matching, zone 3 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434438 - Allow

Phase: 16
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 7168 ns
Config:
Additional Information:
Found next-hop 10.0.0.10 using egress ifc inside(vrfid:0)

Phase: 17
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.0.0.10 on interface inside
Adjacency :Active
MAC address 0015.5d00.1a14 hits 28295 reference 4

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 267060 ns

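The two traces above carry the answer in two different phases: Phase 3 shows which Lina ACE matched and whether the packet was handed to Snort, and Phase 15 shows which ACP rule Snort actually matched (268434438, not 268441601, and with "geo 0 -> 0", i.e. no country resolved for either address). As an added example that is not part of this thread, the following Python script parses packet-tracer output into phases and pulls those facts out so the two rule-ids can be compared directly. The samples are constructed by trimming the two traces posted above to the phases that decide the verdict; the parser assumes the "Phase:/Type:/Config:/Additional Information:/Result:" layout shown there.

```python
import re

# Constructed samples, trimmed from the two packet-tracer runs posted above
# (only the phases that decide the verdict are kept; addresses stay masked as posted).
TRACE_ALLOW = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside any any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268434438
Additional Information:
Starting rule matching, zone 3 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434438 - Allow

Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: allow
"""

TRACE_DROP = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc outside host A.A.A.A any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:

Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d0c3144578 flow (NA)/NA
"""

ACE_RE = re.compile(r"access-list \S+ advanced (permit|deny) .* rule-id (\d+)")
SNORT_RE = re.compile(r"Matched rule ids (\d+) - (\w+)")
GEO_RE = re.compile(r"geo (\d+) -> (\d+)")


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the final Result block."""
    phases, result = [], {}
    cur, section = None, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Phase: "):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # final summary, unlike the per-phase "Result: ALLOW"
            cur, section = None, "result"
        elif section == "result":
            key, _, val = line.partition(":")
            result[key] = val.strip()
        elif cur is None:
            continue
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)
        else:
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
    return phases, result


def explain_verdict(text):
    """Report the Lina ACE that matched, whether the packet went to Snort, and the
    rule Snort finally matched, so the two rule-ids can be compared."""
    phases, result = parse_packet_tracer(text)
    v = {"lina_action": None, "lina_rule_id": None, "sent_to_snort": False,
         "snort_rule_id": None, "snort_verdict": None, "geo": None,
         "final_action": result.get("Action")}
    for p in phases:
        if p.get("type") == "ACCESS-LIST":
            for cfg in p["config"]:
                m = ACE_RE.search(cfg)
                if m:
                    v["lina_action"], v["lina_rule_id"] = m.group(1), m.group(2)
            v["sent_to_snort"] = any("sent to snort" in i for i in p["info"])
        elif p.get("type") == "SNORT" and p.get("subtype") == "firewall":
            for info in p["info"]:
                m = SNORT_RE.search(info)
                if m:
                    v["snort_rule_id"], v["snort_verdict"] = m.group(1), m.group(2)
                g = GEO_RE.search(info)
                if g:
                    v["geo"] = (int(g.group(1)), int(g.group(2)))
    # True when the Lina permit was only a hand-off and a different ACP rule decided the flow.
    v["verdict_from_other_rule"] = (v["snort_rule_id"] is not None
                                    and v["snort_rule_id"] != v["lina_rule_id"])
    return v


if __name__ == "__main__":
    for name, trace in (("allow", TRACE_ALLOW), ("drop", TRACE_DROP)):
        print(name, explain_verdict(trace))
```

For the allow trace the script reports a Lina permit on rule-id 268441601, a hand-off to Snort, and a Snort verdict from rule 268434438, which is the point the thread is circling: the "permit ip ifc outside any any" line never allows anything by itself, it only defers the rest of the "Blocked Traffic" conditions to Snort, and whether the GeoIP part blocks depends on the Snort phase, not on the Lina counters.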

I think you mean the second packet-tracer is for the geo IP.

If that is correct, then check what you see in the packet-tracer below:

"This packet will be sent to snort for additional processing where a verdict will be reached"

It is L7; if there is no app, then it is the geo that needs to be inspected by Snort.

Do packet-tracer again for the geo IP and check the block.

Note: this process is not seen in FMC events; what you will see there is the last deny/permit event.

MHM

velusamycs

#packet-tracer input outside tcp A.A.A.A 123 X.X.X.X $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 256 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc outside host A.A.A.A any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 21760 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d0c3144578 flow (NA)/NA

#packet-tracer input outside tcp X.X.X.X 123 Y.Y.Y.Y 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 3712 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside any any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 32256 ns
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 7168 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 34816 ns
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 26624 ns
Config:
Additional Information:
New flow created with id 95662948, packet dispatched to next module

Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 19968 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 13768 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 86380 ns
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268434438
Additional Information:
Starting rule matching, zone 3 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434438 - Allow

Phase: 16
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 7168 ns
Config:
Additional Information:
Found next-hop 10.0.0.10 using egress ifc inside(vrfid:0)

Phase: 17
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.0.0.10 on interface inside
Adjacency :Active
MAC address 0015.5d00.1a14 hits 28295 reference 4

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 267060 ns


Sorry, you hid the IP and it is not clear which IP this packet-tracer is for.

MHM
