To configure a NAT policy in FTD, go to the Policies tab (top) > NAT.
Notice there's a default Dynamic NAT rule which allows any IPv4 subnet on the inside to be NAT'd (PAT) using the outside interface (Internet).
Under the Actions column (far right) > click Edit (blue pencil icon).
Change the Title: IN-OUT-DNAT > leave the default Status: enable.
Under Placement > leave the default option: Before Auto NAT Rules.
Under Type > leave the default: Dynamic.
Under Packet Translation tab > Original Packet > Source Interface > leave the default option: inside.
Under Source Address > click Create new Network.
Type a Name: Obj-192.168.1.0-24 (a "/" is an invalid character) > optionally type a friendly Description > under Type > leave the default option: Network > under Network > type the Network and Subnet Mask in CIDR notation: 192.168.1.0/24 > click OK.
Select the newly created object under Source Address.
Leave the default options for the Translated Packet.
Click Show Diagram to view the NAT translation diagram > click OK to finish.
Click Deployment (top icon with amber/orange dot).
View the Pending Changes > click Deploy Now.
I visited Cisco.com to test.
You can use the show nat, show xlate and show conn commands, which are similar to the ASA commands.
> show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
translate_hits = 459, untranslate_hits = 1
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface service tcp https https
translate_hits = 0, untranslate_hits = 138
2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface
translate_hits = 378, untranslate_hits = 181
6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
> show nat
detail divert-table interface object object-group pool
proxy-arp translated |
> show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
translate_hits = 490, untranslate_hits = 1
Source - Origin: 192.168.1.0/24, Translated: 116.87.123.45/18
Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface service tcp https https
translate_hits = 0, untranslate_hits = 138
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
Service - Protocol: tcp Real: https Mapped: https
2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
Service - Protocol: tcp Real: ssh Mapped: ssh
3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6 service tcp ssh ssh
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
Service - Protocol: tcp Real: ssh Mapped: ssh
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface
translate_hits = 380, untranslate_hits = 181
Source - Origin: 169.254.1.3/32, Translated: 116.87.123.45/18
6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
Source - Origin: fd00:0:0:1::3/128, Translated:
> show xlate
356 in use, 358 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
flags sr idle 0:00:28 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:30:27 timeout 0:00:00
UDP PAT from inside:192.168.1.10/61847 to outside:116.87.123.45/61847 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside:192.168.1.10/64302 to outside:116.87.123.45/64302 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.10/64301 to outside:116.87.123.45/64301 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.1.10/44752 to outside:116.87.123.45/44752 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.10/56617 to outside:116.87.123.45/56617 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/54290 to outside:116.87.123.45/54290 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/60022 to outside:116.87.123.45/60022 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/52535 to outside:116.87.123.45/52535 flags ri idle 0:00:08 timeout 0:00:30
<OUTPUT TRUNCATED>
> show conn
123 in use, 371 most used
Inspect Snort:
preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect
TCP outside 104.244.42.3:443 inside 192.168.1.10:44855, idle 0:00:37, bytes 7936, flags UxIO
TCP outside 157.240.13.35:443 inside 192.168.1.10:44836, idle 0:00:38, bytes 15225, flags UxIO
TCP outside 52.98.42.130:443 inside 192.168.1.10:63005, idle 0:00:23, bytes 13124, flags UxIO
TCP outside 40.100.55.2:443 inside 192.168.1.10:63006, idle 0:00:13, bytes 25343, flags UxIO
TCP outside 40.100.29.34:443 inside 192.168.1.10:10477, idle 0:11:54, bytes 9876, flags UxIO
TCP outside 54.254.251.1:443 inside 192.168.1.10:36362, idle 0:00:37, bytes 7259, flags UxIO
TCP outside 34.198.199.106:443 inside 192.168.1.10:28062, idle 0:00:37, bytes 17145, flags UxIO
TCP outside 34.198.199.106:443 inside 192.168.1.10:36361, idle 0:00:10, bytes 18003, flags UxIO
TCP outside 173.37.149.105:443 inside 192.168.1.10:44840, idle 0:00:40, bytes 11198, flags UxIO
TCP outside 173.37.149.105:443 inside 192.168.1.10:40935, idle 0:00:42, bytes 10445, flags UxIO
TCP outside 173.37.149.105:443 inside 192.168.1.10:40930, idle 0:00:43, bytes 20451, flags UxIO
TCP outside 74.125.200.155:443 inside 192.168.1.10:7615, idle 0:00:39, bytes 12666, flags UxIO
TCP outside 172.217.24.102:443 inside 192.168.1.10:36357, idle 0:00:39, bytes 5063, flags UxIO
TCP outside 74.125.24.155:443 inside 192.168.1.10:36367, idle 0:00:37, bytes 6834, flags UxIO
TCP outside 74.125.24.155:443 inside 192.168.1.10:44843, idle 0:00:41, bytes 4747, flags UxIO
TCP outside 104.244.42.69:443 inside 192.168.1.10:44846, idle 0:00:38, bytes 6786, flags UxIO
TCP outside 52.114.14.151:443 inside 192.168.1.10:19879, idle 0:00:26, bytes 10267, flags UxIO
TCP outside 52.114.128.43:443 inside 192.168.1.10:18370, idle 0:00:00, bytes 18962, flags UxIO
TCP outside 52.114.128.43:443 inside 192.168.1.10:15920, idle 0:00:49, bytes 16654, flags UxIO
TCP outside 111.223.64.42:443 inside 192.168.1.10:19838, idle 0:05:56, bytes 6617, flags UxIO
TCP outside 72.163.10.124:443 inside 192.168.1.10:40931, idle 0:00:43, bytes 11399, flags UxIO
TCP outside 52.17.192.1:443 inside 192.168.1.10:4630, idle 0:00:09, bytes 69964, flags UxIO
UDP nlp_int_tap 169.254.1.3:123 outside 168.63.232.55:123, idle 0:00:31, bytes 7920, flags -
TCP outside 74.125.200.106:443 inside 192.168.1.10:44835, idle 0:00:38, bytes 13724, flags UxIO
<OUTPUT TRUNCATED>
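To confirm that the IN-OUT-DNAT rule is the one translating traffic, compare the hit counters between two captures. The script below is an added example, not part of the original post: it parses the show nat and show nat detail output shown above (sample lines copied from those captures) and reports how much each rule's counters grew. The function names parse_show_nat and hit_delta are hypothetical.

```python
import re

# Lines copied from the `show nat` and `show nat detail` captures above
# (manual rule 1 and auto rule 4 only).
BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
translate_hits = 459, untranslate_hits = 1
Auto NAT Policies (Section 2)
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
"""
AFTER = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
translate_hits = 490, untranslate_hits = 1
Source - Origin: 192.168.1.0/24, Translated: 116.87.123.45/18
Auto NAT Policies (Section 2)
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
"""

SECTION = re.compile(r"(?:Manual|Auto) NAT Policies \(Section (\d+)\)")
RULE = re.compile(r"(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+)")
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")

def parse_show_nat(text):
    """Map (section, rule index) -> rule fields and hit counters."""
    rules, section, key = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = int(m.group(1))
        elif m := RULE.match(line):
            key = (section, int(m.group(1)))
            rules[key] = {"real_if": m.group(2), "mapped_if": m.group(3),
                          "type": m.group(4), "object": m.group(5)}
        elif (m := HITS.match(line)) and key in rules:
            rules[key]["hits"] = (int(m.group(1)), int(m.group(2)))
    return rules

def hit_delta(before, after):
    """Growth of (translate, untranslate) counters between two captures."""
    return {k: tuple(a - b for a, b in zip(after[k]["hits"], before[k]["hits"]))
            for k in after if k in before}

if __name__ == "__main__":
    for key, delta in hit_delta(parse_show_nat(BEFORE), parse_show_nat(AFTER)).items():
        print(key, delta)
```

A rule whose counters stay at zero across captures is not matching any traffic and is worth reviewing.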
There are several FTD Smart License types: the Base License (perpetual); the Threat, Malware and URL Licenses, which are term-based; and RA VPN (which can be either perpetual or term-based).
• Base License: included by default; enables Networking, Firewall and Application Visibility and Control (AVC)
• Threat: enables IPS and Security Intelligence
• Malware: enables dynamic analysis and sandboxing
• URL Filtering: enables category and reputation-based URL filtering
Aside from activating the 90-day Evaluation license, you'll also need to manually Enable each feature for the Threat, Malware and URL Licenses.
Go to Smart License > View Configuration > Enable License.
You can Register the FTD device to the Cisco Smart Software Manager.
The Base License is automatically included and Enabled by default. The URL License was enabled in a previous post.
Click Enable under each License.
Notice that the Status of the Threat, Malware and URL Licenses is Enabled for all three.
In addition to enabling the URL License, it's best practice to ensure the Query Cisco CSI for Unknown URLs option is enabled (it is enabled by default).
Go to Device > System Settings > Traffic Setting > URL Filtering Preferences.
I created my first Access Control rule to block a specific website or URL: Cisco.com
Go to Policies > Access Control > Add.
Type a Name: Block-Cisco-Site > select Action: Block.
Under Source Zones > click Add (plus icon) > select inside_zone > click OK.
Under Networks > click Add > select Obj-192.168.1.0-24 > click OK.
Under Destination > Zones > Add > select: outside_zone.
Go to URLs tab > click Add (blue plus icon).
Click Create new URL.
Type the object name: Cisco-site > optionally type a Description > type the URL: cisco.com > click OK.
Select the newly created URL object > click OK.
Click OK.
Go to Logging tab > Select Log Action: At Beginning and End of Connection > click OK (bottom).
Use this type of Log Action with caution. You typically use this in a lab or when troubleshooting.
You can edit the Rule number or drag and drop a rule to change its order. Rules are evaluated from top to bottom and the first match is applied, so it's best practice to put the specific IPs or sites to block at the top of the Access Control rules.
Click Deployment > Deploy Now.
I visited Cisco.com but got an Access Denied page.
Go to Monitoring > Dashboard > Network Overview.
Notice there's a hit count (20) for the URL filtering rule: Block-Cisco-Site.
Click the rule name (a hyperlink) to view more details.
Go to Events (bottom) to view real-time event logs.
Click Pause to temporarily pause the generation of Syslog messages.
Notice a Block under the Action column. Hover over a specific log > click View Details.
You can also type/search in the Filter Criteria field > click Filter to narrow down specific events.
I used the filter: Rule Action=Block.
I created a second Access Control rule to block websites according to a Category.
Click Add > select the Order: 1 > type a Title: Block-Porn > Action: Block > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.
Go to URLs tab > type/search for Adult and Pornography > click OK.
Go to Logging > Select Log Action: At Beginning and End of Connection > click OK.
Click Deployment > Deploy Now.
I visited some Adult/Porn sites and got an Access Denied page.
Go to Monitoring > Network Overview to monitor the Access Rule hits.
Click on the specific rule (a hyperlink) to view more details.
Go to Events > filter using: Rule Action=Block > click Filter.
Hover over a specific event > click View Details.
I created a third Access Control rule to block Malware.
Note the Action: Allow is needed for Malware and File inspection to work properly.
Click Add > select the Order: 1 > type a Title: Block-Malware > Action: Allow > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.
Go to Intrusion Policy tab > enable Intrusion Policy > Level of Intrusion Policy > select: Balanced Security and Connectivity.
Go to File Policy tab > Select the File Policy: Block Malware All.
Go to Logging tab > Select Log Action: At Beginning and End of Connection.
Click OK > Deployment > Deploy Now.
You can go to Eicar.org to download a test malware file.
These are harmless files used to test your Anti-Virus or Anti-Malware policy.
Go to Monitoring > Network Overview. Notice the Block-Malware Access Rule got hits.
Click the specific rule (a hyperlink) to view more details.
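Rule order matters once an Allow rule with no URL condition sits above the Block rules. The script below is an added example, not part of the original post and not FDM code: a simplified model of top-down, first-match evaluation applied to the three rules on this page, assuming they are left in the order they were entered. The Rule class, the label sets and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    urls: Optional[FrozenSet[str]] = None  # None = no URL condition (matches any URL)

# The three rules from this page. They share inside_zone, outside_zone and
# Obj-192.168.1.0-24, so only the URL condition is modelled.
CISCO = Rule("Block-Cisco-Site", "Block", frozenset({"Cisco-site"}))
PORN = Rule("Block-Porn", "Block", frozenset({"Adult and Pornography"}))
MALWARE = Rule("Block-Malware", "Allow")  # intrusion + file policy attached

def first_match(rules, labels):
    """Top-down evaluation: the first rule whose URL condition matches wins."""
    for rule in rules:
        if rule.urls is None or rule.urls & labels:
            return rule
    return None  # nothing matched: the policy's default action applies

def shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule always matches first."""
    pairs = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            covers = earlier.urls is None or (
                rule.urls is not None and rule.urls <= earlier.urls)
            if covers:
                pairs.append((rule.name, earlier.name))
                break
    return pairs

# The second and third rules were added at Order 1, so the newest sits on top.
AS_CONFIGURED = [MALWARE, PORN, CISCO]
# Specific blocks first, the broad inspect-and-allow rule last.
REORDERED = [CISCO, PORN, MALWARE]

if __name__ == "__main__":
    request = frozenset({"Cisco-site"})  # constructed: a request to cisco.com
    for order in (AS_CONFIGURED, REORDERED):
        hit = first_match(order, request)
        print([r.name for r in order], "->", hit.name, hit.action, shadowed(order))
```

In this model, moving Block-Malware below the two Block rules keeps the URL blocks effective while the remaining traffic is still inspected by the intrusion and file policies.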