My Cybersecurity Journal: December 2020

To configure a NAT policy in FTD, go to Policies tab (top) > NAT.

Notice there's a default Dynamic NAT which allows any IPv4 subnet on the inside to be NAT'd (PAT) using the outside interface (Internet).

Under Actions column (far right) > click Edit (blue pencil icon).

Change the Title: IN-OUT-DNAT > leave the default Status: enable.

Under Placement > leave the default option: Before Auto NAT Rules.

Under Type > leave the default: Dynamic.

Under Packet Translation tab > Original Packet > Source Interface > leave the default option: inside.

Under Source Address > click Create new Network.

Type a Name: Obj-192.168.1.0-24 (a "/" is an invalid character) > optionally type a friendly Description > Under Type > leave the default option: Network > under Network > type the Network and Subnet Mask in CIDR notiation: 192.168.1.0/24 > click OK.

Select the newly created object under Source Address.

Leave the default options for the Translated Packet.

Click on the Show Diagram to view the NAT translation diagram > click OK to finish.

Click Deployment (top icon with amber/orange dot).

View the Pending Changes > click Deploy Now.

I visited Cisco.com to test.

You can use the show nat, show xlate and show conn which are similar to the ASA commands.

> show nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface

translate_hits = 459, untranslate_hits = 1

Auto NAT Policies (Section 2)

1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface service tcp https https

translate_hits = 0, untranslate_hits = 138

2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface service tcp ssh ssh

translate_hits = 0, untranslate_hits = 0

3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6 service tcp ssh ssh

translate_hits = 0, untranslate_hits = 0

4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface

translate_hits = 0, untranslate_hits = 0

5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface

translate_hits = 378, untranslate_hits = 181

6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface

translate_hits = 0, untranslate_hits = 0

7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6

translate_hits = 0, untranslate_hits = 0

8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6

translate_hits = 0, untranslate_hits = 0

9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6

translate_hits = 0, untranslate_hits = 0

> show nat

detail divert-table interface object object-group pool

proxy-arp translated |

> show nat detail

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic Obj-192.168.1.0-24 interface

translate_hits = 490, untranslate_hits = 1

Source - Origin: 192.168.1.0/24, Translated: 116.87.123.45/18

Auto NAT Policies (Section 2)

1 (nlp_int_tap) to (inside) source static nlp_server_0_http_intf2 interface service tcp https https

translate_hits = 0, untranslate_hits = 138

Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24

Service - Protocol: tcp Real: https Mapped: https

2 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_intf2 interface service tcp ssh ssh

translate_hits = 0, untranslate_hits = 0

Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24

Service - Protocol: tcp Real: ssh Mapped: ssh

3 (nlp_int_tap) to (inside) source static nlp_server_0_ssh_ipv6_intf2 interface ipv6 service tcp ssh ssh

translate_hits = 0, untranslate_hits = 0

Source - Origin: fd00:0:0:1::3/128, Translated:

Service - Protocol: tcp Real: ssh Mapped: ssh

4 (nlp_int_tap) to (inside) source dynamic nlp_client_0_intf2 interface

translate_hits = 0, untranslate_hits = 0

Source - Origin: 169.254.1.3/32, Translated: 192.168.1.1/24

5 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf3 interface

translate_hits = 380, untranslate_hits = 181

Source - Origin: 169.254.1.3/32, Translated: 116.87.123.45/18

6 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf4 interface

translate_hits = 0, untranslate_hits = 0

Source - Origin: 169.254.1.3/32, Translated: 0.0.0.0/32

7 (nlp_int_tap) to (inside) source dynamic nlp_client_0_ipv6_intf2 interface ipv6

translate_hits = 0, untranslate_hits = 0

Source - Origin: fd00:0:0:1::3/128, Translated:

8 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf3 interface ipv6

translate_hits = 0, untranslate_hits = 0

Source - Origin: fd00:0:0:1::3/128, Translated:

9 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf4 interface ipv6

translate_hits = 0, untranslate_hits = 0

Source - Origin: fd00:0:0:1::3/128, Translated:

