Friday, December 4, 2020

Cisco Firepower 1010 NAT and Smart License

To configure a NAT policy in FTD through the Firepower Device Manager (FDM) web interface, go to the Policies tab (top) > NAT.

 

Notice there's a default Dynamic NAT rule that translates any IPv4 source on the inside to the address of the outside interface (PAT); this is what gives inside hosts Internet access.

 

Under Actions column (far right) > click Edit (blue pencil icon).

 


Change the Title: IN-OUT-DNAT > leave the default Status: enable.

Under Placement > leave the default option: Before Auto NAT Rules.

Under Type > leave the default: Dynamic.

Under Packet Translation tab > Original Packet > Source Interface > leave the default option: inside.

Under Source Address > click Create new Network.

Type a Name: Obj-192.168.1.0-24 (a "/" is not a valid character in an object name, hence the dash) > optionally type a friendly Description > under Type leave the default option: Network > under Network type the network and subnet mask in CIDR notation: 192.168.1.0/24 > click OK.

Select the newly created object under Source Address.

Leave the default options for the Translated Packet (Destination Interface: outside, Translated Address: Interface). Translating to the interface address is what makes this a PAT rule, and it is why the rule appears with "interface" as its translated source in the show nat output below.

 

Click Show Diagram to view the NAT translation diagram > click OK to finish.

 

Click Deployment (top icon with amber/orange dot).

View the Pending Changes > click Deploy Now.

I visited Cisco.com to test.

You can verify the result with show nat, show xlate and show conn from the FTD CLI; these are the same commands as on the ASA, since FTD's data plane is the ASA (LINA) engine. In the show nat output, Section 1 holds the manual rule you just deployed (192.168.1.0/24 on inside translated dynamically to the outside interface address), while Section 2 holds the Auto NAT rules FTD creates for its own management tap interface (nlp_int_tap, 169.254.1.3); those are expected and can be left alone.

 

> show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
    translate_hits = 459, untranslate_hits = 1

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface  service tcp https https
    translate_hits = 0, untranslate_hits = 138
2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface  service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6  service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
    translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface
    translate_hits = 378, untranslate_hits = 181
6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
    translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
    translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
    translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
    translate_hits = 0, untranslate_hits = 0

 

> show nat ?
  detail       divert-table interface    object       object-group pool
  proxy-arp    translated   |

      

> show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
    translate_hits = 490, untranslate_hits = 1
    Source - Origin: 192.168.1.0/24, Translated: 116.87.123.45/18

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface  service tcp https https
    translate_hits = 0, untranslate_hits = 138
    Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
    Service - Protocol: tcp Real: https Mapped: https
2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface  service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
    Service - Protocol: tcp Real: ssh Mapped: ssh
3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6  service tcp ssh ssh
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: fd00:0:0:1::3/128, Translated:
    Service - Protocol: tcp Real: ssh Mapped: ssh
4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24
5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface
    translate_hits = 380, untranslate_hits = 181
    Source - Origin: 169.254.1.3/32, Translated: 116.87.123.45/18
6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32
7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: fd00:0:0:1::3/128, Translated:
8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: fd00:0:0:1::3/128, Translated:
9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: fd00:0:0:1::3/128, Translated:

 

 

> show xlate
356 in use, 358 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443
    flags sr idle 0:00:28 timeout 0:00:00
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:30:27 timeout 0:00:00

UDP PAT from inside:192.168.1.10/61847 to outside:116.87.123.45/61847 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from inside:192.168.1.10/64302 to outside:116.87.123.45/64302 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.10/64301 to outside:116.87.123.45/64301 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.1.10/44752 to outside:116.87.123.45/44752 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from inside:192.168.1.10/56617 to outside:116.87.123.45/56617 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/54290 to outside:116.87.123.45/54290 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/60022 to outside:116.87.123.45/60022 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside:192.168.1.10/52535 to outside:116.87.123.45/52535 flags ri idle 0:00:08 timeout 0:00:30

 

<OUTPUT TRUNCATED>
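As an added example (not part of the original post), the Python below parses text in the format of the show nat and show xlate output above and turns it into two checks you can run offline against saved captures: that the manual rule's translate_hits actually grow between two snapshots (459 to 490 above), and that every dynamic PAT entry from inside comes from the NAT object's network and lands on the outside interface address. The sample text is constructed from the format above; the last xlate line (10.9.9.9 to 203.0.113.7) is a deliberate anomaly planted for the check to find, and 116.87.123.45 is simply the outside address shown in the output.

```python
import ipaddress
import re

# Constructed samples in the format of the show nat / show xlate output above.
# The last xlate line is a planted anomaly: wrong source network and wrong translated address.
SHOW_NAT_BEFORE = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
    translate_hits = 459, untranslate_hits = 1
"""
SHOW_NAT_AFTER = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface
    translate_hits = 490, untranslate_hits = 1
"""
SHOW_XLATE = """\
356 in use, 358 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
UDP PAT from inside:192.168.1.10/61847 to outside:116.87.123.45/61847 flags ri idle 0:00:00 timeout 0:00:30
TCP PAT from inside:192.168.1.10/44752 to outside:116.87.123.45/44752 flags ri idle 0:00:01 timeout 0:00:30
TCP PAT from inside:192.168.1.20/50001 to outside:116.87.123.45/50001 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside:10.9.9.9/40000 to outside:203.0.113.7/40000 flags ri idle 0:00:03 timeout 0:00:30
"""

# "1 (inside) to (outside) source dynamic Obj-... interface" followed by its hit-counter line.
NAT_RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source (?P<kind>dynamic|static) (?P<obj>\S+).*\n"
    r"\s+translate_hits = (?P<thits>\d+), untranslate_hits = (?P<uhits>\d+)",
    re.MULTILINE,
)
# "TCP PAT from inside:192.168.1.10/44752 to outside:116.87.123.45/44752 flags ri ..."
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>\w+):(?P<xlate_ip>[\d.]+)/(?P<xlate_port>\d+) flags (?P<flags>\S+)"
)


def parse_nat_hits(text):
    """Map (rule number, object name) -> translate_hits for every NAT rule in the output."""
    return {(int(m["num"]), m["obj"]): int(m["thits"]) for m in NAT_RULE_RE.finditer(text)}


def hits_increased(before, after):
    """Rules whose translate_hits grew between two snapshots, i.e. rules actually carrying traffic."""
    b, a = parse_nat_hits(before), parse_nat_hits(after)
    return {rule: a[rule] - b[rule] for rule in a if rule in b and a[rule] > b[rule]}


def parse_xlates(text):
    """Dynamic PAT entries only; static and identity entries use a different layout and are skipped."""
    return [m.groupdict() for m in map(XLATE_RE.match, text.splitlines()) if m]


def audit_xlates(text, inside_net, outside_ip, src_if="inside"):
    """One finding per translation that contradicts the intended rule: a source outside
    the NAT object's network, or a translated address other than the outside interface."""
    net = ipaddress.ip_network(inside_net)
    findings = []
    for x in parse_xlates(text):
        if x["src_if"] != src_if:
            continue
        if ipaddress.ip_address(x["src_ip"]) not in net:
            findings.append(f"{x['src_ip']}/{x['src_port']} is not in {inside_net}")
        if x["xlate_ip"] != outside_ip:
            findings.append(f"{x['src_ip']} translated to {x['xlate_ip']}, expected {outside_ip}")
    return findings


def port_preserved_ratio(text):
    """Share of PAT entries that kept the original source port. In the capture above every
    entry did; a falling ratio means the single outside address is running into port collisions."""
    xl = parse_xlates(text)
    kept = sum(1 for x in xl if x["src_port"] == x["xlate_port"])
    return kept / len(xl) if xl else 0.0


if __name__ == "__main__":
    print("rules with new hits:", hits_increased(SHOW_NAT_BEFORE, SHOW_NAT_AFTER))
    for finding in audit_xlates(SHOW_XLATE, "192.168.1.0/24", "116.87.123.45"):
        print("finding:", finding)
    print("source port preserved:", port_preserved_ratio(SHOW_XLATE))
```

Feed it two saved copies of show nat taken a minute apart and one copy of show xlate; a rule with zero growth while you are generating traffic, or any finding from audit_xlates, means the traffic is hitting a different rule than the one you think.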

 

 

> show conn
123 in use, 371 most used
Inspect Snort:
        preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect

TCP outside  104.244.42.3:443 inside  192.168.1.10:44855, idle 0:00:37, bytes 7936, flags UxIO
TCP outside  157.240.13.35:443 inside  192.168.1.10:44836, idle 0:00:38, bytes 15225, flags UxIO
TCP outside  52.98.42.130:443 inside  192.168.1.10:63005, idle 0:00:23, bytes 13124, flags UxIO
TCP outside  40.100.55.2:443 inside  192.168.1.10:63006, idle 0:00:13, bytes 25343, flags UxIO
TCP outside  40.100.29.34:443 inside  192.168.1.10:10477, idle 0:11:54, bytes 9876, flags UxIO
TCP outside  54.254.251.1:443 inside  192.168.1.10:36362, idle 0:00:37, bytes 7259, flags UxIO
TCP outside  34.198.199.106:443 inside  192.168.1.10:28062, idle 0:00:37, bytes 17145, flags UxIO
TCP outside  34.198.199.106:443 inside  192.168.1.10:36361, idle 0:00:10, bytes 18003, flags UxIO
TCP outside  173.37.149.105:443 inside  192.168.1.10:44840, idle 0:00:40, bytes 11198, flags UxIO
TCP outside  173.37.149.105:443 inside  192.168.1.10:40935, idle 0:00:42, bytes 10445, flags UxIO
TCP outside  173.37.149.105:443 inside  192.168.1.10:40930, idle 0:00:43, bytes 20451, flags UxIO
TCP outside  74.125.200.155:443 inside  192.168.1.10:7615, idle 0:00:39, bytes 12666, flags UxIO
TCP outside  172.217.24.102:443 inside  192.168.1.10:36357, idle 0:00:39, bytes 5063, flags UxIO
TCP outside  74.125.24.155:443 inside  192.168.1.10:36367, idle 0:00:37, bytes 6834, flags UxIO
TCP outside  74.125.24.155:443 inside  192.168.1.10:44843, idle 0:00:41, bytes 4747, flags UxIO
TCP outside  104.244.42.69:443 inside  192.168.1.10:44846, idle 0:00:38, bytes 6786, flags UxIO
TCP outside  52.114.14.151:443 inside  192.168.1.10:19879, idle 0:00:26, bytes 10267, flags UxIO
TCP outside  52.114.128.43:443 inside  192.168.1.10:18370, idle 0:00:00, bytes 18962, flags UxIO
TCP outside  52.114.128.43:443 inside  192.168.1.10:15920, idle 0:00:49, bytes 16654, flags UxIO
TCP outside  111.223.64.42:443 inside  192.168.1.10:19838, idle 0:05:56, bytes 6617, flags UxIO
TCP outside  72.163.10.124:443 inside  192.168.1.10:40931, idle 0:00:43, bytes 11399, flags UxIO
TCP outside  52.17.192.1:443 inside  192.168.1.10:4630, idle 0:00:09, bytes 69964, flags UxIO
UDP nlp_int_tap  169.254.1.3:123 outside  168.63.232.55:123, idle 0:00:31, bytes 7920, flags -
TCP outside  74.125.200.106:443 inside  192.168.1.10:44835, idle 0:00:38, bytes 13724, flags UxIO

 

<OUTPUT TRUNCATED>
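An added example, again not from the original post: a small triage pass over show conn output. It parses lines in the format above, normalizes each flow so the internal host comes first (the firewall prints the outside side first here), sums bytes per internal host and peer, and flags flows whose destination port is outside an allow-list, that have been idle longer than a threshold, or that moved an unusual amount of data. The sample lines, the port allow-list and the thresholds are constructed assumptions for the demonstration; nlp_int_tap is treated as internal because it is the FTD's own management tap (the Auto NAT rules above belong to it).

```python
import re
from collections import Counter

# Constructed sample in the format of the show conn output above (addresses and counters made up).
SHOW_CONN = """\
123 in use, 371 most used
Inspect Snort:
        preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect

TCP outside  104.244.42.3:443 inside  192.168.1.10:44855, idle 0:00:37, bytes 7936, flags UxIO
TCP outside  173.37.149.105:443 inside  192.168.1.10:44840, idle 0:00:40, bytes 11198, flags UxIO
TCP outside  40.100.29.34:443 inside  192.168.1.10:10477, idle 0:11:54, bytes 9876, flags UxIO
TCP outside  198.51.100.23:8443 inside  192.168.1.20:51000, idle 0:42:10, bytes 1048576, flags UxIO
UDP nlp_int_tap  169.254.1.3:123 outside  168.63.232.55:123, idle 0:00:31, bytes 7920, flags -
"""

# "TCP outside  104.244.42.3:443 inside  192.168.1.10:44855, idle 0:00:37, bytes 7936, flags UxIO"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) (?P<if_a>\w+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r" (?P<if_b>\w+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),"
    r" idle (?P<idle>\d+:\d{2}:\d{2}), bytes (?P<bytes>\d+), flags (?P<flags>\S+)$"
)

# Interfaces whose hosts count as "ours"; nlp_int_tap is the FTD's own management tap.
INTERNAL_IFACES = ("inside", "nlp_int_tap")


def idle_seconds(hms):
    """'0:11:54' -> 714."""
    h, m, s = (int(p) for p in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_conns(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # header, Snort summary and blank lines
        c = m.groupdict()
        c["idle_s"] = idle_seconds(c["idle"])
        c["bytes"] = int(c["bytes"])
        conns.append(c)
    return conns


def normalize(c):
    """(local_ip, local_port, remote_ip, remote_port) with the internal side first,
    whichever side the firewall happened to print first."""
    if c["if_b"] in INTERNAL_IFACES and c["if_a"] not in INTERNAL_IFACES:
        return c["ip_b"], int(c["port_b"]), c["ip_a"], int(c["port_a"])
    return c["ip_a"], int(c["port_a"]), c["ip_b"], int(c["port_b"])


def bytes_by_peer(conns):
    """Bytes per (internal host, remote ip:port): the quickest 'who talks to whom' view."""
    totals = Counter()
    for c in conns:
        local_ip, _, remote_ip, remote_port = normalize(c)
        totals[(local_ip, f"{remote_ip}:{remote_port}")] += c["bytes"]
    return totals


def flag_conns(conns, allowed_ports=(53, 80, 123, 443), max_idle_s=600, max_bytes=500_000):
    """Flows worth a second look: destination port outside the allow-list, long idle time,
    or unusually large byte count. The allow-list and thresholds are assumptions."""
    findings = []
    for c in conns:
        local_ip, local_port, remote_ip, remote_port = normalize(c)
        reasons = []
        if remote_port not in allowed_ports:
            reasons.append(f"port {remote_port}")
        if c["idle_s"] > max_idle_s:
            reasons.append(f"idle {c['idle']}")
        if c["bytes"] > max_bytes:
            reasons.append(f"{c['bytes']} bytes")
        if reasons:
            findings.append((f"{local_ip}:{local_port}", f"{remote_ip}:{remote_port}", reasons))
    return findings


if __name__ == "__main__":
    conns = parse_conns(SHOW_CONN)
    for (host, peer), total in bytes_by_peer(conns).most_common():
        print(f"{host} -> {peer}: {total} bytes")
    for local, remote, reasons in flag_conns(conns):
        print("flag:", local, "->", remote, ", ".join(reasons))
```

On a busy box, pipe the full show conn output in and sort bytes_by_peer; the long-idle, off-port, high-volume combination that the fourth sample line triggers is exactly the shape of flow you want to look at first after an incident.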

 

 

There are several FTD Smart License types: the Base License (perpetual); Threat, Malware and URL Filtering (term-based subscriptions); and RA VPN (either perpetual or term-based).

 

Base License - included by default; enables networking, firewall and Application Visibility and Control (AVC)
Threat - enables IPS and Security Intelligence
Malware - enables AMP for Networks file inspection, including dynamic analysis (sandboxing)
URL Filtering - enables category- and reputation-based URL filtering


Activating the 90-day Evaluation license is not enough on its own: you also need to Enable each of the Threat, Malware and URL Filtering licenses individually.

 

Go to Smart License > View Configuration > Enable License.

 

Instead of running on the evaluation licenses, you can Register the FTD device with the Cisco Smart Software Manager (CSSM) and consume the entitlements from your Smart Account.

 

The Base License is automatically included and Enabled by default. The URL License was enabled in a previous post.

 

Click Enable under each License.

 


Notice the Status for the Threat, Malware and URL Filtering licenses is now Enabled.


In addition to the URL Filtering license, make sure Query Cisco CSI for Unknown URLs is enabled (it is by default), so that URLs not found in the local category database are looked up in the Cisco Collective Security Intelligence (CSI) cloud instead of going uncategorized.

 

Go to Device > System Settings > Traffic Settings > URL Filtering Preferences.

 


I created my first Access Control rule to block a specific website or URL: Cisco.com.

Go to Policies > Access Control > Add.

Type a Name: Block-Cisco-Site > select Action: Block.

Under Source Zones > click Add (plus icon) > select inside_zone > click OK.

Under Networks > click Add > select Obj-192.168.1.0-24 > click OK.


Under Destination > Zones > Add > select: outside_zone.

Go to URLs tab > click Add (blue plus icon).

Click Create new URL.

Type the object name: Cisco-site > optionally type a Description > type the URL: cisco.com > click OK. Keep in mind that manual URL objects are matched as substrings of the requested URL, so cisco.com also matches www.cisco.com, any path under it and any other URL containing that string. For HTTPS traffic without an SSL decryption policy, only the hostname (taken from the TLS SNI or the server certificate) is available for matching, not the path.

Select the newly created URL object > click OK.

Click OK.

Go to Logging tab > Select Log Action: At Beginning and End of Connection > click OK (bottom).

 

Use this Log Action with care: logging at both the beginning and the end of a connection doubles the event volume. It is fine in a lab or while troubleshooting; for routine operation, At End of Connection is normally enough.

 

You can edit the rule number or drag and drop a rule to change its order. Rules are evaluated top-down and the first match wins, so put specific block rules (particular IPs or sites) above any broader rules, and especially above a broad Allow rule covering the same source and destination.

Click Deployment > Deploy Now.

I visited Cisco.com but got an Access Denied page.

Go to Monitoring > Dashboard > Network Overview.

 

Notice there's a hit count (20) for the URL filtering rule: Block-Cisco-Site.

 

Click the rule name (a hyperlink) to view more details.

Go to Events (bottom) to view real-time event logs.

Click Pause to temporarily stop the live event view from refreshing (events are still generated and logged in the background).

 

Notice the Block under the Action column. Hover over a specific event > click View Details.

 




You can also type/search in the Filter Criteria field > click Filter to narrow down specific events.

 

I used the filter: Rule Action=Block.

 


I created a second Access Control rule to block websites according to a Category.

 

Click Add > select the Order: 1 > type a Title: Block-Porn > Action: Block > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.

 

Go to URLs tab > type/search for Adult and Pornography > click OK.



Go to Logging > Select Log Action: At Beginning and End of Connection > click OK.

Click Deployment > Deploy Now.

I visited some Adult/Porn sites and got an Access Denied page.


Go to Monitoring > Network Overview to monitor the Access Rule hits. 

Click on the specific rule (a hyperlink) to view more details.

Go to Events > filter using: Rule Action=Block > click Filter.

Hover over a specific event > click View Details.





I created a third Access Control rule to block Malware.

Note that the Action must be Allow: intrusion and file/malware policies are only applied to traffic that an Allow rule lets through, since a Block rule drops the connection before anything is inspected.

Click Add > select the Order: 1 > type a Title: Block-Malware > Action: Allow > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.

Be careful with the order here. This rule matches the same inside_zone to outside_zone traffic from Obj-192.168.1.0-24 as the two block rules, and with Order 1 it sits above them; because the first matching rule wins, Block-Porn and Block-Cisco-Site are then never reached. In a real policy, place this broad Allow rule below the specific block rules.

Go to the Intrusion Policy tab > enable Intrusion Policy > under Level of Intrusion Policy select Balanced Security and Connectivity.

Go to File Policy tab > Select the File Policy: Block Malware All.

Go to Logging tab > Select Log Action: At Beginning and End of Connection.

Click OK > Deployment > Deploy Now.
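Added example (not the post's own configuration): a model of first-match evaluation for the three rules created in this post, to make the ordering problem concrete. Since each rule was inserted at Order 1, the final order is Block-Malware (Allow, no URL condition), then Block-Porn, then Block-Cisco-Site; the shadow check reports both block rules as unreachable, and putting the block rules first fixes it. Only the zone, source network and URL/category dimensions the three rules actually use are modelled; the policy's default action and the category assigned to cisco.com in the test flow are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """The subset of an FDM access control rule used by the three rules in this post.
    Ports, applications, users and the other match criteria are deliberately left out."""
    name: str
    action: str                       # "Allow" or "Block"
    src_zone: str
    dst_zone: str
    src_net: str                      # CIDR of the source network object
    urls: Optional[Tuple[str, ...]]   # manual URL strings or category names; None = any URL


NET = "192.168.1.0/24"  # Obj-192.168.1.0-24 from the NAT section

# The three rules as the post builds them; each was inserted at Order 1,
# so the final order is the reverse of creation order.
AUTHOR_ORDER = (
    Rule("Block-Malware", "Allow", "inside_zone", "outside_zone", NET, None),
    Rule("Block-Porn", "Block", "inside_zone", "outside_zone", NET, ("Adult and Pornography",)),
    Rule("Block-Cisco-Site", "Block", "inside_zone", "outside_zone", NET, ("cisco.com",)),
)
# Same rules with the specific block rules above the broad inspect-and-allow rule.
RECOMMENDED_ORDER = (AUTHOR_ORDER[2], AUTHOR_ORDER[1], AUTHOR_ORDER[0])


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every flow that could match `later` is already matched by `earlier`."""
    if (earlier.src_zone, earlier.dst_zone) != (later.src_zone, later.dst_zone):
        return False
    if not ipaddress.ip_network(later.src_net).subnet_of(ipaddress.ip_network(earlier.src_net)):
        return False
    if earlier.urls is None:          # the earlier rule matches any URL
        return True
    return later.urls is not None and set(later.urls) <= set(earlier.urls)


def shadowed_rules(rules):
    """(shadowed rule, rule that shadows it) for an ordered policy where the first match wins."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def first_match(rules, src_zone, dst_zone, src_ip, url, category, default_action="Block"):
    """Name and action of the first rule a flow hits; `default_action` stands in for the
    policy's Default Action at the bottom of the rule list (assumed Block here)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.src_net):
            continue
        # Manual URL objects are matched as substrings of the requested URL; a category
        # condition matches when the URL's category is the one named in the rule.
        if r.urls is not None and not any(u in url or u == category for u in r.urls):
            continue
        return r.name, r.action
    return "default", default_action


if __name__ == "__main__":
    flow = ("inside_zone", "outside_zone", "192.168.1.10", "https://www.cisco.com/", "Computer and Internet Info")
    for label, order in (("post's order", AUTHOR_ORDER), ("recommended", RECOMMENDED_ORDER)):
        print(label, "shadowed:", shadowed_rules(order))
        print(label, "cisco.com ->", first_match(order, *flow))
```

The same covers() test extends to any pair of rules that differ only in the dimensions modelled here; add the other criteria (ports, applications, users) as further "earlier is a superset of later" checks if you want to run it over a full exported policy.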

You can go to Eicar.org to download a test malware file. These are harmless files used to test anti-virus and anti-malware policies; Firepower treats them as malware, so the file policy should block the download. Fetch the file over plain HTTP rather than HTTPS: without an SSL decryption policy, FTD cannot see the body of an HTTPS transfer, so the file policy has nothing to inspect and the test will appear to fail.
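Added example for testing the Block-Malware rule without depending on eicar.org (not from the original post): it builds the EICAR test file locally, exposes its SHA-256 so you can match it against the hash in the resulting file event, and serves it over plain HTTP. Run it on a host that an inside client reaches through the firewall (i.e. on the outside side), then fetch http://<that host>:8080/eicar.com from the inside; the port and file name are assumptions, and the two-part constant is only there so a desktop antivirus does not quarantine this script itself.

```python
import functools
import hashlib
import http.server
import pathlib
import socketserver

# The EICAR test string as published by eicar.org, kept in two halves so that a copy of
# this script is not itself flagged by a desktop antivirus.
_EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test file content."""
    return "".join(_EICAR_PARTS).encode("ascii")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file, to compare with the hash shown in the file event."""
    return hashlib.sha256(data).hexdigest()


def write_eicar(directory: str, name: str = "eicar.com") -> str:
    """Write the test file into `directory` and return its path.
    (The local antivirus on this host may quarantine it; that is expected.)"""
    path = pathlib.Path(directory) / name
    path.write_bytes(eicar_bytes())
    return str(path)


def serve(directory: str, port: int = 8080) -> None:
    """Serve `directory` over cleartext HTTP so the firewall can see the file body.
    An HTTPS download is opaque to the file policy unless a decryption policy is in place."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    with socketserver.TCPServer(("0.0.0.0", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    import sys
    import tempfile

    workdir = tempfile.mkdtemp()
    print("wrote", write_eicar(workdir), "sha256", sha256_hex(eicar_bytes()))
    serve(workdir, int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

If the download succeeds on the client, check that the connection really traversed the FTD (show conn on the firewall should list it) and that the request was HTTP, before suspecting the file policy.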


Go to Monitoring > Network Overview. Notice the Block-Malware Access Rule got hits.

Click the specific rule (a hyperlink) to view more details.