Cisco ha traducido este documento combinando la traducción automática y los recursos humanos a fin de ofrecer a nuestros usuarios en todo el mundo contenido en su propio idioma. Tenga en cuenta que incluso la mejor traducción automática podría no ser tan precisa como la proporcionada por un traductor profesional. Cisco Systems, Inc. no asume ninguna responsabilidad por la precisión de estas traducciones y recomienda remitirse siempre al documento original escrito en inglés (insertar vínculo URL).
Este documento describe cómo configurar y verificar la traducción de la dirección de la red básica (NAT) en la defensa de la amenaza de FirePOWER (FTD).
No hay requisitos específicos para este documento.
La información que contiene este documento se basa en las siguientes versiones de software y hardware.
Tiempo de la realización del laboratorio: 1 hora.
La información que contiene este documento se creó a partir de los dispositivos en un ambiente de laboratorio específico. Todos los dispositivos que se utilizan en este documento se pusieron en funcionamiento con una configuración verificada (predeterminada). Si tiene una red en vivo, asegúrese de entender el posible impacto de cualquier comando.
FTD utiliza las mismas opciones de configuración del NAT que el dispositivo de seguridad adaptante clásico (ASA):
Puesto que la configuración FTD se hace del FMC cuando se trata de la configuración del NAT, es necesario ser familiar con el GUI FMC y las diversas opciones de configuración.
Configure el NAT según estos requisitos:
Nombre de la política NAT |
El nombre del dispositivo FTD |
Regla NAT |
Regla manual NAT |
Tipo NAT |
Estático |
Inserte |
En la sección 1 |
Interfaz de origen |
inside* |
Interfaz de destino |
dmz* |
Fuente original |
192.168.75.14 |
Fuente traducida |
192.168.76.100 |
Zonas de Seguridad del *Use para la regla NAT
NAT estática
Solución:
Mientras que en el ASA clásico, usted tiene que utilizar el nameif en las reglas NAT. En FTD, usted necesita utilizar las zonas o a los grupos de interfaces de Seguridad.
Paso 1. Asigne los interfaces a las zonas de Seguridad/a los grupos de interfaces.
En esta tarea, se decide para asignar los interfaces FTD que se utiliza para el NAT a las zonas de Seguridad. Alternativamente, usted puede asignarlas a los grupos de interfaces tal y como se muestra en de la imagen.
Paso 2. El resultado está tal y como se muestra en de la imagen.
Paso 3. Usted puede crear/corrige los grupos de interfaces y las zonas de Seguridad de los objetos > la página de la Administración del objeto tal y como se muestra en de la imagen.
Zonas de Seguridad contra los grupos de interfaces
La diferencia principal entre las zonas de Seguridad y los grupos de interfaces es que un interfaz puede pertenecer a solamente una zona de Seguridad, pero puede pertenecer a los grupos de la interfaz múltiple. Tan prácticamente, los grupos de interfaces proporcionan a más flexibilidad.
Usted puede ver que el interior del interfaz pertenece a dos diversos grupos de interfaces, solamente solamente una zona de Seguridad tal y como se muestra en de la imagen.
Paso 4. Configure el NAT estático en FTD.
Navegue a los dispositivos > al NAT y cree una política NAT. Seleccione la nueva defensa NAT de la directiva > de la amenaza tal y como se muestra en de la imagen.
Paso 5. Especifique el nombre de la directiva y asígnelo a un dispositivo objetivo tal y como se muestra en de la imagen.
Paso 6. Agregue una regla NAT a la directiva, haga clic en agregan la regla.
Especifique éstos según los requisitos de la tarea tal y como se muestra en de las imágenes.
Host A = 192.168.75.14
Host B = 192.168.76.100
firepower# show run object object network Host-A host 192.168.75.14 object network Host-B host 192.168.76.100
Advertencia: Si usted configura el NAT estático y especifica un interfaz como la fuente traducida entonces toda trafica destinado a la dirección IP del interfaz se está reorientando. Los usuarios pueden no poder tener acceso a cualquier servicio activado en el interfaz asociado. Los ejemplos de tales servicios incluyen los protocolos de la encaminamiento como el OSPF y EIGRP.
Paso 7. El resultado está tal y como se muestra en de la imagen.