> show xlate

356 in use, 358 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

s - static, T - twice, N - net-to-net

TCP PAT from nlp_int_tap:169.254.1.3 443-443 to inside:192.168.1.1 443-443

flags sr idle 0:00:28 timeout 0:00:00

NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0

flags sIT idle 0:30:27 timeout 0:00:00

UDP PAT from inside:192.168.1.10/61847 to outside:116.87.123.45/61847 flags ri idle 0:00:00 timeout 0:00:30

UDP PAT from inside:192.168.1.10/64302 to outside:116.87.123.45/64302 flags ri idle 0:00:01 timeout 0:00:30

UDP PAT from inside:192.168.1.10/64301 to outside:116.87.123.45/64301 flags ri idle 0:00:01 timeout 0:00:30

TCP PAT from inside:192.168.1.10/44752 to outside:116.87.123.45/44752 flags ri idle 0:00:01 timeout 0:00:30

UDP PAT from inside:192.168.1.10/56617 to outside:116.87.123.45/56617 flags ri idle 0:00:06 timeout 0:00:30

UDP PAT from inside:192.168.1.10/54290 to outside:116.87.123.45/54290 flags ri idle 0:00:06 timeout 0:00:30

UDP PAT from inside:192.168.1.10/60022 to outside:116.87.123.45/60022 flags ri idle 0:00:06 timeout 0:00:30

UDP PAT from inside:192.168.1.10/52535 to outside:116.87.123.45/52535 flags ri idle 0:00:08 timeout 0:00:30

> show conn

123 in use, 371 most used

Inspect Snort:

preserve-connection: 0 enabled, 0 in effect, 0 most enabled, 0 most in effect

TCP outside 104.244.42.3:443 inside 192.168.1.10:44855, idle 0:00:37, bytes 7936, flags UxIO

TCP outside 157.240.13.35:443 inside 192.168.1.10:44836, idle 0:00:38, bytes 15225, flags UxIO

TCP outside 52.98.42.130:443 inside 192.168.1.10:63005, idle 0:00:23, bytes 13124, flags UxIO

TCP outside 40.100.55.2:443 inside 192.168.1.10:63006, idle 0:00:13, bytes 25343, flags UxIO

TCP outside 40.100.29.34:443 inside 192.168.1.10:10477, idle 0:11:54, bytes 9876, flags UxIO

TCP outside 54.254.251.1:443 inside 192.168.1.10:36362, idle 0:00:37, bytes 7259, flags UxIO

TCP outside 34.198.199.106:443 inside 192.168.1.10:28062, idle 0:00:37, bytes 17145, flags UxIO

TCP outside 34.198.199.106:443 inside 192.168.1.10:36361, idle 0:00:10, bytes 18003, flags UxIO

TCP outside 173.37.149.105:443 inside 192.168.1.10:44840, idle 0:00:40, bytes 11198, flags UxIO

TCP outside 173.37.149.105:443 inside 192.168.1.10:40935, idle 0:00:42, bytes 10445, flags UxIO

TCP outside 173.37.149.105:443 inside 192.168.1.10:40930, idle 0:00:43, bytes 20451, flags UxIO

TCP outside 74.125.200.155:443 inside 192.168.1.10:7615, idle 0:00:39, bytes 12666, flags UxIO

TCP outside 172.217.24.102:443 inside 192.168.1.10:36357, idle 0:00:39, bytes 5063, flags UxIO

TCP outside 74.125.24.155:443 inside 192.168.1.10:36367, idle 0:00:37, bytes 6834, flags UxIO

TCP outside 74.125.24.155:443 inside 192.168.1.10:44843, idle 0:00:41, bytes 4747, flags UxIO

TCP outside 104.244.42.69:443 inside 192.168.1.10:44846, idle 0:00:38, bytes 6786, flags UxIO

TCP outside 52.114.14.151:443 inside 192.168.1.10:19879, idle 0:00:26, bytes 10267, flags UxIO

TCP outside 52.114.128.43:443 inside 192.168.1.10:18370, idle 0:00:00, bytes 18962, flags UxIO

TCP outside 52.114.128.43:443 inside 192.168.1.10:15920, idle 0:00:49, bytes 16654, flags UxIO

