SNORT -3.0- Suboptimal issue

titusroz03
Level 1

Dear All,

In one of our IPsec VPNs, we are having issues with FTP when a client tries to access an FTP server in the AWS cloud. While taking captures and a system trace, we found that at Snort the route lookup is not taking the correct egress zone; instead it takes the same ingress zone as the egress zone.

Starting rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff

Matched rule ids 268454094 - Allow

The correct zone mapping should be: 4 -> 5.

Again, from the packet debugs I can basically confirm that Snort is selecting the wrong egress zone:

Packet details: asa_flow_id(45021582) conn_meta_id(1588393) ingress_meta(8) ingress_index(5) ingress_group(1) egress_meta(8) egress_index(5) egress_group(1) asid(0)

These IDs should be different.

It works if we bypass Snort with a prefilter rule, and also if we set the action to trust on the policy instead of allow. But we are supposed to keep it as allow and go through Snort inspection.

Do you have any workarounds or a fix for this?

It takes the FMC auto-generated NAT exempt rule from the VPN topology instead of the exempt rule which we created.
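The two trace lines quoted above carry everything needed to spot this condition mechanically: the "Starting rule matching, zone A -> B" line gives the zone pair Snort used, and the "Packet details" line gives the ingress/egress interface indexes. The following script is an added example, not part of the original post and not a Cisco tool; it parses a constructed trace modelled on those lines, pairs each "Packet details" record with the zone line that preceded it, and flags flows where the egress zone equals the ingress zone, the egress interface index equals the ingress index, or the egress zone differs from an expected mapping the operator supplies (here the post's own 4 -> 5). The second flow in the sample is constructed as a healthy comparison; its values are not from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample trace modelled on the packet-debug lines quoted in the post.
# Flow 45021582 reproduces the symptom (zone 4 -> 4, identical ingress/egress index);
# flow 45021583 is a constructed healthy flow (zone 4 -> 5) for comparison.
SAMPLE_TRACE = """\
Starting rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268454094 - Allow
Packet details: asa_flow_id(45021582) conn_meta_id(1588393) ingress_meta(8) ingress_index(5) ingress_group(1) egress_meta(8) egress_index(5) egress_group(1) asid(0)
Starting rule matching, zone 4 -> 5, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268454094 - Allow
Packet details: asa_flow_id(45021583) conn_meta_id(1588394) ingress_meta(8) ingress_index(5) ingress_group(1) egress_meta(9) egress_index(6) egress_group(1) asid(0)
"""

ZONE_RE = re.compile(r"Starting rule matching, zone (\d+) -> (\d+)")
RULE_RE = re.compile(r"Matched rule ids (\d+) - (\w+)")
DETAILS_RE = re.compile(
    r"Packet details: asa_flow_id\((\d+)\).*?ingress_index\((\d+)\).*?egress_index\((\d+)\)"
)


@dataclass
class FlowRecord:
    asa_flow_id: int
    ingress_zone: int
    egress_zone: int
    ingress_index: int
    egress_index: int
    rule_id: Optional[int] = None
    action: Optional[str] = None

    @property
    def same_zone(self) -> bool:
        # The symptom from the post: Snort chose the ingress zone as egress.
        return self.ingress_zone == self.egress_zone

    @property
    def same_interface_index(self) -> bool:
        # Same interface index on both sides: the packet would leave where it entered.
        return self.ingress_index == self.egress_index


def parse_trace(text: str) -> List[FlowRecord]:
    """Pair each 'Packet details' line with the zone/rule lines that preceded it."""
    records: List[FlowRecord] = []
    zones = None
    rule = None
    for line in text.splitlines():
        m = ZONE_RE.search(line)
        if m:
            zones = (int(m.group(1)), int(m.group(2)))
            rule = None
            continue
        m = RULE_RE.search(line)
        if m:
            rule = (int(m.group(1)), m.group(2))
            continue
        m = DETAILS_RE.search(line)
        if m and zones is not None:
            records.append(FlowRecord(
                asa_flow_id=int(m.group(1)),
                ingress_zone=zones[0], egress_zone=zones[1],
                ingress_index=int(m.group(2)), egress_index=int(m.group(3)),
                rule_id=rule[0] if rule else None,
                action=rule[1] if rule else None,
            ))
            zones = None  # one details line per zone line; do not reuse stale state
            rule = None
    return records


def suspicious(records: List[FlowRecord],
               expected_egress: Optional[Dict[int, int]] = None) -> List[FlowRecord]:
    """Return flows whose egress selection looks wrong.

    expected_egress maps an ingress zone to the egress zone the operator expects
    (for the post: {4: 5}). It is an assumption supplied by the caller, not
    something the trace itself states.
    """
    flagged = []
    for r in records:
        wrong_mapping = (
            expected_egress is not None
            and r.ingress_zone in expected_egress
            and expected_egress[r.ingress_zone] != r.egress_zone
        )
        if r.same_zone or r.same_interface_index or wrong_mapping:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in suspicious(parse_trace(SAMPLE_TRACE), expected_egress={4: 5}):
        print(f"flow {r.asa_flow_id}: zone {r.ingress_zone} -> {r.egress_zone}, "
              f"index {r.ingress_index} -> {r.egress_index}, "
              f"rule {r.rule_id} {r.action}")
```

Fed the real output of the system trace instead of the constructed sample, the script gives a quick count of how many flows hit the same-zone condition, which is useful when deciding whether only the VPN-to-AWS FTP path is affected or other zone pairs show it too.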


Does the VPN end on your FTD or on a router behind the FTD?

MHM

It is on the FTD. And it has the auto-generated NAT exemption on the FTD.

Sheraz.Salim
VIP Alumni

It appears you're experiencing an issue with zone mapping and routing in your IPsec VPN setup for FTP traffic between a client and an AWS-hosted FTP server. Some potential solutions:

Problem

  1. Incorrect Zone Mapping: The Snort inspection is using the same zone (4) for both ingress and egress, when it should be 4 -> 5.
  2. Packet Debug Confirmation: The packet details show identical ingress and egress metadata, indexes, and groups, further confirming the incorrect routing.
  3. NAT Exempt Rule: The system is using an auto-generated NAT exempt rule from the VPN topology instead of a custom exempt rule you created.

Potential Solutions

1. Review and Adjust Zone Configuration

Ensure that your zones are correctly configured in your Firepower Management Center (FMC). Double-check the interface assignments and make sure they are mapped to the correct security zones.

2. Modify Access Control Policy

Review your access control policy and ensure that the rules are correctly configured to use the appropriate zones for ingress and egress traffic.

3. Custom NAT Exempt Rule

Create a more specific custom NAT exempt rule for your VPN traffic that takes precedence over the auto-generated rule. Ensure this rule correctly specifies the source and destination zones.

4. Policy Reorder

Check the order of your NAT and access control policies. Make sure your custom rules are placed above the auto-generated rules to ensure they are evaluated first.

5. Snort Configuration

Review your Snort configuration to ensure it's correctly identifying and processing the zones. You may need to update or reconfigure Snort rules related to zone handling.

6. Firepower Threat Defense (FTD) Upgrade

If you're running an older version of FTD, consider upgrading to the latest version. Newer versions often include bug fixes and improvements in traffic handling and zone mapping.


Logging and Monitoring: Enable detailed logging for your VPN and FTP traffic to gather more information about how packets are being processed.

Traffic Flow Analysis: Use packet capture tools on both ends of the VPN to analyze the complete traffic flow and identify where exactly the routing issue occurs.

AWS Configuration: Verify that your AWS VPC and security group configurations are correctly set up to allow the FTP traffic from your VPN.


please do not forget to rate.

Thanks for your detailed analysis and potential solutions. We have bypassed Snort with prefilter rules and it worked. Also, the same was achieved if we change the action from allow to trust in the ACP. So the problem resides with the Snort engine; we will try creating a custom NAT.

Could you give me the steps for removing the auto NAT exemption from the VPN and applying the custom NAT?

To remove the auto-generated NAT exemption from your VPN and apply a custom NAT rule instead, follow these steps:

  1. Disable auto-generated VPN NAT rules:
     Navigate to System > Advanced > Firewall and NAT in your FMC.
     Find the option "Disable Auto-added VPN rules" and enable it.
  2. Create a custom NAT exempt rule:
     Go to Policies > NAT in your FMC.
     Click "Add Rule" to create a new manual NAT rule.
     Set the following parameters:
     - Source: your local VPN network
     - Destination: remote VPN network
     - Source Translation: Original
     - Destination Translation: Original
     Place this rule at the top of your NAT policy to ensure it's evaluated first.
  3. Remove existing auto-generated rules:
     Review your current NAT policy.
     Identify and remove any auto-generated VPN NAT rules.
  4. Configure manual NAT for internet traffic:
     Create another manual NAT rule for traffic destined for the internet.
     Set the source as your local network and translate it to your external interface.
  5. Apply and deploy changes:
     After making these changes, save your NAT policy.
     Deploy the configuration to your managed devices.

Remember to test your VPN connection thoroughly after making these changes to ensure everything is working as expected. If you encounter any issues, you may need to adjust your firewall rules or VPN configuration accordingly.

please do not forget to rate.

It is not a NAT issue.

For the VPN traffic, you need to use ACP trust to bypass Snort inspection of that traffic.

Or you can use the ACP bypass option in the IPsec VPN.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

MHM