Paso 8. Asegúrese de que haya una directiva del control de acceso que permite que el host B tenga acceso al host A y vice versa. Recuerde que el NAT estático es bidireccional por abandono. Similar a los ASA clásicos, observe el uso de IPs.This real se espera puesto que en este laboratorio, LINA funciona con el código 9.6.1.x tal y como se muestra en de la imagen.
Verificación:
De LINA CLI:
firepower# show run nat nat (inside,dmz) source static Host-A Host-B
La regla NAT fue insertada en la sección 1 como se esperaba:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (dmz) source static Host-A Host-B translate_hits = 0, untranslate_hits = 0
Nota: Los 2 xlates que se crean en el fondo.
firepower# show xlate 2 in use, 4 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net NAT from inside:192.168.75.14 to dmz:192.168.76.100 flags sT idle 0:41:49 timeout 0:00:00 NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 0:41:49 timeout 0:00:00
Las tablas ASP NAT:
firepower# show asp table classify domain nat Input Table in id=0x7ff6036a9f50, priority=6, domain=nat, deny=false hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz in id=0x7ff603696860, priority=6, domain=nat, deny=false hits=0, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside Output Table: L2 - Output Table: L2 - Input Table: Last clearing of hits counters: Never
firepower# show asp table classify domain nat-reverse Input Table Output Table: out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz L2 - Output Table: L2 - Input Table: Last clearing of hits counters: Never
Captura del permiso con el detalle del rastro en FTD y el ping del host A al host B y tal y como se muestra en de la imagen.
firepower# capture DMZ interface dmz trace detail match ip host 192.168.76.14 host 192.168.76.100 firepower# capture INSIDE interface inside trace detail match ip host 192.168.76.14 host 192.168.75.14
Las cuentas del golpe están en las tablas ASP:
firepower# show asp table classify domain nat Input Table in id=0x7ff6036a9f50, priority=6, domain=nat, deny=false hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz in id=0x7ff603696860, priority=6, domain=nat, deny=false hits=4, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside
firepower# show asp table classify domain nat-reverse Input Table Output Table: out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false hits=4, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz
Las demostraciones de la captura de paquetes:
firepower# show capture DMZ 8 packets captured 1: 17:38:26.324812 192.168.76.14 > 192.168.76.100: icmp: echo request 2: 17:38:26.326505 192.168.76.100 > 192.168.76.14: icmp: echo reply 3: 17:38:27.317991 192.168.76.14 > 192.168.76.100: icmp: echo request 4: 17:38:27.319456 192.168.76.100 > 192.168.76.14: icmp: echo reply 5: 17:38:28.316344 192.168.76.14 > 192.168.76.100: icmp: echo request 6: 17:38:28.317824 192.168.76.100 > 192.168.76.14: icmp: echo reply 7: 17:38:29.330518 192.168.76.14 > 192.168.76.100: icmp: echo request 8: 17:38:29.331983 192.168.76.100 > 192.168.76.14: icmp: echo reply 8 packets shown
Rastros de un paquete (se destacan los puntos importantes).
Nota: La identificación de la regla NAT y de su correlación con la tabla ASP:
firepower# show capture DMZ packet-number 3 trace detail 8 packets captured 3: 17:38:27.317991 000c.2998.3fec d8b1.90b7.32e0 0x0800 Length: 74 192.168.76.14 > 192.168.76.100: icmp: echo request (ttl 128, id 9975) Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff602c72be0, priority=13, domain=capture, deny=false hits=55, user_data=0x7ff602b74a50, cs_id=0x0, l3_type=0x0 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 input_ifc=dmz, output_ifc=any Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x7ff603612200, priority=1, domain=permit, deny=false hits=1, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=dmz, output_ifc=any Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,dmz) source static Host-A Host-B Additional Information: NAT divert to egress interface inside Untranslate 192.168.76.100/0 to 192.168.75.14/0 Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.76.14 host 192.168.75.14 rule-id 268434440 access-list CSM_FW_ACL_ remark rule-id 268434440: ACCESS POLICY: FTD5506-1 - Mandatory/2 access-list CSM_FW_ACL_ remark rule-id 268434440: L4 RULE: Host-B to Host-A Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x7ff602b72610, priority=12, domain=permit, deny=false hits=1, user_data=0x7ff5fa9d0180, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.76.14, mask=255.255.255.255, port=0, tag=any, ifc=any dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, ifc=any, vlan=0, dscp=0x0 