Cisco FMC managed FTD DNAT not working

neagucatalin2
Level 1

Hello,

I have come across a situation over the past couple of days:

I have 2 firewall stages, Core and Perimeter (each stage with 2x FPR3110):

Scenario:

- My perimeter firewall is connected point-to-point on a /27 public subnet with my border router, which interconnects with the ISP [PerimeterFW --- /27 public subnet ---> MY Border router --- /30 public subnet ---> ISP Router]

From the /27 subnet, I used one IP on the Perimeter FW interface and one on MY border router.

- The request was the following: the user wants to connect on tcp/22 using one of the remaining IPs from the public /27 subnet, and be redirected to an internal resource.

For this request I've performed DNAT, created an access rule, and made sure that I have a valid route towards the internal resource.

The point here is that when I test with packet tracer, the flow is allowed, but in reality it's not working.

Another funny thing is that for testing purposes I've allowed ICMP to the public IP from the perimeter firewall and it is not working. It looks like the access policies are not doing anything. I've also allowed ICMP from platform settings, with the same result: not working.

I mention that the segment between the ISP router and the perimeter firewall (that /27) is routed properly, as I can reach MY border router via ICMP on that interface.

I mention that I've double-checked the zones, routing and access policies.


Please help


What FMC and FTD version?

I would cross-check the configuration one more time.

You confirmed that from outside the packet is coming in to the ISP router, but you do not see the traffic in the FW? Do you have routing correct on the ISP router to route back to where the packet needs to go when the incoming packet comes in?

What ISP router? Can you post the configuration and routing information.

If the packet is coming in to the FW, I am sure you will see it on FMC as either dropped or allowed (not necessary to have an ACL).

Try packet-tracer and post the output here.

Check the guide below for reference:

https://rayka-co.com/lesson/cisco-ftd-nat-configuration/

BB


I am using FMC version 7.3.1 / FTDs version 7.3.1
- I have on the Perimeter firewall a default route towards the remote p2p IP on MY border router, and a static route to the LAN resource subnet via the interconnect with the Core FW IP.

Packet tracer:

> packet-tracer input PO-INTERNET tcp 109.166.151.139 22 188.241.73.100 22 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 15532 ns
Config:
nat (PO-INTERNET,INTERCONNECT) source static Idemia+GTS Idemia+GTS destination static host_188.241.73.100 dmz_sftp_srv_200.60 service SVC_12884936190 SVC_12884936190
Additional Information:
NAT divert to egress interface INTERCONNECT(vrfid:0)
Untranslate 188.241.73.100/22 to 10.10.200.60/22

Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 5
Object Group Search: 0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 0 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc PO-INTERNET any any rule-id 268435473
access-list CSM_FW_ACL_ remark rule-id 268435473: ACCESS POLICY: PerimeterFW - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435473: L7 RULE: GeoLocation-BLOCK
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x14fde4efbfd0, priority=12, domain=permit, deny=false
hits=1, user_data=0x14fdc3bb1c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=PO-INTERNET(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14fde50e2480, priority=7, domain=conn-set, deny=false
hits=66, user_data=0x14fde67135c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=PO-INTERNET(vrfid:0), output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
nat (PO-INTERNET,INTERCONNECT) source static Idemia+GTS Idemia+GTS destination static host_188.241.73.100 dmz_sftp_srv_200.60 service SVC_12884936190 SVC_12884936190
Additional Information:
Static translate 109.166.151.139/22 to 109.166.151.139/22
Forward Flow based lookup yields rule:
in id=0x14fde4a00c60, priority=6, domain=nat, deny=false
hits=15, user_data=0x14fde4366080, cs_id=0x0, flags=0x0, protocol=6
src ip/id=109.166.151.139, mask=255.255.255.255, port=0, tag=any
dst ip/id=188.241.73.100, mask=255.255.255.255, port=22, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=PO-INTERNET(vrfid:0), output_ifc=INTERCONNECT(vrfid:0)

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14fddfdd92d0, priority=0, domain=nat-per-session, deny=false
hits=109, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14fde4f59160, priority=0, domain=inspect-ip-options, deny=true
hits=100, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=PO-INTERNET(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 16591 ns
Config:
nat (PO-INTERNET,INTERCONNECT) source static Idemia+GTS Idemia+GTS destination static host_188.241.73.100 dmz_sftp_srv_200.60 service SVC_12884936190 SVC_12884936190
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14fde1895f90, priority=6, domain=nat-reverse, deny=false
hits=18, user_data=0x14fde625c040, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=109.166.151.139, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.200.60, mask=255.255.255.255, port=22, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=PO-INTERNET(vrfid:0), output_ifc=INTERCONNECT(vrfid:0)

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 17650 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14fddfdd92d0, priority=0, domain=nat-per-session, deny=false
hits=111, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any,
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14fde4ab96f0, priority=0, domain=inspect-ip-options, deny=true
hits=10095, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
src nsg_id=none, dst nsg_id=none
dscp=0x0, input_ifc=INTERCONNECT(vrfid:0), output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 8119 ns
Config:
Additional Information:
New flow created with id 13314, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 16944 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 13
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 27637 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 14
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 82070 ns
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268435475
Additional Information:
Starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268435475 - Allow

Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5295 ns
Config:
Additional Information:
Found next-hop 10.11.11.1 using egress ifc INTERCONNECT(vrfid:0)

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 1412 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.11.11.1 on interface INTERCONNECT
Adjacency :Active
MAC address 6879.099f.edb0 hits 16 reference 1

Result:
input-interface: PO-INTERNET(vrfid:0)
input-status: up
input-line-status: up
output-interface: INTERCONNECT(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 191250 ns

I mention that the routing on MY border router is really simple: a default route towards the ISP, and the /27 network is known as connected, as an IP from that subnet is configured on my interface towards the perimeter firewall.
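Reading a long `packet-tracer ... detailed` trace by eye is error-prone, and the useful comparison here is between what the trace claims (UN-NAT result, egress interface, next-hop, final action) and what a real capture on PO-INTERNET shows. The following Python parser is an added example, not code from the thread or from Cisco: it assumes only the phase/`Result:` layout visible in the trace above. `ALLOWED_TRACE` is an abbreviated copy of the trace posted above; `DROP_TRACE` is a constructed sample of the same format for a flow denied by the access policy, so that the drop-reporting path is exercised too.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Split the trace into Phase objects plus the trailing 'Result:' summary block."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Phase:\s*(\d+)$", line):      # start of a phase block
            cur = Phase(number=int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":                         # bare 'Result:' opens the final block
            cur, section = None, "final"
        elif section == "final":                        # 'key: value' lines of the summary
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
        elif cur is None:                               # e.g. the echoed command line
            continue
        elif m := re.match(r"(Type|Subtype|Result):\s*(.*)", line):
            setattr(cur, m.group(1).lower(), m.group(2).strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):             # 'Elapsed time:' lines are ignored
            getattr(cur, section).append(line)
    return phases, final

def summarize(text):
    """Extract the facts worth checking against a real capture when the trace says allow."""
    phases, final = parse_packet_tracer(text)
    info = [line for p in phases for line in p.info]
    hop = next((re.search(r"Found next-hop (\S+) using egress ifc (\S+)", line)
                for line in info if "Found next-hop" in line), None)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    return {
        "phases": [(p.number, p.type, p.subtype, p.result) for p in phases],
        "translations": [line for line in info if line.startswith(("Untranslate", "Static translate"))],
        "next_hop": (hop.group(1), hop.group(2)) if hop else None,
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),      # only present on a dropped trace
        "first_drop": (drop.number, drop.type, drop.config) if drop else None,
    }

# Abbreviated from the trace posted in the thread (intermediate phases omitted).
ALLOWED_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 15532 ns
Config:
nat (PO-INTERNET,INTERCONNECT) source static Idemia+GTS Idemia+GTS destination static host_188.241.73.100 dmz_sftp_srv_200.60 service SVC_12884936190 SVC_12884936190
Additional Information:
Untranslate 188.241.73.100/22 to 10.10.200.60/22

Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.11.11.1 using egress ifc INTERCONNECT(vrfid:0)

Result:
input-interface: PO-INTERNET(vrfid:0)
output-interface: INTERCONNECT(vrfid:0)
Action: allow
"""

# Constructed sample: the shape of a trace denied by the access policy.
DROP_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarize(ALLOWED_TRACE), summarize(DROP_TRACE), sep="\n")
```

Paste a full trace into `summarize()` and compare `next_hop` and `translations` with a capture taken on the ingress interface: if the capture shows no SYN for the mapped address at all, the trace is not the place to look, because packet-tracer only simulates a packet that has already reached the firewall.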

Can you draw the topology?
Thanks

MHM

In each stage, are the two FWs configured as HA or as a cluster?

Drawing the topology will be a big help for us to get to the issue here.

MHM

I didn't finish the HA configuration, so for this case/purpose we'll consider each stage as only one firewall member.

Sure, scenario and request below:
[attachment: pq scenario issue.drawio.png]

AND I forgot to mention that I also have a default route on the Perimeter FW pointing to 77.1.1.2

Will the perimeter FW do NATing of the DMZ into an Internet zone IP?

MHM

On the perimeter FW I did the DNAT rule for the inbound traffic; from what I know I don't need to do the opposite NAT, right?

Can I see the NAT you use via FMC?

MHM

[attachment: cisco community post.png]

Untranslate 188.241.73.100/22 to 10.10.200.60/22

This IP confuses me. Where is this IP?

MHM

This IP is from that /27 public subnet between the perimeter firewall and the border router. It is the IP chosen by the sysadmins to be exposed with NAT and accessed in order to reach the DMZ host 10.10.200.60.

On my diagram I didn't put the real IPs.