TCP outside 111.223.64.42:443 inside 192.168.1.10:19838, idle 0:05:56, bytes 6617, flags UxIO

TCP outside 72.163.10.124:443 inside 192.168.1.10:40931, idle 0:00:43, bytes 11399, flags UxIO

TCP outside 52.17.192.1:443 inside 192.168.1.10:4630, idle 0:00:09, bytes 69964, flags UxIO

UDP nlp_int_tap 169.254.1.3:123 outside 168.63.232.55:123, idle 0:00:31, bytes 7920, flags -

TCP outside 74.125.200.106:443 inside 192.168.1.10:44835, idle 0:00:38, bytes 13724, flags UxIO

There are several FTD Smart License types: Base License (perpetual), Threat, Malware, URL License which are term-based licenses and RA VPN (can be either perpetual or term-based).

• Base License: included by default which enables Networking, Firewall and Application Visibility Control (AVC)
• Threat- enables IPS and Security Intelligence
• Malware- enables dynamic analysis and sandboxing

• URL Filtering – enables category and reputation-based URL filtering

Aside from activating the 90-day Evaluation license, you'll also need to manually Enable each feature for Threat, Malware and URL Licenses.

Go to Smart License > View Configuration > Enable License.

You can Register the FTD device to the Cisco Smart Software Manager.

The Base License is automatically included and Enabled by default. The URL License was enabled in a previous post.

Click Enable under each License.

Notice the Status for the Threat, Malware and URL Licenses were all Enabled.

In addition to the URL License, it's best practice to ensure the Query Cisco CSI for Unknown URLs is enabled (enabled by default).

Go to Device > System Settings > Traffic Setting > URL Filtering Preferences.

I created my first Access Control rule to block a specific website or URL: Cisco.com

Go to Policies > Access Control > Add.

Type a Name: Block-Cisco-Site > select Action: Block.

Under Source Zones > click Add (plus icon) > select inside_zone > click OK.

Under Networks > click Add > select Obj-192.168.1.0-24 > click OK.

Under Destination > Zones > Add > select: outside_zone.

Go to URLs tab > click Add (blue plus icon).

Click Create new URL.

Type the object name: Cisco-site > optionally type a Description > type the URL: cisco.com > click OK.

Select the newly created URL object > click OK.

Click OK.

Go to Logging tab > Select Log Action: At Beginning and End of Connection > click OK (bottom).

Use this type of Log Action with caution. You typically use this in a lab or when troubleshooting.

You can edit the Rule number or drag and drop its order. It's best practice to put the specific IP or sites to block on top of the Access Control rules.

Click Deployment > Deploy Now.

I visited Cisco.com but got an Access Denied page.

Go to Monitoring > Dashboard > Network Overview.

Notice there's a hit count (20) for the URL filtering rule: Block-Cisco-Site.

Click the rule name (a hyperlink) to view more details.

Go to Events (bottom) to view real-time event logs.

Click Pause to temporarily pause the generating of Syslog messages.

Notice a Block under the Action column. Hover to a specific log > click View Details.

You can also type/search in the Filter Criteria field > click Filter to narrow down specific events.

I used the filter: Rule Action=Block.

I created a second Access Control rule to block websites according to a Category.

Click Add > select the Order: 1 > type a Title: Block-Porn > Action: Block > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.

Go to URLs tab > type/search for Adult and Pornography > click OK.

Go to Logging > Select Log Action: At Beginning and End of Connection > click OK.

Click Deployment > Deploy Now.

I visited some Adult/Porn sites and got an Access Denied page.

Go to Monitoring > Network Overview to monitor the Access Rule hits.

Click on the specific rule (a hyperlink) to view more details.

Go to Events > filter using: Rule Action=Block > click Filter.

Hover to a specific event > click View Details.

I created a third Access Control rule to block Malware.

Note the Action: Allow is needed for Malware and File inspection to work properly.

Click Add > select the Order: 1 > type a Title: Block-Malware > Action: Allow > select Source > Zone: inside_zone > select Networks: Obj-192.168.1.0-24 > select Destination > Zone: outside_zone.