input_ifc=any, output_ifc=any Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x7ff60367cf80, priority=7, domain=conn-set, deny=false hits=1, user_data=0x7ff603677080, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=any Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,dmz) source static Host-A Host-B Additional Information: Static translate 192.168.76.14/1 to 192.168.76.14/1 Forward Flow based lookup yields rule: in id=0x7ff603696860, priority=6, domain=nat, deny=false hits=1, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff602220020, priority=0, domain=nat-per-session, deny=true hits=2, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff6035c0af0, priority=0, domain=inspect-ip-options, deny=true hits=1, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=any Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x7ff602b5f020, priority=70, domain=inspect-icmp, deny=false hits=2, user_data=0x7ff602be7460, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=any Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff602b3a6d0, priority=70, domain=inspect-icmp-error, deny=false hits=2, user_data=0x7ff603672ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=any Phase: 11 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,dmz) source static Host-A Host-B Additional Information: Forward Flow based lookup yields rule: out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false hits=2, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7ff602220020, priority=0, domain=nat-per-session, deny=true hits=4, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0x7ff602c56d10, priority=0, domain=inspect-ip-options, deny=true hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=any Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 5084, packet dispatched to next module Module information for forward flow ... snp_fp_inspect_ip_options snp_fp_snort snp_fp_inspect_icmp snp_fp_translate snp_fp_adjacency snp_fp_fragment snp_ifc_stat Module information for reverse flow ... snp_fp_inspect_ip_options snp_fp_translate snp_fp_inspect_icmp snp_fp_snort snp_fp_adjacency snp_fp_fragment snp_ifc_stat Phase: 15 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Config: Additional Information: Application: 'SNORT Inspect' Phase: 16 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Verdict: (pass-packet) allow this packet Phase: 17 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.75.14 using egress ifc inside Phase: 18 Type: ADJACENCY-LOOKUP Subtype: next-hop and adjacency Result: ALLOW Config: Additional Information: adjacency Active next-hop mac address 000c.2930.2b78 hits 140694538708414 Phase: 19 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x7ff6036a94e0, priority=13, domain=capture, deny=false hits=14, user_data=0x7ff6024aff90, cs_id=0x0, l3_type=0x0 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 input_ifc=inside, output_ifc=any Result: input-interface: inside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: allow 1 packet shown
Configure el NAT según estos requisitos:
Regla NAT |
Regla manual NAT |
Tipo NAT |
Dinámico |
Inserte |
En la sección 1 |
Interfaz de origen |
inside* |
Interfaz de destino |
outside* |
Fuente original |
192.168.75.0/24 |
Fuente traducida |
Interfaz exterior (PALMADITA) |
Zonas de Seguridad del *Use para la regla NAT
NAT estática
PALMADITA
Solución:
Paso 1. Agregue una segunda regla NAT y configurela según los requisitos de la tarea tal y como se muestra en de la imagen.
Paso 2. Aquí es cómo la PALMADITA se configura tal y como se muestra en de la imagen.
Paso 3. El resultado está tal y como se muestra en de la imagen.
Paso 4. Para el resto de este laboratorio, configure la directiva del control de acceso para permitir que todo el tráfico vaya a través.
Verificación:
Configuración del NAT:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 2 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 0, untranslate_hits = 0
De LINA CLI observe la nueva entrada:
firepower# show xlate 3 in use, 19 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net NAT from inside:192.168.75.14 to dmz:192.168.76.100 flags sT idle 1:15:14 timeout 0:00:00 NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 1:15:14 timeout 0:00:00 NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 0:04:02 timeout 0:00:00
Active la captura en las interfaces interior y exterior. En el rastro del permiso de la captura del interior:
firepower# capture CAPI trace interface inside match ip host 192.168.75.14 host 192.168.77.1 firepower# capture CAPO interface outside match ip any host 192.168.77.1
Haga ping del host A (192.168.75.14) a IP 192.168.77.1 tal y como se muestra en de la imagen.
En las capturas de LINA, usted puede ver la traducción de la PALMADITA:
firepower# show cap CAPI 8 packets captured 1: 18:54:43.658001 192.168.75.14 > 192.168.77.1: icmp: echo request 2: 18:54:43.659099 192.168.77.1 > 192.168.75.14: icmp: echo reply 3: 18:54:44.668544 192.168.75.14 > 192.168.77.1: icmp: echo request 4: 18:54:44.669505 192.168.77.1 > 192.168.75.14: icmp: echo reply 5: 18:54:45.682368 192.168.75.14 > 192.168.77.1: icmp: echo request 6: 18:54:45.683421 192.168.77.1 > 192.168.75.14: icmp: echo reply 7: 18:54:46.696436 192.168.75.14 > 192.168.77.1: icmp: echo request 8: 18:54:46.697412 192.168.77.1 > 192.168.75.14: icmp: echo reply
firepower# show cap CAPO 8 packets captured 1: 18:54:43.658672 192.168.77.6 > 192.168.77.1: icmp: echo request 2: 18:54:43.658962 192.168.77.1 > 192.168.77.6: icmp: echo reply 3: 18:54:44.669109 192.168.77.6 > 192.168.77.1: icmp: echo request 4: 18:54:44.669337 192.168.77.1 > 192.168.77.6: icmp: echo reply 5: 18:54:45.682932 192.168.77.6 > 192.168.77.1: icmp: echo request 6: 18:54:45.683207 192.168.77.1 > 192.168.77.6: icmp: echo reply 7: 18:54:46.697031 192.168.77.6 > 192.168.77.1: icmp: echo request 8: 18:54:46.697275 192.168.77.1 > 192.168.77.6: icmp: echo reply
Rastros de un paquete con las secciones importantes destacadas:
firepower# show cap CAPI packet-number 1 trace 8 packets captured 1: 18:54:43.658001 192.168.75.14 > 192.168.77.1: icmp: echo request Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.77.1 using egress ifc outside Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface Additional Information: Dynamic translate 192.168.75.14/1 to 192.168.77.6/1 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 11 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface Additional Information: Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 6981, packet dispatched to next module Phase: 15 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Config: Additional Information: Application: 'SNORT Inspect' Phase: 16 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Verdict: (pass-packet) allow this packet Phase: 17 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.77.1 using egress ifc outside Phase: 18 Type: ADJACENCY-LOOKUP Subtype: next-hop and adjacency Result: ALLOW Config: Additional Information: adjacency Active next-hop mac address c84c.758d.4980 hits 140694538709114 Phase: 19 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Result: input-interface: outside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow 1 packet shown
El xlate dinámico fue creado (observe los indicadores del “ri”):
firepower# show xlate 4 in use, 19 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net NAT from inside:192.168.75.14 to dmz:192.168.76.100 flags sT idle 1:16:47 timeout 0:00:00 NAT from dmz:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 1:16:47 timeout 0:00:00 NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0 flags sIT idle 0:05:35 timeout 0:00:00 ICMP PAT from inside:192.168.75.14/1 to outside:192.168.77.6/1 flags ri idle 0:00:30 timeout 0:00:30
En la LINA le registra ven:
firepower# show log May 31 2016 18:54:43: %ASA-7-609001: Built local-host inside:192.168.75.14 May 31 2016 18:54:43: %ASA-6-305011: Built dynamic ICMP translation from inside:192.168.75.14/1 to outside:192.168.77.6/1 May 31 2016 18:54:43: %ASA-7-609001: Built local-host outside:192.168.77.1 May 31 2016 18:54:43: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.75.14/1 gaddr 192.168.77.1/0 laddr 192.168.77.1/0 May 31 2016 18:54:43: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.75.14/1 gaddr 192.168.77.1/0 laddr 192.168.77.1/0 May 31 2016 18:54:43: %ASA-7-609002: Teardown local-host outside:192.168.77.1 duration 0:00:00 May 31 2016 18:55:17: %ASA-6-305012: Teardown dynamic ICMP translation from inside:192.168.75.14/1 to outside:192.168.77.6/1 duration 0:00:34
Secciones NAT:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 2 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 94, untranslate_hits = 138
Demostración de las tablas ASP:
firepower# show asp table classify domain nat Input Table in id=0x7ff6036a9f50, priority=6, domain=nat, deny=false hits=0, user_data=0x7ff60314dbf0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz in id=0x7ff603696860, priority=6, domain=nat, deny=false hits=4, user_data=0x7ff602be3f80, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.76.100, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside in id=0x7ff602c75f00, priority=6, domain=nat, deny=false hits=94, user_data=0x7ff6036609a0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=outside in id=0x7ff603681fb0, priority=6, domain=nat, deny=false hits=276, user_data=0x7ff60249f370, cs_id=0x0, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.77.6, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside
firepower# show asp table classify domain nat-reverse Input Table Output Table: out id=0x7ff603685350, priority=6, domain=nat-reverse, deny=false hits=4, user_data=0x7ff60314dbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=dmz, output_ifc=inside out id=0x7ff603638470, priority=6, domain=nat-reverse, deny=false hits=0, user_data=0x7ff602be3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.75.14, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=dmz out id=0x7ff60361bda0, priority=6, domain=nat-reverse, deny=false hits=138, user_data=0x7ff6036609a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside out id=0x7ff60361c180, priority=6, domain=nat-reverse, deny=false hits=94, user_data=0x7ff60249f370, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=192.168.75.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=inside, output_ifc=outside
Configure el NAT según estos requisitos:
Regla NAT |
Regla manual NAT |
Tipo NAT |
Estático |
Inserte |
En las reglas existentes de la sección 1 sobre todo |
Interfaz de origen |
inside* |
Interfaz de destino |
outside* |
Fuente original |
192.168.75.0/24 |
Fuente traducida |
192.168.75.0/24 |
Destino original |
10.1.1.0/24 |
Destino traducido |
10.1.1.0/24 |
Zonas de Seguridad del *Use para la regla NAT
NAT estática
PALMADITA
Exención de NAT
Solución:
Paso 1. Agregue una tercera regla NAT y configurela por los requisitos de la tarea tal y como se muestra en de la imagen.
Paso 2. Realice las operaciones de búsqueda de la ruta para la determinación de la interfaz de egreso.
Nota: Para las reglas NAT de la identidad, como la que usted agregó, usted puede cambiar cómo la interfaz de egreso es resuelta y utiliza las operaciones de búsqueda normales de la ruta tal y como se muestra en de la imagen.
Verificación:
firepower# show run nat nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits nat (inside,dmz) source static Host-A Host-B nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits translate_hits = 0, untranslate_hits = 0 2 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 96, untranslate_hits = 138
Ejecute el paquete-trazalíneas para el tráfico no VPN originario por dentro de la red. La regla de la PALMADITA se utiliza como se esperaba:
firepower# packet-tracer input inside tcp 192.168.75.14 1111 192.168.77.1 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.77.1 using egress ifc outside Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface Additional Information: Dynamic translate 192.168.75.14/1111 to 192.168.77.6/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface Additional Information: Phase: 10 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 12 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 7227, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
Ejecute el paquete-trazalíneas para el tráfico que debe pasar a través del túnel VPN (funcionamiento él dos veces puesto que el primer intento trae el túnel VPN para arriba).
Nota: Usted debe golpear la regla de la exención de NAT.
Primera tentativa del paquete-trazalíneas:
firepower# packet-tracer input inside tcp 192.168.75.14 1111 10.1.1.1 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: NAT divert to egress interface outside Untranslate 10.1.1.1/80 to 10.1.1.1/80 Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: Static translate 192.168.75.14/1111 to 192.168.75.14/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
Segunda tentativa del paquete-trazalíneas:
firepower# packet-tracer input inside tcp 192.168.75.14 1111 10.1.1.1 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: NAT divert to egress interface outside Untranslate 10.1.1.1/80 to 10.1.1.1/80 Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: Static translate 192.168.75.14/1111 to 192.168.75.14/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 10 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits Additional Information: Phase: 11 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 7226, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow
Verificación de la cuenta del golpe NAT:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits translate_hits = 9, untranslate_hits = 9 2 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 98, untranslate_hits = 138
Configure el NAT según estos requisitos:
Regla NAT |
Regla auto NAT |
Tipo NAT |
Estático |
Inserte |
En la sección 2 |
Interfaz de origen |
inside* |
Interfaz de destino |
dmz* |
Fuente original |
192.168.75.99 |
Fuente traducida |
192.168.76.99 |
Traduzca las contestaciones DNS que hacen juego esta regla |
Activado |
Zonas de Seguridad del *Use para la regla NAT
Solución:
Paso 1. Configure la regla según los requisitos de la tarea tal y como se muestra en de las imágenes.
Paso 2. El resultado está tal y como se muestra en de la imagen.
Verificación:
firepower# show run nat nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits nat (inside,dmz) source static Host-A Host-B nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface ! object network obj-192.168.75.99 nat (inside,dmz) static obj-192.168.76.99 dns
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits translate_hits = 9, untranslate_hits = 9 2 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 98, untranslate_hits = 138 Auto NAT Policies (Section 2) 1 (inside) to (dmz) source static obj-192.168.75.99 obj-192.168.76.99 dns translate_hits = 0, untranslate_hits = 0
Verificación con el paquete-trazalíneas:
firepower# packet-tracer input inside tcp 192.168.75.99 1111 192.168.76.100 80 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.76.100 using egress ifc dmz Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: object network obj-192.168.75.99 nat (inside,dmz) static obj-192.168.76.99 dns Additional Information: Static translate 192.168.75.99/1111 to 192.168.76.99/1111 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 10 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 11 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 7245, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: dmz output-status: up output-line-status: up Action: allow
Configure el NAT según estos requisitos:
Regla NAT |
Regla manual NAT |
Tipo NAT |
Dinámico |
Inserte |
En la sección 3 |
Interfaz de origen |
inside* |
Interfaz de destino |
dmz* |
Fuente original |
192.168.75.0/24 |
Fuente traducida |
192.168.76.20-22 |
Utilice el rango entero (1-65535) |
Activado |
Zonas de Seguridad del *Use para la regla NAT
Solución:
Paso 1. Configure la regla por los requisitos de la tarea tal y como se muestra en de las imágenes.
Paso 2. Active el rango plano del puerto con incluyen los puertos de Reserver que permite el uso del rango entero (1-65535) tal y como se muestra en de la imagen.
Paso 3. El resultado está tal y como se muestra en de la imagen.
Verificación:
firepower# show run nat nat (inside,outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits nat (inside,dmz) source static Host-A Host-B nat (inside,outside) source dynamic Net_192.168.75.0_24bits interface ! object network obj-192.168.75.99 nat (inside,dmz) static obj-192.168.76.99 dns ! nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve
La regla está en la sección 3:
firepower# show nat Manual NAT Policies (Section 1) 1 (inside) to (outside) source static Net_192.168.75.0_24bits Net_192.168.75.0_24bits destination static net_10.1.1.0_24bits net_10.1.1.0_24bits translate_hits = 9, untranslate_hits = 9 2 (inside) to (dmz) source static Host-A Host-B translate_hits = 26, untranslate_hits = 26 3 (inside) to (outside) source dynamic Net_192.168.75.0_24bits interface translate_hits = 98, untranslate_hits = 138 Auto NAT Policies (Section 2) 1 (inside) to (dmz) source static obj-192.168.75.99 obj-192.168.76.99 dns translate_hits = 1, untranslate_hits = 0 Manual NAT Policies (Section 3) 1 (inside) to (dmz) source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve translate_hits = 0, untranslate_hits = 0
verificación del Paquete-trazalíneas:
firepower# packet-tracer input inside icmp 192.168.75.15 8 0 192.168.76.5 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 192.168.76.5 using egress ifc dmz Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434434 access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD5506-1 - Default/1 access-list CSM_FW_ACL_ remark rule-id 268434434: L4 RULE: DEFAULT ACTION RULE Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 5 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 6 Type: NAT Subtype: Result: ALLOW Config: nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve Additional Information: Dynamic translate 192.168.75.15/0 to 192.168.76.20/11654 Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Phase: 10 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 11 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (inside,dmz) after-auto source dynamic Net_192.168.75.0_24bits pat-pool range-192.168.76.20-22 flat include-reserve Additional Information: Phase: 12 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Phase: 13 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 14 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 7289, packet dispatched to next module Result: input-interface: inside input-status: up input-line-status: up output-interface: dmz output-status: up output-line-status: up Action: allow
Utilize esta sección para confirmar que su configuración funcione correctamente.
La verificación se ha explicado en las secciones de las tareas individuales.
Esta sección brinda información que puede utilizar para la solución de problemas en su configuración.
Abra la página avanzada del troubleshooting en el FMC, ejecute el paquete-trazalíneas y después funcione con el comando pool nacional de la demostración.
Observe la entrada que utiliza el rango entero tal y como se muestra en de la imagen.
https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html#id_47280
http://www.ciscopress.com/title/9781587144806
https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html